Over the past two decades, the healthcare industry has undergone a seismic shift in the way that processes are operated and regulated. Thanks to revolutionary technological innovations and several sweeping pieces of legislation, healthcare entities have been strongarmed into changing with the times. The most notable example of this exodus-of-sorts is the medical industry’s shift in how they store confidential client information, painfully transitioning from physical record keeping to a digital storage format.
This forced change in practices was met with grumbling by some and flat-out refusal by others, resulting in a lack of continuity, noncompliance, or only partial compliance. Naturally, the lack of cohesion created a virtual, frenzied feeding ground for hackers and cyber criminals seeking access to patients’ personal data. In response to this rampant rise in digital crime, the HITRUST framework was erected. Today, this security audit system forms the best defense against malicious attacks. So, if you’re a healthcare company, you’ll want to obtain a HITRUST certification.
Read on to discover how you can go about the process!
Who Needs HITRUST Certification?
In a day and age where current technology mandates that companies jump through several hoops to ensure that they are mitigating risk and protecting important private data, a framework such as HITRUST’s is a godsend, particularly due to the fact that there are so many overlapping controls and regulations springing from several different laws.
Although HITRUST Certification is not federally mandated for any business, several of the compliance controls as required by HIPAA or HITECH are covered by its prescriptive framework. It’s widely considered to be the most thorough and comprehensive since it’s tailored to bring a healthcare entity into compliance with various standards such as:
According to the HITRUST Alliance:
- The HITRUST CSF is the most widely adopted security framework in the healthcare industry: 81 percent of hospitals and 80 percent of health plans have adopted the framework in some way, either as a best practices resource or as the basis for their information protection program.
- 38,000 CSF Assessments have been performed in the last three years with 15,000 CSF Assessments in 2015 alone. HITRUST anticipates continued demand for CSF Certification due to third-party assurance requirements from several major health organizations and requests for combined SOC 2 + HITRUST reports.
If recent trends are any indicator, a growing number of organizations directly related to the healthcare industry will be utilizing the HITRUST CSF Framework in order to ensure that they are HIPAA compliant. In addition, it appears as if more and more healthcare companies will require their business associates to also become certified. Health Care Services Corporation CISO, Ray Biondo, had this to say on the subject:
Health Care Services Corp. decided to require its BAs to earn HITRUST CSF certification so the insurer can better determine that its vendors are taking specific measures to safeguard patient data. While HCSC already audits vendors for data security, the process is costly and time-consuming, Biondo says. By requiring all its BAs to obtain HITRUST CSF certification within the next 24 months, the insurer will be able to more cost-effectively assess its BAs’ efforts.
HIPAA – The Reason for HITRUST’s Existence
In order to fully understand HITRUST, it’s essential to go back to where everything started, the Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA. Pushed by President Clinton, this sweeping piece of legislation was created to outline data privacy and security provisions in order to:
- Encourage healthcare entities to transition to digital record-keeping
- Keep digitally stored, used, or disseminated medical information safe
It was composed of 5 titles:
- HIPAA Health Insurance Reform – Preserves health insurance coverage for people who change jobs or are fired. It also stated that group health plans were not allowed to deny coverage to people with preexisting conditions.
- HIPAA Administrative Simplification – Ordered the Department of Health and Human Services [HHS] to create a national standard for processing electronic healthcare transactions.
- HIPAA Tax-Related Health Provisions – Contained provisions and guidelines related to taxes and medical care.
- Application and Enforcement of Group Health Plan Requirements – Added definitions and provisions related to health insurance reform.
- Revenue Offsets – Provisions on company-owned life insurance and guidelines for dealing with people who lose citizenship because of tax issues.
Of the five titles, HIPAA Title II is what most refer to when they say that they are “HIPAA compliant.” However, as time passed, several addendums or standards were added to better enforce the rules and regulations of HIPAA and Title II. These include:
- National Provider Identifier Standard
- Transactions and Code Sets Standard
- HIPAA Privacy Rule
- HIPAA Security Rule
- HIPAA Enforcement Rule
Although there were good intentions behind the HIPAA rollout, it and the subsequent addendums failed to enact ubiquitous standards, prescriptive compliance frameworks, and enforcement mechanisms. In response to these glaring issues, several leading figures and companies within the healthcare and IT realms came together to form the HITRUST Alliance.
What is HITRUST?
Because of the subjective nature of HIPAA’s “reasonable and appropriate” measures, there were no universal standards in place for compliance. That is, until the Health Information Trust [HITRUST] Alliance was created. This entity worked tirelessly to produce the Common Security Framework [CSF], which is an amalgamation of previously created security frameworks.
Their goal for the CSF was for it to function as a prescriptive slate of controls that would compel observance of the rules and regulations as outlined in HIPAA and HITECH. According to HITRUST, the underlying reasons for the formation of the group and the creation of the Common Security Framework were:
The HITRUST alliance was born out of the belief that information security is critical to the broad adoption, utilization, and confidence in health information systems, medical technologies and electronic exchanges of health information, and in turn, realizing the promise for quality improvement and cost containment in the American healthcare system.
Today, security and compliance are integral aspects of any form of healthcare technology. HITRUST sought to fix HIPAA’s lack of standardized framework, certifying body, and process. In doing so, they have made it easier for vendors to protect their important records and demonstrate their compliance.
