No More into the Breach

In America’s celebrity culture, it is easy to become famous. If you are a hospital system whose tablets might be leaking sensitive patient data, or an insurer whose cloud provider has suspect network security controls, a resulting breach might land you on the Office of Civil Rights “Wall of Shame” — the Department of Health and Human Services website that publicly lists such breaches.

What’s scarier is that those posted breaches represent only the tip of the iceberg. HHS estimates that the 57,000-plus reports of breaches represent less than 1 percent of those that happened from September 2009 through May 31, 2012. That’s a considerable amount of data leakage despite all the federal regulations in place that prohibit it. Now add the move to a digitized system of electronic health records (EHRs) and an explosion of data on networked cloud and mobile devices, and you have a recipe for a multi-fold increase in vulnerabilities.

For good reason there are heightened concerns around health data privacy and security: personal health information is worth 50 times more to thieves than credit card or Social Security numbers, and the FBI estimates that healthcare fraud costs the country $80 billion a year. So, how can healthcare organizations facing a proliferation of regulations, like HIPAA, HITECH and business associate requirements, reconcile all these data security demands while contending with these emerging electronic risks?

One reaction came from President Obama, whose February 2013 Executive Order calls for developing voluntary cybersecurity standards for critical parts of the private sector. Fortunately, the healthcare industry set those wheels in motion nearly six years ago, and the result is the HITRUST “Common Security Framework” — the most comprehensive and rigorous approach for healthcare organizations to ensure information privacy and security, while harmonizing these compliance requirements. This Common Security Framework (CSF) was born out of the HITRUST Alliance, a consortium of healthcare institutions, including Humana, McKesson and Highmark, and security and healthcare experts who united to standardize a higher level of security that would build greater trust in the electronic flow of information through the healthcare system.

To appreciate the HITRUST CSF, consider the two-fold challenge it helps organizations fulfill: the regulatory matter of complying with federal regulations and the practical matter of becoming a secure organization. Achieving one does not confer the other. HIPAA was the first federal law to mandate standards to protect the privacy and security of health information; it was later strengthened by the HITECH Act, which increased the obligations around data breach notification and the penalties associated with breaches. These laws place the onus of compliance on the shoulders of “covered entities” and, by extension, their “business associates” or suppliers that come into contact with electronic Protected Health Information (ePHI).

Regulations, like HITECH and the newly updated HIPAA Omnibus Privacy & Security rules, focus on enforcement at the policy level. But understand: these policies and regulations, on their own, do very little to prevent hackers or rogue employees from stealing information. What has been missing for organizations that create, store and share health information is nuts-and-bolts guidance on how healthcare technical systems and data can be secured. The HITRUST CSF was created for that purpose: to provide organizations — whether hospitals, insurers, medical labs or cloud service providers — with a robust, cost-effective set of security controls that both fulfill the compliance demands and harden their systems.

The HITRUST CSF draws from 17 different information security frameworks (such as ISO27001/2, NIST 800-53 and PCI-DSS), removes duplicate and overlapping controls, and synchronizes them into one overarching framework that is both prescriptive and measurable. The CSF contains 13 Control Categories comprising 42 Control Objectives and 135 Control Specifications. These include specifications for managing both physical and logical access, authentication of end users, asset management and personnel security. The specifications are based on best practices and scale according to the type, size and complexity of the organization applying them. For example, a 10-person clinical practice that might lack expertise and resources may use only a self-assessment to establish how well it is protecting patient data, whereas a larger insurance provider may opt for independent certification of each of its data centers. The choice of how to use the CSF is left up to the organization using it.

HITRUST in Practice

To ensure consistent application of the CSF across organizations, the HITRUST Alliance has created the HITRUST CSF Assurance Program — if the CSF is the heart of HITRUST, the CSF Assurance Program is the brains. It offers a practical mechanism for validating an organization’s compliance with the framework, and it provides a way for organizations to decide which of their healthcare ecosystem partners are trustworthy enough to share Protected Health Information (PHI) with.

The Program specifies common requirements, methodology and tools that enable healthcare organizations and their business associates to take a consistent approach to managing compliance and to assess and report against multiple sets of requirements. The approach typically progresses through three phases: a Self-Assessment Phase, a Validation Phase and a Certification Phase.

The Self-Assessment Phase proceeds as its name implies. Organizations fill out a series of online questionnaires that help them baseline their security program. In the Validation Phase, a HITRUST assessor works with an organization to review more substantive evidence of compliance beyond the questionnaires. The most rigorous phase is the Certification Phase, in which the HITRUST assessor conducts on-site controls testing that leads to submission of a certification report to the HITRUST Assurance Committee — the body that ultimately awards HITRUST Certification status to participating organizations. This independent review process removes the biases and conflicts of interest that sometimes occur with other compliance programs.

While certification is no guarantee against a data breach, an organization that meets the criteria for HITRUST Certification can be assured it is addressing and reducing risks — particularly those emerging from the adoption of EHR technology, with health data propagating among network-accessible cloud data centers and mobile devices. Even if an organization opts not to obtain certification, which is not a requirement, the HITRUST CSF improves security while reducing compliance costs and complexity.

For those healthcare organizations that want higher levels of assurance (validated or certified) and reporting, the best approach to implementing HITRUST is to be coached through the process by a HITRUST assessor company from the start, which reduces the time and expense of achieving certification. The assessors are rigorously screened to ensure they can competently address technical security issues such as firewall monitoring and management, audit trail logging and analysis, multi-factor authentication schemes and data encryption strategies. The screening process verifies that these companies have an established process for conducting compliance audits and quality control, and that they are current on HITRUST developments for guiding clients through the nuances of the certification process.

As its name implies, HITRUST provides a level of trust and seal of approval. With the nation’s healthcare system undergoing a transformation, more egregious data breaches are likely to occur without a set of security controls more comprehensive and stringent than the regulations they’re meant to appease. HITRUST answers that need.

Bruce Gnatowski is Senior Director of Cybersecurity Consulting at SecureInfo, a HITRUST assessor. For more information, email him at