Why stringent security certification is becoming a necessity
With the growing security threats facing healthcare organizations, 2018 is looming as a year to improve security protection for data.
That point was driven home this past week by a reported ransomware attack this week that crippled Allscripts, which offers cloud-based electronic health records services. It’s clear that ransomware and other forms of cyberattacks can hobble any healthcare organization.
While information security is increasingly critical in all industries, it is arguably most so for hospitals and health systems entrusted with such sensitive patient data that a breach could not only mean a devastating reputational loss, but likely also an expensive legal battle.
According to KPMG, 81 percent of healthcare organizations were compromised by cyberattacks over a two-year period between 2013 and 2015. Bringing those results to the present, it’s clear that the question is not “if” an attack will occur, but “when,” and thus whether a hospital or health system can prove it’s prepared to mitigate the attack, minimize the damage and follow all paths possible to protect sensitive data.
Developed in collaboration with information security professionals, HITRUST CSF “rationalizes relevant regulations and standards into a single overarching security framework,” a tall order in the healthcare industry, where regulations are complex and ever changing. Documented compliance with this stringent framework can help hospital and health system IT executives better protect patient data.
Here are four keys to understanding and pursuing HITRUST certification.
HITRUST certification isn’t just for vendors. Perhaps one of the most common HITRUST CSF misconceptions is that it’s a certification exclusively for vendors. By contrast, it has been widely adopted by both covered entities (health systems and providers) and business associates (vendors) since its inception. The certification is important for providers to ensure they’re not only meeting current regulatory and industry best practices, but are prepared to also adopt new ones. Additionally, they should hold all vendors and business associates to the same standard and make HITRUST CSF certification a minimum requirement to demonstrate commitment by all parties to protecting patient data.
Compliance isn’t the goal. While it may be counterintuitive to some, compliance, in and of itself, shouldn’t be the primary goal of attaining the HITRUST CSF. Instead, hospitals and health systems should leverage the framework to operationalize compliance with healthcare regulations and best practices to free up the IT team to focus its efforts on even greater security and efficiency. Hackers are getting smarter and tapping into increasingly sophisticated technology. In such a climate, the best way to protect patient data is to commit to continuous improvement, and HITRUST CSF is a means to hold organizations accountable to that end.
It's a big challenge but helps achieve an important payoff. HITRUST CSF is a time-intensive tool to help those organizations that have already made a significant commitment to information security that enables them to receive recognition for their efforts and stay on track. Compliance is a journey that begins with documenting and understanding the environment; learning and understanding regulatory requirements; completing an internal pre-audit to ensure readiness; identifying remedial tasks that may be required; choosing a reputable audit firm to conduct the official audit; applying for certification; and finally, developing a plan to retain certification. This process will likely take hundreds of hours, and the rigor, collaboration and proactivity the process will have inspired will have made it worth the effort.
There are hidden benefits. HITRUST CSF Certification is such an intensive process, requiring the cooperation of so many departments from the top down, that some hospitals and health systems may enjoy enhanced organizational alignment as just one of many unintended, yet beneficial, results. When given a common framework, departments may be forced to streamline different terminology, protocols and procedures from department to department driving greater efficiency. These other departments will necessarily also gain visibility into IT operations, ensuring increasingly smooth audit and operational processes year over year. Another benefit of HITRUST CSF Certification is access to experts at the organization who may act as trusted advisors and allies helping organizations navigate the waters of compliance with the common goal of ensuring maximum patient and employee data security.
While HITRUST CSF Certification is an impressive achievement, hospitals and health systems should embrace the spirit of the recognition and commit to continuous improvement. For those up to the challenge, complementary resolutions would be to familiarize themselves with the regulatory frameworks from which HITRUST is compiled, participate in peer communities, and if relevant, hold discussions with vendors and/or associates to continuously clarify roles and responsibilities around information security.
Regardless of whether a hospital or a health system chooses to pursue HITRUST CSF Certification, it should recognize its duty to be honest with itself in identifying and addressing sensitive security areas. Only then can it hope to achieve the high levels of protection and data assurance required in a digital world.