Reports of the industry’s data breaches have been grabbing headlines for several years now. The challenge for healthcare organizations is to go beyond acknowledging vulnerabilities and to do something about them. But what? And, how?
Between 2009 and 2018, the healthcare industry experienced 2,546 healthcare data breaches involving more than 500 records. These breaches resulted in the theft or exposure of 189,945,874 healthcare records.1
While startling, such statistics are nothing new. In fact, reports of the industry’s data breaches have been grabbing headlines for several years now. The challenge for healthcare organizations is to go beyond acknowledging vulnerabilities and to do something about them. But what? And, how?
A plethora of federal and state regulations address the “what” question by directing healthcare organizations to protect health data.
“Healthcare is a heavily regulated industry so there are plenty of federal and state level regulations that tell organizations that they need to protect certain types of data but these regulations can be pretty vague and don’t necessarily tell you “how” to meet the compliance requirements. That’s where compliance frameworks come in,” said Brenton McKinney, Vice President of Security at Medecision.
The Health Information Trust Alliance (HITRUST), for example, provides the depth and breadth of controls organizations need to efficiently and effectively assess the strength of their risk-based protection programs and their compliance with multiple regimes through one assessment. In addition, the compliance framework integrates and cross-references multiple authoritative sources such as ISO, NIST, PCI, and HIPAA as well as state requirements.
As such, HITRUST helps health plans, provider organizations and vendors more systematically address security concerns. More specifically, HITRUST empowers healthcare organizations to:
Move from inertia to action. When trying to establish a security program, healthcare organizations often don’t know where to begin. “HITRUST first and foremost can help organizations establish security programs by walking you through the process and helping you define the components, or the right Technical, Organizational, and Administrative controls that are needed. So, it systematically helps you build your security program,” McKinney said.
Assess risk. When seeking HITRUST certification, a third-party accessor who is authorized by HITRUST to work with healthcare organizations to conduct “initial gap assessments that allow you to know where your organization stands and identify the future state in order to make risk-based prioritized decisions to actually achieve HITRUST certification,” McKinney said.
Offer a prescriptive, yet flexible, framework tailored to each organization’s needs. “The framework guides healthcare organizations through all the different components or domains, whether it’s access control, auditing, protecting endpoints, training, vendor management, or how to protect data in-transit or at-rest. it gets very detailed and can help guide you through the proper level of due diligence and controls needed to protect sensitive data,” McKinney said.
Zero in on relevant risk areas. “The framework makes it possible for your organization to select the ‘factors’ that apply to you. An organization can systematically select the applicable state laws . And, you can select factors that correspond to certain elements of your business — such as PCI, GDPR, or operating in the cloud. So, this allows you to scope and apply only those controls that are relevant to your organization’s operating model,” McKinney pointed out.
Manage vendors. “Vendor management is one of the most difficult things to manage for any organization. Businesses are increasingly using 3rd party, and even 4th and 5th parties for various business reasons. Not every vendor should be treated the same. By implementing a tiered system based upon risk can help organizations manage the various types of 3rd party engagements such as software integrations, services providers, or contractors. A vendor dealing directly with protected health information (PHI) data would be considered high risk, for instance, whereas if a vendor is offering a back-office system, it may not be ranked as high,” McKinney said.
Health plans or providers could reduce the burden placed on internal audit teams when conducting lengthy vendor assessments or on-site audits. Requiring your 3rd parties to achieve HITRUST certification as part of the contract negotiation process can help lower costs and time by accepting the trust and credibility the framework represents.
Participating in, and achieving, HITRUST certification can help healthcare organizations improve data security practices. It’s important to understand exactly what HITRUST does and does not do, however. For example, HITRUST does not deem health plans, provider organizations or vendor organizations as being certified but rather certifies specific systems, applications, processes or environments.
In addition, HITRUST compliance doesn’t directly translate into iron-clad security. “HITRUST and other compliance initiatives can establish that your organization’s systems and processes have met certain standards. And, being compliant is necessary, but compliance doesn’t always equate to absolute security,” McKinney concluded. “Privacy and security are moving targets with no end-state because threats are constantly evolving. Every single day the attackers are getting better and better. There are new vulnerabilities that are being discovered across every industry and every technology. What was secure yesterday is not necessarily secure tomorrow. You’ve got to continually improve because things are constantly changing. And, remember, hackers only have to be right one time to breach your data. You have to be right all of the time to protect it.”
1 HIPAA Journal. Healthcare Data Statistics. https://www.hipaajournal.com/healthcare-data-breach-statistics/