Payers, Vendors Impose Security Certification on Business Associates

At least seven healthcare insurers and vendors are requiring their business associates to successfully conduct a comprehensive assessment of their information technology privacy and security status and obtain a certification of completion within the next two years.



The insurers and vendors are members of industry security consortium HITRUST, which among other initiatives offers the CSF Assurance Program, a standardized process for assessing and certifying compliance with internal processes, HIPAA, HITECH, credit-debit card processing, and state rules and regulations. CSF stands for Common Security Framework, a platform that supports numerous HITRUST programs.

Insurers Anthem, Healthcare Services Corp., Highmark, Humana and UnitedHealth Group are imposing the assessments and remediation work on their business associates, as are information technology vendors athenahealth and Availity. The insurers alone have more than 7,500 business associates.


Highmark has spent the past 1.5 years enhancing its security protections, says Omar Khawaja, chief information security officer. But when information leaves the organization, it still needs strong security controls.

“We do onsite assessments and send questionnaires, but can’t review all with a couple thousand suppliers,” he adds. So, requiring BAs to go through the HITRUST assessment process and receive certification makes the entire ecosystem more secure and efficient. The bottom line is that Highmark expects its BAs to keep information as secure as the insurer does.

The insurer is working with its vendors to identify start dates for the assessment/certification process; the process could start with renewal of a contract or at another time. Certification is for two years, with interim follow-up work done midway through.

Highmark itself expects to certify in a few months and understands that BAs will need time to prepare, Khawaja says. “If we had picked a narrow scope, we could have been done some time ago.” The CSF Assurance Program, he adds, is comprehensive but very doable.
