Guest Column | September 5, 2017

HITRUST In Action: How Healthcare Organizations Use HITRUST To Protect Patients And Beyond


By Jenifer Rees, Principal Quality Engineering Consultant, and Andrew Hosch, head of the security and development groups, Base2 Solutions

Keeping data safe has become a complicated process in the last few years. In 2016, the United States saw a 40-percent increase in data breaches compared to 2015, exposing Social Security numbers, addresses and more. Also worth noting is the 320-percent increase in healthcare providers victimized by hackers, according to Redspin's most recent annual cybersecurity report.

These figures may be surprising, but they can also empower leaders to make informed decisions to protect their healthcare organizations. This is why the Health Information Trust Alliance (HITRUST) should be front of mind for healthcare institutions large and small. The HITRUST framework is the most widely adopted security framework in the United States healthcare industry, and there is a simple reason for this: it works.

The HITRUST Alliance has helped healthcare organizations meet HIPAA's security requirements for over a decade. HITRUST's security framework, developed and approved by IT and healthcare professionals, serves as a common benchmark across the healthcare industry: an organization that certifies against it demonstrates that the controls needed to properly secure protected health information are in place. And while HITRUST protects private patient health records, its scope of protection is wider than some in the healthcare industry may realize.

HITRUST Protects Your Patients

Patients expect their personal information to remain both private and secure, but that does not always happen. The previously mentioned Redspin 2016 annual breach report reveals that in 2016 alone, 16,612,985 individual patient records were compromised in large-scale protected health information data breaches.

However, some organizations still might not be aware of how HITRUST works to counter these attacks. In short, HITRUST's Common Security Framework (CSF) specifies the controls an organization must implement and have validated so that patient information does, in fact, remain private and secure. When a healthcare organization's partner or vendor has completed a HITRUST assessment and certification, a broad set of controls drawn from many security standards and regulations has been implemented and independently validated.

While HITRUST certification of a healthcare organization's third-party vendors helps ensure patients' information is properly protected, HITRUST's benefits go beyond patient care.

HITRUST Protects Your Healthcare Organization

Even if an organization is already compliant, that does not guarantee every company it partners with is. Every vendor partner working with patient records handles private information. To protect the handling of such sensitive data, HITRUST streamlines the security review process for all parties involved, both for outside vendors that need to demonstrate compliance and for an organization's already compliant team. Controls become uniform for all parties, and consistent data security and patient privacy practices become the norm.

Committing to use only HITRUST-certified third-party vendors is a strong indicator that patient information is being well cared for, and it also adds to the credibility of the institution at large. One practical check: a HITRUST certification covers a defined scope of systems and facilities, so confirm that the services you are buying fall within the scope of the partner's certification. With that confirmed, a partner's HITRUST certification means no longer spending days, weeks or months vetting the ins and outs of an outside company before proceeding with a business arrangement. An independent certified HITRUST assessor like Base2 can ease this burden and perform the vetting for all parties.

Managing Risk Starts With You

The Internet of Things (IoT) has changed how data flows through every modern healthcare organization.

A host of medical devices, such as glucometers, heart rate monitors, blood pressure monitors, and even thermometers, are often connected to each other and to online applications. This allows for a more extensive approach to healthcare, but every connected device is also a potential entry point, leaving a great deal of data exposed to attackers.

With IoT devices now woven into nearly every part of day-to-day life, and data breaches on the rise, hospitals need a comprehensive approach to managing risk, and it is not just the IT team's responsibility.

Redspin’s recent report concludes by reminding healthcare professionals that healthcare cybersecurity is everyone’s responsibility: “No longer the purview of IT, it is a cross-functional issue with far-ranging implications on operations, finance, legal, HR, procurement, reputation, and most importantly, patient care.”

To keep an organization's data secure, it is imperative that all vendors and business associates are HIPAA compliant, and a HITRUST certification is a well-established way to demonstrate this. In practice, this means making sure all labs and vendors that handle protected health information are HITRUST certified.

As purchasing teams evaluate vendors, consider adding another layer of assurance by working with an independent CSF assessor to determine a partner's level of compliance through third-party validated assessments.

About The Authors
Jenifer Rees, a Principal Quality Engineering Consultant for Seattle-based Base2 Solutions, is a Certified CSF Practitioner (CCSFP) and holds the (ISC)² CSSLP. She is a skilled security engineer with demonstrated competency in security within the software development lifecycle.

Andrew Hosch runs the security and development groups at Base2 Solutions and is a Certified CSF Practitioner (CCSFP), Certified Nessus Auditor, CWATP, and (ISC)² CISSP. He is a veteran IT operations director and technologist experienced in aerospace systems integration, technology strategy, and leading QA, security, and IT teams.