HITRUST & Data Security - A Three Part Series
I've spent more than 20 years in IT leadership positions and more than 15 years managing global IT infrastructure, cybersecurity, and operations. During six of those years, I served as a CIO in the healthcare technology industry where I was responsible for protecting millions of patients' records. Like many in similar positions, I've witnessed the increased focus on data privacy, the never-ending attacks on and theft of personal health information, and their impact on costs overall, especially insurance. This blog is the first in a three-part series (Part 2, Part 3) discussing the Health Information Trust Alliance (HITRUST) certification, why it is essential for any business that stores and processes personal health information, and how a cloud-native data security solution accelerates and lowers the cost of achieving certification.
The Emergence of Regulation and Certification
Regulations are born out of a need for protection. For the healthcare sector, the Health Insurance Portability and Accountability Act (HIPAA) was the first federal mandate for data privacy and security safeguards for medical information. HIPAA was enacted in 1996, a time when few could predict the cybersecurity threats that would later emerge, threats that now affect not only patient privacy but patient care itself.
As time progressed, data leaks and breaches became more prevalent, which increased pressure on organizations to both reduce risk and demonstrate trustworthiness when storing and processing health-related data. Contrary to popular belief, there is no HIPAA certification: HIPAA sets requirements, but it does not define a certifying body or an audit program. To give organizations a way to prove they are adhering to best practices for protecting patient data, HITRUST created the HITRUST Common Security Framework (HITRUST CSF). HITRUST CSF, or simply HITRUST, is a certifiable security and privacy framework with a list of prescriptive controls, and an assessment against it is commonly used to demonstrate HIPAA compliance.
The cost of achieving HITRUST certification depends heavily on the size, complexity and risk profile of the environment. The number of systems, the total number of records, and the maturity of the security program all affect the overall cost and the time necessary to certify. Depending on the organization's risk profile, between 400 and 1,800 controls must be implemented and tested to achieve certification.
For a small organization with a lower-risk profile, the fee to HITRUST ranges from $6K to $15K, while the fee to the third-party assessor is around $30K. For larger organizations with a higher risk profile, the total cost is much higher and can exceed $150K.
None of the costs listed above include the indirect costs to IT and cybersecurity teams in lost productivity. Each of the 400 to 1,800 controls takes time to test in order to prove compliance, and given the high salaries of IT and cybersecurity staff, the labor and indirect costs of the audit can far exceed the combined fees paid to HITRUST and the third-party assessor. Rarely do organizations employ teams dedicated to HITRUST, so IT and cybersecurity teams must balance their daily duties against the overhead of proving compliance for certification. In addition, organizations must recertify every two years, with an interim assessment scheduled in each intervening year. Each of those interim assessments serves as an annual audit, so the overhead is continuous rather than a one-time project.
The Need for Data Inventory
One area where companies often struggle in getting their HITRUST certification is their data inventory. Organizations tend to store as much healthcare data as they can for as long as they can, often well beyond what any data retention requirement demands, in the hope of somehow, someday monetizing that data. Every copy retained this way stays within the scope of the assessment and every control applied to it must be tested.
Across all verticals, data is viewed as the new oil: something valuable if refined and used. But data, much like oil, can become toxic or even dangerous to an environment if stored incorrectly. Healthcare data is often spread across multiple systems and sometimes across more than one data center or cloud provider. Often that data has been stored for years, and the people who architected the original solution have long since left the organization. Worse, some organizations may not fully understand where all of their healthcare-related data is stored.
Solutions that make it easier to compile a data inventory can substantially reduce the time and cost needed for HITRUST certification, because the team can focus on the controls that need remediation rather than on locating the data those controls apply to. Knowing where the data is also allows protection to be concentrated around it. Healthcare data is a high-profile target for cyber criminals, so an accurate inventory lets your teams direct vigilance and protective measures to the systems that actually hold it.
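To make the inventory problem concrete, the following is an added example (not code from the original post or from any HITRUST tooling) of the discovery pass such a solution performs: scan each data store for records that look like protected health information and report which stores are in scope. The store names, sample rows, identifier formats and indicator rules are all constructed and hypothetical; a real deployment would enumerate actual tables, buckets and file shares and tune the patterns to its own identifier formats.

```python
import re

# Constructed sample data stores (not real systems): each key names a store and the
# value is a handful of rows as dicts, standing in for a table, bucket or file share.
SAMPLE_STORES = {
    "crm-db.customers": [
        {"name": "A. Person", "email": "a.person@example.org", "phone": "555-0100"},
    ],
    "s3://claims-archive/2017/batch.csv": [
        {"member": "MRN-00012345", "dob": "1970-02-14", "dx": "E11.9", "ssn": "123-45-6789"},
    ],
    "legacy-ftp/exports/lab_results.txt": [
        {"patient_ref": "MRN-00099887", "result": "HbA1c 7.2%", "collected": "2012-05-30"},
    ],
    "analytics.events": [
        {"session": "abc123", "page": "/login", "ts": "2024-01-01T00:00:00Z"},
    ],
}

# Hypothetical indicator rules (an assumption; real deployments tune these to their
# own identifier formats). Value regexes catch PHI hiding in free text or misnamed
# columns; field-name hints catch columns whose values have no distinctive format.
VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{8}\b"),
    "icd10_code": re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"),
}
FIELD_HINTS = {
    "ssn": "ssn", "dob": "date_of_birth", "birth_date": "date_of_birth",
    "dx": "diagnosis", "diagnosis": "diagnosis", "result": "lab_result",
    "email": "contact_identifier", "phone": "contact_identifier",
}
# Categories that on their own mark a store as holding health information.
HEALTH_CATEGORIES = {"mrn", "icd10_code", "diagnosis", "lab_result"}


def classify_row(row):
    """Return the set of PHI categories present in one record."""
    found = set()
    for field, value in row.items():
        if field.lower() in FIELD_HINTS:
            found.add(FIELD_HINTS[field.lower()])
        for label, pattern in VALUE_PATTERNS.items():
            if pattern.search(str(value)):
                found.add(label)
    return found


def build_inventory(stores):
    """Map each store holding sensitive data to its categories and scope decision.

    A store is in scope when it holds health information. Identifiers alone
    (email, phone, SSN) are sensitive PII but become PHI only when linked to
    health data, so stores with only identifiers are reported for review.
    Stores with no findings are omitted from the inventory.
    """
    inventory = {}
    for name, rows in stores.items():
        categories = set()
        for row in rows:
            categories |= classify_row(row)
        if not categories:
            continue
        inventory[name] = {
            "categories": sorted(categories),
            "in_scope": bool(categories & HEALTH_CATEGORIES),
        }
    return inventory


def in_scope_stores(stores):
    """Sorted names of the stores that hold health information."""
    return sorted(n for n, v in build_inventory(stores).items() if v["in_scope"])


if __name__ == "__main__":
    for store, info in build_inventory(SAMPLE_STORES).items():
        flag = "IN SCOPE" if info["in_scope"] else "review"
        print(f"{flag:9} {store}: {', '.join(info['categories'])}")
```

Run against the sample stores, the claims archive and the forgotten FTP export come back in scope (both carry medical record numbers, one also carries a diagnosis code and an SSN), the CRM table is flagged for review because it holds only contact identifiers, and the analytics table drops out entirely. The point for certification is the second and third results: the long-forgotten export is exactly the kind of store that an assessor will find and that inflates the control set, while the review bucket is where the "is this PHI or merely PII" judgement has to be made rather than assumed.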
HITRUST as Table Stakes
Cyberattacks against healthcare targets have risen sharply in the last few years. Rarely does a week go by without news of a healthcare provider being disrupted by a distributed denial of service (DDoS) or ransomware attack that impairs the facility's ability to deliver patient care. Those impacts on patient care are far more than an inconvenience; they can have deadly consequences for critical-care patients. Beyond these dangerously disruptive threats, the loss of patient records not only causes financial harm to a healthcare organization but erodes patients' trust in their providers. Lost trust is not easily restored and can drive patients to seek other providers.
I believe that in the next few years, becoming HITRUST certified will become table stakes for companies processing and storing health-related data. While we may be several years away from more stringent regulations in a revised HIPAA, the dramatic increase in the cost of cyber insurance along with patient demands for greater protection will force organizations to become HITRUST certified.
Not being certified may become too costly for organizations that want to compete in the space. Organizations that embrace HITRUST may also find it to be a competitive advantage that differentiates them in a sector being heavily disrupted by startups and emerging private-equity-backed players.