The HITRUST CSF
Per Healthcare Weekly, HITRUST’s CSF has several tangible benefits. It accomplishes the following:
- “Includes, harmonizes and cross-references existing, globally recognized standards, regulations and business requirements, including ISO, NIST, PCI, HIPAA and State laws;
- Scales controls according to type, size, and complexity of an organization;
- Provides prescriptive requirements to ensure clarity;
- Follows a risk-based approach offering multiple levels of implementation requirements determined by specific risk thresholds;
- Allows for the adoption of alternate controls when necessary;
- Evolves according to user input and changing conditions in the industry and regulatory environment on an annual basis;
- Provides an industry-wide approach for managing Business Associate compliance.”
But what is it exactly?
The CSF consists of 19 control categories known as domains. They are:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Protection
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging & Monitoring
- Education, Training & Awareness
- Third Party Security
- Incident Management
- Business Continuity & Disaster Recovery
- Risk Management
- Physical & Environmental Security
- Data Protection & Privacy
Within these 19 domains are 135 HITRUST-specific controls, all of which were outlined in order to provide 360-degree protection around your business, guarding it against both employee incompetence and malicious intruders.
How Do I Become HITRUST Certified?
In order to obtain your HITRUST Certification, you will have to follow four steps during a process lasting several months. The first three of the steps are also known as the CSF Degrees of Assurance. They are:
- Step/Degree 1: Self Assessment of Internal Operations – Becoming HITRUST certified starts with a comprehensive, in-house audit based upon the framework provided by HITRUST. During this period, you will appoint a team leader who will manage the audit team, conduct the audit, and present findings and prescriptions to executive leadership.
This process gives your business a much clearer picture of where it stands with regard to compliance (and where it fails). It then gives you ample time to course-correct or conduct remediation. Once prescriptive actions have been taken, your business is ready to move on to the next step.
- Step/Degree 2: CSF Validated – At this point, a third-party, on-site audit must take place. In order to receive validation, the third-party auditor must be a HITRUST-Certified CSF Assessor. During this stage, the assessor will examine all the relevant documentation:
  - Technical configurations
  - Risk assessments
  - Remediation efforts
Over the space of two to four months, the assessor will compare these measures against the CSF in order to confirm that your business is, in fact, complying with the various rules and regulations. If given the green light, the assessor will present your organization with a CSF Validated Report.
- Step/Degree 3: CSF Certification – Once the first two steps are completed, your business will then upload all the relevant documentation online in order for the lawyers at the HITRUST Alliance to review and conduct an additional audit. During this review, they will seek to confirm whether or not all of the HITRUST standards were indeed met.
Depending on the size, scope, and complexity of your business, this could take anywhere from 3 to 24 months. Afterward, if HITRUST declares that your business has passed, it will present you with a CSF Certificate.
- Step 4: Rinse and Repeat – Obtaining HITRUST Certification is an annual task. As a result, you’ll have to repeat the process every single year. Fortunately, it won’t be as onerous a task as the first time around due to the fact that most aspects of your organization will already be in compliance. Therefore, only small tweaks or changes will have to be made, arising from changes in technology or laws.
The Costs of HITRUST
Naturally, you might read this and wonder what the cost of this entire audit process is. For clarification, it’s helpful to split it into two categories—direct and indirect costs.
- Direct Costs – The bulk of the direct costs comes from the fees to HITRUST and the payments to the assessor. For small to medium-sized organizations, this will typically run between $20,000 and $200,000 but can be significantly higher for larger entities. In addition, the self-assessment costs approximately $2,500 for three months of access. Also, there are the application submission and scoring fees, which cost roughly $4,000.
- Indirect Costs – As you might imagine, there will be a hefty amount of man-hours and employee time spent during the audits and afterward in order to address the glaring problems. This figure is much more difficult to quantify but is one you should keep in mind.
Despite the upfront costs, over the course of your organization’s life, failures to comply with HIPAA and HITECH (or data breaches) could cost your business exponentially more money. So, if you wish to protect both your business and your clients, it’s well worth it. On top of that, as the number of healthcare entities that are CSF certified continues to grow, it will be harder and harder to compete in the marketplace should you fail to demonstrate the same compliance and adherence.
RSI Security and HITRUST
This process takes a concerted amount of time and effort, so it’s helpful to have someone with experience at your side who knows the ins and outs of HITRUST. That’s where the team at RSI Security comes in. If you need an assessor or a guide through the process, we stand willing and able. Reach out today and we can help you take the prudent steps towards certification.
HITRUST. How many organizations have adopted the CSF? Do you have a breakdown by type, size, location. https://hitrustalliance.net/frequently-asked/1/en/topic/how-many-organizations-have-adopted-the-csf-do-you-have-a-breakdown-by-type-size-location-etc-2
McGee, M. Gov Info Security. Should BAs Be HITRUST-Certified? (2015). https://www.govinfosecurity.com/should-bas-be-hitrust-certified-a-8366
HITRUST. Health Information Trust Alliance (HITRUST) Concurs with The American Recovery and Reinvestment Act of 2009 Stimulus Bill on Importance of Privacy and Security. (2009).
Bulgru, I. Healthcare Weekly. The ultimate guide to HITRUST Certification: Timelines, Fees & Process. (2019). https://healthcareweekly.com/hitrust-guide-2019/