HITRUST Certification: Why It Makes Sense For Every Healthcare Organization
 Like most security/privacy executives in the healthcare community, I am not a big fan of audits. The mission of protecting our own information, as well as that entrusted to us by our customers, is a constant challenge. Responding to a series of unexpected and non-standard interruptions also presents additional complexities. Few of us have the time and resources to handle the demands of increasingly frequent and rigorous outside examinations while simultaneously overseeing all of the partners we bring to the table.
Of course, as Managing Director of Corporate Risk, Information Security, and Privacy for a leading healthcare information technology (IT) provider, I recognize that audits are sometimes necessary. As a result, I have taken steps to more effectively respond to those requested by our customers. At the same time, I have put in place measures to limit their impact on the partners and associates from whom we also must obtain assurances.
IS THERE A PRESCRIPTION THAT CAN ADDRESS SUCH A DEMANDING ENVIRONMENT?
I have spoken with many of my peers, and all of them consider the audit burden an unavoidable condition of our industry. If you’ve only had to deal with one or two audits a year so far, consider yourself lucky. Moreover, whether you sponsor or are subject to audits (or both), a number of recent and emerging security and privacy changes are making our environment more challenging than ever before, including the following:
Greater Security and Surveillance Requirements. We must be able to respond to an unprecedented array of aggressive security and surveillance measures, such as:
- Increased Regulation – Massachusetts and Nevada are only the latest states to enact or strengthen data security laws, and the pace of such state legislation continues to accelerate.
- Increased Enforcement – The Health Information Technology for Economic and Clinical Health (HITECH) Act provisions of the American Recovery and Reinvestment Act (ARRA) are just the latest in a series of laws targeting the healthcare industry. HITECH also gave each state's Attorney General (AG) new authority to enforce HIPAA. In January 2010, the Connecticut AG became the first to invoke this authority by filing a lawsuit against a covered entity for violating the Health Insurance Portability and Accountability Act (HIPAA).
- Increased Rigor – Earlier this year, HHS published a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Privacy, Security and Enforcement Rules, alongside its work on the Breach Notification Rule, in order to resolve outstanding questions and increase rigor. Under the NPRM, both Business Associates (BAs) and Covered Entities are obligated to obtain “satisfactory assurances” that their associates and subcontractors have a suitable security/privacy posture. Whether such assurances can be satisfied purely contractually, or require actual assessments, remains unsettled. Few of us have the wherewithal to independently evaluate each and every partner with whom we interact, yet it is clear that rising expectations and reduced risk appetites on the part of customers and regulators mean that all of us will need to boost program rigor. The fact that HHS recently withdrew the breach notification final rule from Office of Management and Budget (OMB) review to allow for further consideration suggests that I am not the only one to reach this conclusion.
- Increased Risk Transference/Reduced Risk Tolerance of Customers – Increasing enforcement means that covered entities must ratchet up the oversight of their business associates. Every covered entity to which we provide hosting services, systems development or business solutions support recently required risk-transference revisions to our BA Agreements pursuant to HITECH, and we are seeing more and more organizations adopt such risk-transference strategies for dealing with the burden of compliance.
Greater Audit Volume. With each passing year, more audits are being requested and conducted. Last year, we were subject to more than 30 major IT security and privacy audits. Each one required approximately one person-month of effort to support, so collectively our audit volume represented more than 2.5 person-years of work.
Additionally, we had more than two dozen third parties that exchanged information with us and/or potentially had access to our data, as well as to the data we hold in custody on behalf of covered entities (e.g., subcontractors, our disaster recovery hotsite vendor, our backup tape courier, cleaning crews, etc.). For each of these organizations, we were obligated to evaluate their security posture, which required an additional 1.5 person-years of effort.
Greater Customer Demand. Then there is business development and growth. The customers to whom we each provide services are asking more and more about data security and privacy. When we launched our Application Service Provider (ASP) hosting services decades ago, few customers asked any security-related questions. Now, I routinely expect to respond to a complex set of security questionnaires. Unfortunately, no two customers share exactly the same concerns, and consequently no two audits are identical.
WHY ARE HISTORICAL APPROACHES NO LONGER SUFFICIENT?
We have always taken information security and privacy seriously and have built and maintained programs with rigor to match. Unfortunately, each of the once-effective techniques we adopted for demonstrating this to our customers has, in turn, become insufficient:
Self-Documenting. First, we designed our security program to be “self-documenting”: evidence of control adherence was produced automatically as a byproduct of following the control process itself.
Central Repository. Second, we built and maintained a “central repository” of evidence to support the hundreds of security control requirements to which we were subject. Initially, this lowered the effort required to support each individual audit, but the savings did not keep pace with the growth in audit volume.
White Paper. As the volume of audits to which we were subject continued to grow, we opted to publish a 20-page white paper describing all material aspects of our security program. For a while, this approach worked well.
Third-Party Audits. Eventually, it became necessary for us to obtain an outside auditor’s opinion to satisfy customer requirements, with the Statement on Auditing Standards (SAS) No. 70 being the one most often requested. Now, we are finding that even the SAS 70 has limited utility: it does not prescribe a standard set of controls (each service organization defines its own control objectives), so there is no industry-established “common yardstick” for evaluation or comparison.
WHAT CAN WE LEARN FROM THE PUBLIC SECTOR?
Perhaps it’s time for us in the private sector to adopt a model similar to the one the federal government uses. For our government-sector business, we are subject to various federal security legislation and control requirements, the most significant of which are the Federal Information Security Management Act (FISMA) and the control catalog it effectively mandates, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. SP 800-53 documents more than 500 individual security controls and control enhancements for federal information systems and organizations. Although this may seem excessive, the benefit is a common set of controls on which all federal agencies have standardized. Because of this, we (1) know what our government customers expect of us, (2) have a single standard to which we can hold our partners, and (3) can design our security programs effectively.
