Vet Your IT Partners – Being HIPAA Compliant Isn’t Enough

The high-stakes threat landscape healthcare organizations operate in today demands that IT partners and hosting providers go beyond HIPAA compliance. It’s time to demand HITRUST CSF certification as well.

By Mona Abutaleb, CEO, Med Tech Solutions
Twitter: @MedTechSolLLC

August 2021 marked 25 years since the signing of the Health Insurance Portability and Accountability Act (HIPAA). While the law was initially designed to help healthcare providers effectively transmit health information and claims data, for many it is most commonly associated with the privacy requirements and stipulations to safeguard protected health information (PHI). That aspect of the law is even more relevant as the value of PHI makes it an increasingly attractive target of cybercriminals.

HIPAA requires that healthcare organizations of all kinds, as well as business associates of HIPAA-covered entities, implement administrative, physical and technical safeguards to protect patients’ PHI, and that they be able to demonstrate those safeguards through periodic risk analyses and assessments. Any IT vendor that creates, receives, maintains or transmits PHI on a covered entity’s behalf is a business associate and carries the same obligations. That is particularly salient for the managed services providers (MSPs) and cloud hosting providers that play a crucial role in the delivery, protection and storage of PHI in the cloud.

The move to the cloud is a good thing for healthcare. The requirements associated with protecting PHI, and the level of security and data protection these environments demand, are best left in the hands of seasoned services and solutions providers. Even for the largest hospital chains, building, maintaining and operating a high-performance, high-security data center can be cost-prohibitive.

Unfortunately, electronic health records (EHR) are among the most sought-after forms of private consumer data, valued for their illicit resale and extortion potential. For that reason, no healthcare organization is immune from a cyberattack. Any organization that uses, processes, delivers or stores health information is an attractive target. Small clinics and practices that once escaped attention are now just as at risk as large networks.

The ramifications of any breach of protected health information are also severe. Victims can expect a HIPAA investigation and potential fines, ransom demands, litigation from patients over the loss of personal information and, most importantly, the inability to provide care while core systems are taken offline. Lives can hang in the balance.

It’s Time to Go Beyond HIPAA Compliance to HITRUST Certification

While the move to the cloud is a move in the right direction, many cloud services providers serve numerous industries and may not understand the changing requirements of healthcare regulation. Being HIPAA-compliant and passing a periodic security assessment does not mean a provider is well-versed in the intricacies of patient information, how it is used and how it is best protected.

Nor do the requirements of HIPAA cover the increasingly complex nature of the threat landscape or its rapid evolution as new attack vectors emerge. That’s why it’s time for all healthcare organizations to insist that their IT vendors achieve HITRUST Common Security Framework (CSF) certification for their cloud infrastructure or migrate to a provider that is HITRUST certified.

HITRUST CSF incorporates more than 40 globally recognized standards and regulations, including HIPAA, NIST SP 800-53, ISO/IEC 27001 and 27002, PCI DSS, the Federal Trade Commission (FTC) Red Flags Rule, and Control Objectives for Information and Related Technology (COBIT). Altogether, HITRUST specifies more than 400 ongoing controls and processes to measure an organization’s ability to safeguard PHI; the exact set of requirement statements in scope for a given assessment is tailored to the organization’s size, systems and regulatory risk factors.

HITRUST CSF certification is difficult to attain. The assessment process is grueling and time-consuming, and few in-house healthcare IT departments have the resources required to attempt it. But HITRUST is the strongest framework available today for protecting critical healthcare data. Notably, HITRUST isn’t an “audit” per se: it requires organizations to incorporate best practices into their day-to-day management of internal operations as well as of customers’ systems and the data contained within them, and a certification is scoped to a defined set of systems and environments rather than to the company as a whole.

That’s why healthcare IT departments and the CIOs that oversee them should demand that their cloud provider be HITRUST-certified, and should ask to see the certification letter and confirm that the environment in scope is the one that will actually host their PHI. Putting extra security safeguards in place is crucial, especially as cyberattacks loom with horrific financial implications and a proven ability to shut down entire operations. Knowing that your partners are committed to mounting the most vigilant defense possible has never been more important.

Finally, all healthcare organizations should operate on the assumption that they are being targeted and that a breach could still occur. It’s imperative that they conduct incident response planning to ensure they are prepared for attacks, and that they have processes in place for threat prevention, detection and response, from phishing simulation training to established, rehearsed protocols to follow should a ransomware or other cyberattack occur. There is no such thing as absolute security, but by keeping these best practices in mind, healthcare organizations can be confident that they are as secure as possible.