Managing Cyber Risk in Health Care

When Anthem, the second largest insurance provider in the United States, revealed recently that its records had been compromised by hackers — resulting in the possible leaking of personal data of more than 80 million present and former customers — the incident became a much-needed wake-up call for the health care industry.

Unfortunately, Anthem is not the first company to experience a major data breach in the past 18 months. In 2014 alone, customer data, credit card information and intellectual property were stolen from Target, Home Depot, JPMorgan Chase, Sony Pictures and many others.  What recent history has taught us is that hackers are becoming more sophisticated, attacks are becoming more malicious and no industry or organization is invulnerable.

The public has moved on from asking, “How did this happen?” to asking, “Why does this keep happening?” The attention on privacy rights coupled with the growing costs of major data breaches are elevating the issue of managing the digital enterprise to the board level.

Increasingly, health organizations are looking to minimize their risks and reduce costs by hosting and managing data with third parties. In the battle to win, serve and retain customers, data security and privacy are becoming key differentiators and thus, a top business priority.

Service organizations that move beyond basic compliance measures and can demonstrate data-centric security infrastructures are poised for rapid growth over the next few years. Those companies will take into careful consideration choices for health care compliance efforts, as well as what security gaps are left after compliance efforts are met and how those gaps can be managed

HIPAA and HITRUST: Meeting Compliance Mandates for Health Care

For organizations looking to establish privacy as a competitive differentiator, they may find themselves stumbling through a maze of evolving and conflicting global privacy laws, business partner mandates and compliance mandates. Organizations are at a crossroads when deciding on the proper course of action for compliance with regulations applicable to the health care industry and how to manage risk to the security of sensitive health information.

What is HIPAA?

When it comes to data protection, the HIPAA Security Rule is comprised of three types of safeguards, all of which are designed to protect electronic protected health information (ePHI):

• Administrative Safeguards: Encompassing over half of the HIPAA Security Rule, Administrative Safeguards define the policies and standard operating procedures for how organizations must comply.
• Physical Safeguards: Simply put, these safeguards identify how an organization will control physical access to locations where ePHI resides.
• Technical Safeguards: When properly implemented, these preventative-type controls protect access to ePHI through the use of unique user accounts, automatic account logoff and user authentication, for example.

In addition to the above safeguards, companies that provide services to health organizations have additional requirements for organizational controls and policy and procedure documentation.

HIPAA is a federal government mandate and provides a basic compliance rule book, but experienced providers looking for an actionable roadmap to securing access and exchange of patient data often take the next step to obtain a HITRUST audit.

What is HITRUST?

The Health Information Trust Alliance, or HITRUST, is an organization gaining rapid awareness and credibility in the health care industry. Developed by health care and IT professionals, HITRUST’s Common Security Framework (CSF) helps health care organizations and business associates safeguard patient information through a more robust and prescriptive manner than a HIPAA Privacy or Security Rule assessment. Additionally, the framework also harmonizes other frameworks and regulatory compliance areas into a single framework that scales to organizational size and complexity. For these reasons and due to the amount of rigor associated with achieving HITRUST certification, it is often referred to as the “high-bar” for HIPAA compliance.

When you consider that virtually every health care service organization has more than one compliance obligation, the advantages of a HITRUST assessment become clear. Requirements for HITRUST can be translated and cross-referenced into multiple regulations and frameworks, including HIPAA, NIST, ISO, PCI, FTC Red Flag, and COBIT.

Considering the Difference Between Compliance Risks and Security Risks

Since the release of the HIPAA Privacy and Security Rules, health care organizations and their business associates have struggled to comply. While HIPAA is the federal mandate, HITRUST offers an appealing alternative to compliance in a more holistic and prescriptive manner.   By doing so, organizations can overcome the majority of criticisms of HIPAA compliance, including the fact that the regulation is nearly 20 years old and is difficult to interpret. Relying merely on HIPAA compliance leaves gaps in an organization’s IT security posture, even when the mandate is believed to have been met.

When it comes to compliance, the world of health care technology can be convoluted. HITRUST certification simplifies compliance by offering providers a tailored set of controls, founded on the expertise and best practices of leading health care IT experts.

HITRUST offers clarity and guidance to these challenges by providing the health care industry with a certifiable framework that incorporates and cross references the requirements of existing standards and regulations while considering organizational risk, including cyber risk. Certified HITRUST CSF assessors, their clients, and the industry as a whole now benefit from an industry-wide methodology that simplifies compliance through a common control, assessment and reporting structure. This allows service organizations of all sizes to become certified and spend less time worrying about compliance and more time focused on improving patient care.