Guest Column | September 21, 2017

Avoid These Common HITRUST Compliance Mistakes

Pitfalls To Avoid In The Healthcare Market

By Jenifer Rees, Principal Quality Engineering Consultant and Andrew Hosch, security and development groups, Base2 Solutions

Healthcare data security is more important now than ever. Data breaches in healthcare exposed more than 16 million records in 2016 alone, and healthcare organizations remain an appealing target for hackers looking for sensitive information.

In order to keep data secure, these organizations must comply with HIPAA regulations, ideally through Health Information Trust (HITRUST) for comprehensive protection. Because HIPAA regulations are often vague, compliance mistakes are a common occurrence.

To improve cyber resiliency, follow these steps to avoid some common HITRUST compliance mistakes.

1. Don’t Skip Risk Assessment

HIPAA requires all organizations to conduct risk analyses, because they are essential for finding vulnerable areas within security systems, evaluating risk levels and applying sufficient safeguards. When updating security measures, a risk assessment is much more than just a preliminary step: it is the groundwork for all the changes that will make an organization safer.

It’s also not possible to simply perform one risk assessment and call it a day. As an organization changes and grows, it must continue to perform risk assessments to ensure security levels continue to adequately protect patients.

2. Don’t Duplicate Compliance Efforts

Many organizations that are trying to keep up with HIPAA also need to worry about Payment Card Industry (PCI) compliance, and the two sets of rules are often treated as separate initiatives within a bureaucracy. However, they have many rules and requirements in common, so to streamline efforts, evaluate and implement them together.

3. If An Emergency Occurs, Use An Incident Response Plan

Believe it or not, some organizations develop incident response plans to be activated in case of a data breach, but don’t utilize the plan once a breach occurs.

During an emergency, it’s easy to panic and forget that there are safeguards in place to protect the organization. Instead, follow the plan to help minimize the damage before it’s too late, and practice the plan in advance so the organization is fully prepared in the event of a breach.

If no incident response plan is in place, create one as part of any new security measures.

In order to efficiently comply with HIPAA regulations through HITRUST, start with an independent CSF assessor, which can help evaluate your organization’s current level of compliance and make the transition as easy as possible.

About The Authors
Jenifer Rees, a Principal Quality Engineering Consultant for Seattle-based Base2 Solutions, is a Certified CSF Practitioner (CCSFP) and a CSSLP, (ISC)². She is a skilled security engineer with demonstrated security competency within the software development lifecycle.

Andrew Hosch runs the security and development groups at Base2 Solutions and is a Certified CSF Practitioner (CCSFP), Certified Nessus Auditor, CWATP, and CISSP, (ISC)². He is a veteran IT operations director and technologist experienced in aerospace systems integration, technology strategy, and leading QA, security, and IT teams.