HIPAA carries a lot of weight, but it is merely a set of guidelines that healthcare companies (and technology providers who work with them) must follow when handling Patient Health Information (PHI). For people imagining a team of inspectors showing up unannounced to offices worldwide for a surprise checkup, or to administer a results-oriented audit before gaining compliance, know that this isn’t the case when it comes to HIPAA.
In fact, the lack of any official certifying entity makes it possible for businesses handling PHI to give themselves a badge of compliance based on their technology and processes alone. A HIPAA icon found on a healthcare provider’s or security vendor’s website is not meaningless, however. These organizations know penalties from the Office for Civil Rights (OCR) pack a rightfully devastating punch, and so they must invest in the song and dance of showing they have the power to protect PHI, even without proof that their systems are actually doing so.
Despite the superficial nature of HIPAA compliance, providers are still under pressure to “prove” that they have a clean bill of health when it comes to the guidelines. They can currently do this via self-assessments involving documentation of access policies, technology settings, employee standard operating procedure manuals, backups and more. Compliance is a necessary effort for providers, but because the evidence for these settings and technologies lives on paper alone, patients don’t realize that HIPAA provides less assurance than it should.
Entities like HITRUST have sprouted up to deal with this gap, both by using technology to proactively and reactively enforce HIPAA compliance, and by helping providers make it a core pillar of their operational success rather than an obstacle to it. The tools available today make risk management and PHI security attainable for healthcare providers, and HITRUST takes full advantage of them. It is designed to strengthen the foundations of information security and make compliance easier to achieve than ever. But how?
What is HITRUST?
While HIPAA is a solid framework for protecting medical records, and gives patients privacy regarding who can gain access to their information, it is also subjective on the part of providers. HITRUST is not simply a template that allows healthcare providers to say all the right things regarding their compliance – it goes beyond this. Technically, HITRUST is the group that built and continues to manage the CSF, or Common Security Framework, which is certifiable and combines multiple compliance models: HIPAA most notably, but also PCI, ISO, NIST, FTC, COBIT and others.
According to the HITRUST website, it is “a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.”
The approach taken by HITRUST is simple yet thorough. Crucially, a HITRUST certified provider is also a HIPAA certified provider, and can offer more than a hollow pledge to follow the rules without any audit to see that the security controls put in place are actually working. To maintain HITRUST compliance, an organization can choose to self-assess or complete a third-party audit, but either way it must pass all 19 parts of the CSF test every two years:
- Healthcare Data Protection & Privacy
- Information Protection
- Wireless Protection
- Transmission Protection
- Network Protection
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Third Party Security
- Physical & Environmental Security
- Configuration Management
- Vulnerability Management
- Password Management
- Incident Management
- Risk Management
- Access Control
- Audit Logging & Monitoring
- Education, Training & Awareness
- Business Continuity Management & Disaster Recovery
With each domain outlined in the CSF, providers have a clearer template to follow, which makes preparing for the whole gamut of required certifications less of a guessing game. Medical practices and healthcare providers are therefore able to unify their compliance efforts in one process, and guarantee protection for their patients rather than offer a mere promise. Thankfully, unification is also occurring in the security industry, lowering the barrier to compliance even further.
Unified Security Models a Must
To give providers peace of mind over their compliance, HITRUST’s universal security framework is complemented by security vendors that take a similarly consolidated approach. While no single security vendor is yet able to deliver total CSF compliance, this is the direction the industry is heading. Network as a Service, for example, empowers providers to deploy network and security tools in an integrated manner with existing local and cloud resources. Consuming just one product for both access management and data security tools makes it much easier for would-be compliant companies to quickly pass multiple sections of their CSF audit.
With both security technologies and compliance frameworks aligned in their increasing simplicity, providers will soon be rid of their confusion over compliance. Most important, however, is that those who see a HITRUST compliance badge can be confident that the healthcare they receive employs the most up-to-date, and proven data security tools. This will encourage a more accountable healthcare sector, and prevent the all-too-common idea of a PHI breach from impacting the trust between patients and practices.