Among the priorities of healthcare organizations and their associated business partners, protecting patient information is second only to providing quality care. Loss of patient information can jeopardize care – the first priority – as well as put an organization out of compliance with government and industry regulations. It can also be costly in terms of remediation, regulatory fines and reputational damage.
The responsibility is compounded with the use of electronic health records (EHRs). In 2009, when only 10 percent of healthcare facilities in the United States used electronic health records, the government adopted the Health Information Technology for Economic and Clinical Health (HITECH) Act (part of the American Recovery and Reinvestment Act) to encourage the use of EHRs in all healthcare organizations and related third parties, and offered financial incentives to spur the initiative. By 2015, healthcare organizations and associated third parties that had switched to EHRs had become well aware of the risks associated with sharing patient information with business associates in a new world of connected, electronic healthcare, and today data protection represents a critical priority for healthcare providers.
EHR sharing among doctors, hospitals, insurance companies, pharmacies and third-party business associates makes protecting this information that much more complicated and critical. The difficulty in securing this information has not been lost on hackers. Medical records contain a wealth of information that can be used for identity theft and fraud (such as Social Security number, home address or claims data). Personal health information, in fact, carries a higher value on the black market than credit card data. Indeed, while a credit card record might fetch $2 on the black market, a medical record can average more than $20, according to a June 2015 report by the Workgroup for Electronic Data Interchange (WEDI), a nonprofit association for users of electronic data interchange in healthcare.
Challenges and Opportunities
Healthcare organizations operate under a complex web of compliance and security obligations, resulting from their interactions with a variety of business associates and third parties, including providers, payers, EHR vendors and others who, given their access to patient and medical data, are themselves subject to regulatory oversight. Any one of the participating entities may implement and operate its own information security program, and many have. These diverse programs have resulted in the need to respond to a different set of requirements and criteria in each contracting process.
All of these organizations already are required to meet diverse information security and privacy requirements, including the Health Insurance Portability and Accountability Act (HIPAA) and HITECH. These regulatory requirements, however, may not provide specific and comprehensive implementation guidance for EHR-related security controls.
In this complicated environment, what should healthcare organizations and associated third parties do to better demonstrate to regulators their capacities for protecting sensitive patient data? Given the large and interdependent ecosystem of controlling entities and business associates, what can be done to effectively communicate the strength of the information security defenses of each of the participants in the system?
Our Point of View
Healthcare organizations and their business associates and third parties should adopt the Health Information Trust (HITRUST) Common Security Framework (CSF) Assurance Program as a practical approach to respond to uniform requirements, and to achieve consistent, measurable assessments that are emerging as an industry standard.
The HITRUST Alliance, in collaboration with healthcare, technology and information security leaders, developed this framework to provide a clear and concise structure to guide health information security initiatives. Created by leveraging existing standards and regulatory requirements, it includes 149 control specifications, incorporating requirements from ISO, NIST and HIPAA. It complements certification activity already underway in many organizations. It is a logical extension of the HIPAA and HITECH guidance, defining specific control elements to support the general guidance those regulations provide.
Adoption of the HITRUST CSF Assurance Program has been rapid and is providing a common understanding and vocabulary for security strength. Industry leaders, including Anthem, Highmark, Humana and UnitedHealth Group, have already announced that they will require CSF certification as evidence of compliance from their business associates. In addition, several other healthcare providers have announced their preference for CSF certification from their trading associates. The HITRUST Alliance recognized early that improvements to information security and privacy would be critical to broad adoption, utilization and confidence in healthcare information systems. Its CSF Assurance Program aligns diverse healthcare information security and privacy requirements to provide a uniform framework for healthcare organizations and their partners to assess and confirm information security and privacy across enterprises and systems.
How We Help Companies Succeed
Protiviti provides security strategy, process and implementation services to help organizations meet their information security needs. With regard to HITRUST CSF certification, we have assisted our clients in three key areas:
- Gap analysis – We assess the current state of an organization’s information security implementation, compare it to the HITRUST CSF standards and define areas in which changes need to be made.
- Remediation definition and assistance – We help define a path to attaining CSF compliance, implement the requisite changes and ensure they are providing the operational value expected.
- Certification support – As one of a small number of Certified CSF Assessors, Protiviti has the ability to analyze an enterprise environment and prepare documentation the HITRUST Alliance requires for certification.
Our clients tell us that pursuing HITRUST certification provides several benefits to them:
- Independent verification – The organization demonstrates to patients, partners and members that it treats information security as an imperative and that its practices meet industry-defined standards.
- Risk mitigation – The organization obtains a clear and comprehensive understanding of its information risk exposure using the CSF.
- Competitive advantage – Healthcare organizations want business partners that they can trust to retain and protect their patient information.
- Industry validation – The organization relies on the collective decisions of an industry group as validation for which security controls are appropriate.
- Improved partner security – The CSF provides the benchmark by which an organization can measure business associates to quantify the risks of sharing data.
- Simplified compliance management and reduced audit overlap – The CSF supports the compliance reviews and documentation of other major security standards, thereby reducing the time spent on overlapping audits.
Our client experienced a data breach and was looking for help to become compliant very rapidly with new industry security standards. To assist our client, Protiviti’s IT Security and Privacy professionals:
- Proposed a remediation approach to reduce scope and cost without compromising security effectiveness.
- Designed and implemented a secure network architecture for the organization.
- Developed 30 policies related to IT processes and performed internal and external network security penetration tests.
Within six months, our professionals had designed and implemented a secure architecture, including secure encryption and tokenization of credit card numbers, intrusion detection, log consolidation and file integrity monitoring. Following the project’s completion, Protiviti issued a report validating our client’s compliance with industry security standards.