In America’s celebrity culture, it is easy to become famous. If you are a hospital system whose tablets might be leaking sensitive patient data, or an insurer whose cloud provider has questionable network security controls, a resulting breach might land you on the Office for Civil Rights “Wall of Shame,” the Department of Health and Human Services website that publicly lists such breaches.
What’s scarier is that the posted breaches represent only the tip of the iceberg. HHS estimates that the 57,000-plus breach reports it received from September 2009 through May 31, 2012 represent less than 1 percent of the breaches that actually occurred. That is a considerable amount of data leakage despite all the federal regulations that prohibit it. Now add the move to digitized electronic health records (EHRs) and the explosion of data on networked cloud services and mobile devices, and you have a recipe for a many-fold increase in exposure.
There are heightened concerns around health data privacy and security for good reason: personal health information is worth 50 times more to thieves than credit card or Social Security numbers, and the FBI estimates that healthcare fraud costs the country $80 billion a year. So how can healthcare organizations, facing a proliferation of requirements such as HIPAA, HITECH and the business associate rules, reconcile all of these data security demands while contending with these emerging electronic risks?
How HITRUST Works
One reaction came from President Obama, whose February 2013 Executive Order calls for the development of voluntary cybersecurity standards for critical parts of the private sector. Fortunately, the healthcare industry set those wheels in motion nearly six years ago, and the result is the HITRUST Common Security Framework (CSF): the most comprehensive and rigorous approach available to healthcare organizations for ensuring information privacy and security while harmonizing their overlapping compliance requirements. The CSF was born out of the HITRUST Alliance, a consortium of healthcare institutions (including Humana, McKesson and Highmark) together with security and healthcare experts, who united to standardize a higher level of security that would build greater trust in the electronic flow of information through the healthcare system.
To appreciate the HITRUST CSF, consider the two-fold challenge it helps organizations meet: the regulatory matter of complying with federal rules and the practical matter of becoming a secure organization. Neither one guarantees the other. HIPAA was the first federal law to mandate standards protecting the privacy and security of health information; the HITECH Act later strengthened it by expanding the obligations around data breach notification and raising the penalties for such incidents. These laws place the onus of compliance on “covered entities” and, by extension, on their “business associates,” the suppliers and service providers that come into contact with electronic Protected Health Information (ePHI).
Regulations such as HITECH and the newly updated HIPAA Omnibus Privacy and Security Rule focus on enforcement at the policy level. But understand: on their own, these policies and regulations do very little to prevent hackers or rogue employees from stealing information. What has been missing for organizations that create, store and share health information is nuts-and-bolts guidance on how healthcare technical systems and data can actually be secured. The HITRUST CSF was created for that purpose: to give organizations, whether hospitals, insurers, medical labs or cloud service providers, a robust and cost-effective set of security controls that both satisfies the compliance demands and hardens their systems.