Guest Column | June 27, 2018

HITRUST Certification — A Rigorous Process Well Worth The Effort

By Jay Llewellyn, AMC Health


Data breaches and security continue to be a top issue in the healthcare industry. A recent RSA Data Privacy Report found that 59 percent of the 7,500 respondents were concerned about their medical data being compromised, and for good reason: the healthcare industry continues to be a prime target for hackers.

Why is this the case? The obvious answer is that most healthcare organizations manage large amounts of sensitive electronic health and financial data. Hackers understand that an attack can put patient care at risk, making healthcare providers more likely to negotiate with ransomware operators when their systems are compromised. Additionally, the industry’s reliance on technology has significantly increased in recent years. Medical IoT devices, such as those offered by telehealth programs, are improving access to healthcare by connecting to patients’ homes to track biometrics such as blood glucose, weight and blood pressure. While these are positive improvements, they also leave data vulnerable to hackers.

Due to these concerns and other factors such as customer demand, obtaining Health Information Trust Assurance (HITRUST) certification has become a priority for healthcare providers and vendors. Since there is no true HIPAA (Health Insurance Portability and Accountability Act) certification, the only way to prove HIPAA compliance is to be assessed by a third-party auditing authority under HITRUST.

What Is HITRUST Certification?

The HITRUST Common Security Framework (CSF) provides a prescriptive framework for managing the security requirements inherent in HIPAA and seeks to eliminate the variability and wasted resources common in healthcare compliance. It offers organizations a benchmark against which they can measure and manage their own compliance, while offering proven protection to their customers and partners. In addition, healthcare organizations can use this unified compliance framework to support multiple regulations, such as HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act), in a single framework that combines standards for efficiency. Achieving HITRUST certification is a daunting task, yet one that offers many benefits both externally and internally for customers, partners, and your own organization.

Overview Of The Process

While HITRUST certification affects all employees, the most senior information security person usually leads the charge and forms a working committee. Eventually this committee will expand to include IT, HR, Software Development, Marketing, Quality and all departments in your company. The first step is to perform a self-assessment of your company to evaluate your compliance with each HITRUST requirement. There are 19 categories of control requirements, which vary in size, complexity and the regulatory factors that apply to your company.

Next you will need to identify any gaps that must be addressed and develop a corrective plan to close those gaps. One of the most common gaps for organizations is the need to update their Business Continuity & Disaster Recovery security frameworks. This involves not only putting certain disaster recovery processes in place, but also making sure that all policies and procedures are documented to meet certification requirements. Another common gap is the lack of a comprehensive Audit Logging & Monitoring system. This includes having policies and documentation in place on what should be logged and on how the log information will be protected. A third common gap is around Configuration Management, which focuses on keeping operational software compliant with security standards. To meet the HITRUST requirement, organizations must provide evidence of comprehensive governance, process definition and adherence, configuration management, change management and Incident Management, including Disaster Recovery and Business Continuity.

Once you have addressed your company’s gaps, the next step is to engage an independent auditing firm to assess your organization’s compliance with the HITRUST CSF. These third-party assessments are mandated by HITRUST and result in a report and certification of the organization. The auditor will review the content your organization has prepared for the HITRUST CSF assessment and provide additional direction to help the process. This includes helping you understand what evidence is required, working with you to set your baseline configuration, and assisting you with uploading the evidence.

The HITRUST Alliance then evaluates the assessor's analysis and report prior to issuing certification. Once the necessary information has been verified, it can be submitted to HITRUST for certification.

Reaping The Benefits

HITRUST certification is an arduous process, but the benefits are immense. It provides a prescriptive approach that reduces complexity, risk and cost while protecting sensitive patient data. One of the biggest internal paybacks is that it dramatically decreases your organization’s variability. Variation is undesirable in the workplace because it creates uncertainty about whether a desired outcome will be produced. Predictable results come from consistency. HITRUST creates the environment for consistency to occur and, as a result, will decrease the stress level in your company while increasing productivity, because people can focus on their jobs rather than on putting out fires. Yet the most compelling advantage relates to your credibility with customers and partners. A third-party certification that addresses all of the security aspects of HIPAA provides peace of mind to all those who engage with your organization, knowing that it has taken the provable steps necessary to protect sensitive information.