Healthcare organizations must navigate a thick web of data security, privacy, and risk management. The variety of standards, overlapping or inconsistent regulations and ongoing legislation add layers of complexity unique to healthcare sector data security.
In response to this challenge, a group of healthcare industry leaders formed the Health Information Trust Alliance (HITRUST) and adapted disparate standards, multi-jurisdictional regulations, and diverse best-practice methodologies specifically to healthcare. The Common Security Framework (CSF) they developed has become a widely adopted standard for healthcare information security. With the CSF, HITRUST does the “heavy lifting” that many organizations don’t have the resources to perform themselves.
Determining appropriate levels of due diligence and specific safeguards to implement requires a comprehensive risk analysis consisting of:
- A threat and vulnerability analysis;
- An information valuation;
- A defined set of information security and privacy controls addressing the risk factors identified in the threat and vulnerability analysis (a process often referred to as “threat modeling”).
An internal risk analysis must also be cost-effective and provide the organization an acceptable level of security. Performed from scratch, such an analysis strains the resources of most organizations beyond what is reasonably possible. The solution for many is adoption of an external Risk Management Framework (RMF). The NIST RMF, for example, provides structure and guidance that helps federal agencies assess and reduce the risk to their information systems.
As HITRUST states in its RMF whitepaper, the HITRUST RMF represents a “fundamental and holistic change in the way industry manages information security and privacy-related risk by rationalizing relevant regulations and standards into a single overarching framework designed for industry and tailorable to an organization”.
For FRG, achieving HITRUST certification is a crucial step to continually meet the demands of our customers and our guiding principles as a company.
Preparing for HITRUST Security Certification
In the following Q&A, Erich Beyer, our Security and Compliance Director, outlines how we prepared for HITRUST certification, the challenges we faced in applying, and why HITRUST is important to us, our clients, and the healthcare industry as a whole.
What standards are you required to meet as a small business?
Many of our clients require a SOC 2 report and HITRUST certification. One of the main benefits of HITRUST certification is that it specifies its requirements on a case-by-case basis. Using criteria measuring risk, the size of the organization, and other parameters, HITRUST determines security controls and standards appropriate for each organization. These requirements are prescriptive but manageable.
What is the role of an external assessor in preparing for HITRUST Certification?
As with any credible certification framework, third-party verification and assessment are key. Independent verification is useful to reassure HITRUST that its requirements are met. There are multiple layers of assessment. These range from self-assessment questionnaires to onsite testing and analysis done by an independent CSF Assessor.
The assessor performs a random follow-up assessment a year after certification. The assessor also acts as a trusted advisor to help us maintain our specified requirements based on the HITRUST CSF.
What security checks/tasks are performed on a short-term regular basis (daily, weekly, monthly)? What reassessments are performed long-term (yearly)?
The CSF defines many tasks to perform. Broadly considered, these include weekly audit log reviews, monthly vulnerability scans, quarterly access rights reviews, and an annual risk assessment.
What challenges did FRG face in applying for HITRUST certification?
As you may expect, achieving HITRUST certification is a complex, if worthwhile, endeavor. It is an involved, resource-intensive process requiring a significant expenditure of time, management, effort, and financial outlay.
Some requirements are very complex, requiring process changes or implementing entirely new processes. This is challenging for any company with long-established standard operating procedures. For a small business, this is especially true.
How long did it take to prepare for HITRUST certification?
In all, nearly 10 months. Some requirements were already met but required proof of compliance. For others we put new processes and tools in place. The independent assessment was valuable, and it made us stronger and more resilient.
Looking at recent data breaches, how is FRG doing it better?
Data security has always been at the heart of what we do. Adding HITRUST certification is another level of assurance for our clients.
Phishing remains one of the biggest risk factors leading to a data breach. If a phishing attack is successful, it opens the door to ransomware and other data breaches. As we’ve discussed in Bolstering Healthcare Information Security, Part 2, employee training and awareness are among the most essential means of defense, especially against phishing and ransomware attacks.
FRG takes an “as if” approach: we operate as if an attack is already happening. This defensive stance keeps our guard up. We have a tested plan in place and know how to immediately respond to an attack. We test that plan annually and modify it as needed.
Our employee training and awareness program includes training videos all new employees must watch. We cover many topics but focus particularly on phishing as this is such a critical vulnerability if not properly addressed. All employees have monthly awareness sessions with new videos covering the latest developments. We also encourage employees to come to us with any questions about data security, “phishy” emails, or any other data and privacy concerns they have.
Many recently publicized breaches bear out the need for continued vigilance, which we discuss in Bolstering Healthcare Information Security, Part 1. Take the massive 2017 Equifax data breach, for example. From May through July of that year, the personal information of some 143 million people was exposed through a “website application vulnerability”. FRG doesn’t carry the same risk of exposure to millions of data records, but the message for us is clear. We must always do better, never become complacent, and constantly enforce the latest cutting-edge security controls to fully protect our clients’ data.
We believe, as expressed in the HITRUST website, that “information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.”
HITRUST certification is not, in and of itself, our security program. It is an important component of our whole program that helps us continually evolve our systems, procedures, tools, and processes.
The reality for all healthcare related organizations is that we are all targets. We will always remain vigilant to evolving threats.