Securing healthcare data – whether stored or transmitted – has become more critical and more complex. Add federal, state and third-party requirements, along with attackers intent on causing harm, and the complexity grows further.
HIPAA is the baseline compliance requirement for healthcare organizations. It requires them to ensure the confidentiality, integrity and availability of data they create, receive, maintain or transmit, and it requires that they provide reasonable protection against threats to that data.
The problem is the lack of a roadmap to help organizations reach HIPAA compliance. HIPAA's guidelines do not give providers specific, reliable directions, and following them does not guarantee that data is protected. HIPAA leaves what counts as "reasonable and appropriate" protection open to interpretation.
To help address these issues, the Health Information Trust Alliance (HITRUST), developed by healthcare and IT professionals, established a Common Security Framework (CSF) that provides organizations a structure they can follow to manage the security requirements of HIPAA. But HITRUST also integrates requirements from other regulations and standards, including NIST, ISO 27001, PCI DSS and COBIT.
In plain language, HITRUST CSF is a single standard built from the other regulations and standards that hospitals, medical practices and others in the healthcare industry are required to meet for data security and compliance. It also builds into the process principles for evaluating both the compliance posture and the security risk of an organization's data.
Besides incorporating standards and regulations and reducing the risk of noncompliance with HIPAA, HITRUST CSF:
- Scales according to the organization’s size, type and complexity
- Provides clear, actionable guidelines
- Evolves according to needs and changes in both the healthcare industry and the regulatory environment
The process can be time consuming and requires IT personnel who are HITRUST certified assessors, which, in most cases, means hiring third-party vendors who can not only perform the HITRUST CSF Validated Assessment but also help the organization prepare for it so that it is ready for certification. Assessments are quite involved and run on a rigid timeline that must be met to fulfill the requirements for certification.
Because the requirements for HITRUST certification are in-depth and demanding, organizations can take advantage of preparation tools, including a self-assessment that helps them understand where they stand and assemble as much of the required documentation as possible before the HITRUST CSF Validated Assessment.
A third-party HITRUST certified assessor can walk an organization through the self-assessment process to help it complete certification in a HITRUST CSF Validated Assessment. Because the assessor knows what HITRUST CSF looks for, they can identify gaps, and the documentation that will be needed, before the Validated Assessment begins. This also helps during the assessment itself, since much of the required information has already been identified and gathered.
The area where most organizations fall short is documentation, according to Mike Wion, cyber security sales executive for TECH LOCK, Troy, Mich. Security policies, incident response plans and security awareness programs, along with others, are fundamental to all compliance initiatives. He explained that, given the time constraints of the HITRUST CSF Validated Assessment and the volume of required documentation, there may not be enough time to complete the requirements during the certification process if the organization has not prepared ahead of time.
HITRUST Certification Benefits
Using HITRUST can save time and money, since one assessment can generate multiple reports that address the various regulations and requirements. The most important benefit, however, is certifying that an organization, regardless of size, is meeting its compliance requirements, especially for HIPAA.
Protecting consumer healthcare information is vital for the industry. Handled inappropriately, it can result in costs far greater than the assessment time and fees, including penalties and loss of business once trust has been compromised.
TECH LOCK has seven HITRUST assessors on staff handling HITRUST CSF Validated Assessments, self-assessments and one-on-one consulting. TECH LOCK is not only HITRUST accredited as a third-party assessment organization; it is also a PCI approved scanning vendor and PCI qualified security assessor. For more information, contact TECH LOCK.