WHAT BETTER ALTERNATIVE CAN PRIVATE-SECTOR HEALTHCARE ORGANIZATIONS CONSIDER?
For all of its benefits FISMA is not without its limitations, and I am not advocating its adoption in the private sector. That doesn’t mean we shouldn’t have a standard of our own. Have you heard of the Health Information Trust Alliance (HITRUST)? It is a healthcare industry-specific alliance of healthcare, business, technology and information security leaders, led by a seasoned management team and governed by an Executive Council made up of leaders from across the healthcare industry. This body of experts understands the very challenges we’ve been discussing. HITRUST has set the development of the Common Security Framework (CSF) as a major objective, and its security standard is poised to become the pre-eminent benchmark for private-sector health organizations across the country. The CSF is the first information security framework developed specifically for healthcare, and it promises to provide us the benefit of standardization that FISMA has provided to federal agencies:
- Leverage Existing Work – The CSF incorporates and is consistent with other recognized standards and requirements, such as those of the International Organization for Standardization (ISO), the Payment Card Industry (PCI), the Federal Trade Commission (FTC) and Control Objectives for Information and Related Technology (COBIT). Organizations that have already aligned their practices with such standards are well on their way to leveraging that existing work.
- Flexible Model – Unlike other models/frameworks, the CSF recognizes that there is significant variation among the types of organizations in the healthcare space. Differences exist between payers and providers. Even within organizations of the same type, variations exist based on size, scope and organizational maturity. Fortunately, the CSF is an adaptable model that includes standard controls when applicable yet scales to organizations of differing purposes and sizes.
- Prescriptive Details – There is a lot to be said for the fact that the HIPAA Privacy and Security rules stipulate that covered entities take a risk-based approach to determine what controls are needed. In many cases, though, we have found that there has been too much flexibility and lack of specificity that have created confusion between us, auditors, customers or other third-party groups. This can expose us to increased expenses because of emergency fixes and/or costly rework. Fortunately, the CSF offers prescriptive detail to determine exactly what we need plus clarity in the form of a road map for getting there.
Finally, the HITRUST Alliance has also learned another important lesson for reaching a critical mass of adoption. It offers free CSF access to all registered members of HITRUST Central, its online community for healthcare information security professionals.
WHAT ARE THE BENEFITS OF HITRUST ADOPTION?
As a customer-driven organization, we first became aware of HITRUST and its security model more than a year ago when a customer asked if we had obtained–or were pursuing–certification under the CSF. Since that time, we have become extremely familiar with the model, have now incorporated it into our overall control framework and are actively pursuing certification. We expect to achieve our certification later this year and already are realizing significant benefits, including the following:
- Reduced Audit Fatigue – If you are familiar with HITRUST, you know that audits can become much easier because of the ability to reference a commonly understood control framework. Now, all concerned parties can “speak the same language.”
- Higher Participation Rates – Although few private healthcare organizations concern themselves with FISMA directly, quite a few covered entities, BAs and third parties may already have FISMA-compliant security programs. The existence of a FISMA-to-CSF mapping makes alignment easier and increases adoption rates among our partners.
- Increased Third-party/Partner/BA Accountability – You can reduce the workload required to vet your BA and third-party security/privacy programs by including language in your contracts that requests these organizations pursue certification under HITRUST. This will make it far easier and less costly to verify that they are organizations with whom you can do business.
- Easier to Conduct Business – For every partner that adopts HITRUST, it means one less audit you have to conduct and one less audit response that your partners must make. The real value, however, comes with the second, third and additional requests thereafter. Once an organization obtains its annual certification under the CSF, it can satisfy the requirements of every additional business partner who recognizes the value of the CSF as a “trust bridge,” with little to no additional effort.
- Better Use of Limited Resources – Ask your external auditor whether he or she is a HITRUST CSF Assessor. If so, you may be able to save yourself the cost of multiple individual audits. Because SAS 70 does not prescribe its own control set, we adopted the CSF controls as the “yardstick” for our SAS 70 engagement, which means we get both the SAS 70 report and HITRUST Certification from the same fieldwork for only a modest increment over the price of a single audit. Better still, you probably can work FISMA, PCI or other standards into the same engagement as well.
A FINAL THOUGHT
Even though we may have a way to go until the CSF becomes the universally accepted healthcare security standard, the more of us who adopt it, the better off we will be, because we will spend more time actually managing risk rather than reporting on it!
About Jason Taule, CMC, CPCM, CISM, CGEIT, CHSIII, CDPS, NSA-IAM – Managing Director, Corporate Risk, Information Security and Privacy, ViPS, A General Dynamics IT Company
Jason Taule is the managing director charged with promoting and coordinating enterprise-wide information security, risk management and privacy. As such, he reports directly to ViPS’ President and CEO, and is a member of the company management committee. On a daily basis, he manages a department that ensures appropriate security controls are in force throughout the enterprise and works with executive management to determine acceptable levels of risk for the organization and its varied business activities. To this end, he oversees risk management efforts across the company, working with information technology, human resources, communications, legal, facilities management and other groups to identify security initiatives and standards, and to implement and maintain the corresponding procedures and programs.
Prior to joining ViPS, Mr. Taule was the global director of the information security practice for a large international consulting firm where his communication and interpersonal skills and numerous accomplishments as a security specialist earned him recognition as an industry expert. He is a frequently published author and speaker; a finalist for the 2009 Information Security Executive of the Year; and is this year’s HITRUST Infosec Award Winner for Security and Privacy.