The Journey from HIPAA Compliance to HITRUST Certification

In today’s complex technological world there is always a hostile threat environment waiting to exploit the gaps in an organization’s processes and technology. People and organizations with malicious intent act on such opportunities and cause lasting damage to the organization’s reputation and finances. Securing the organization’s information and information assets is therefore of paramount importance. There are several ways to do so; for example, an organization may deploy strict controls such as access control, physically secured equipment areas, authorization and authentication.

The healthcare industry is no different, and is not safe from the malicious intent of hackers and trespassers. Sensitive healthcare information such as patient data, recovery status and personal information always needs to be safeguarded. Hence the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996; it outlines protection and security standards for healthcare data. HIPAA is a public law that can be considered landmark legislation for the 1990s: before its enactment there were no federal security standards or requirements for protecting healthcare information. While HIPAA is an act that sets standards for compliance, HITRUST is an organization that helps you meet those standards by means of an industry-acclaimed certification.

Transitioning from HIPAA Compliance to HITRUST Certification

Moving from HIPAA compliance to HITRUST certification is not a straightforward journey. It demands sustained effort and adjustments on the part of the organization. Organizations that are HIPAA compliant often assume that HITRUST certification will be an easy walk; in reality the path is rigorous and demanding. HITRUST certification is an exhaustive, comprehensive process, and organizations usually must scale up their security program to meet it.

The common pitfalls or roadblocks organizations face on the journey from HIPAA to HITRUST are:

  • HITRUST requires exhaustive policies and procedures spread across 19 domains of information security. Organizations often fall short of the exhaustiveness and robustness that HITRUST mandates in their documentation
  • The HITRUST certification process mandates the actual implementation of solutions and security controls. In many cases, organizations that are HIPAA compliant do not have enough security controls in place to even be eligible for HITRUST certification
  • HIPAA compliance is largely a self-declaration by the organization’s management based on its own view of the entity’s security posture. When such an organization goes for HITRUST certification, it often comes as a revelation that it does not pass, because its security posture is not strong enough. HITRUST certification is a comprehensive and rigorous assessment of an entity’s security posture
  • HITRUST prescribes how sensitive and covered information (ePHI, PII, etc.) must be stored and handled. Compared with HIPAA, HITRUST is more specific and stricter about the secure handling of ePHI
  • Unlike HIPAA, which carries defined penalties for violations, HITRUST enforcement comes from the healthcare industry itself: covered entities such as hospitals and payers require HITRUST CSF Certification of their vendors
  • HITRUST also claims that with its framework you can “assess once and report many”, meaning a HITRUST assessment can serve as the building block for other certifications and reports such as a SOC 2 report or a NIST SP 800-53 assessment. In that sense HITRUST is the more versatile and comprehensive of the two

How to attain HITRUST Certification?

Because HIPAA lacks a standardized framework, assessment process and certifying body, demonstrating HIPAA compliance is often an obstacle for healthcare technology vendors. HITRUST is an attempt to help vendors prove their security and to help covered entities streamline their security and compliance reviews of vendors. HITRUST stands for the Health Information Trust Alliance, an independent organization that issues the HITRUST CSF (Common Security Framework) certification to vendors who pass its rigorous security evaluation. Where HIPAA is a set of standards, the HITRUST CSF provides a prescriptive set of controls that satisfy not only HIPAA but other security standards such as PCI DSS and NIST. That makes HITRUST a valuable resource for risk management and compliance for any organization that handles sensitive data.

The 5 Steps to HITRUST CSF Certification

  • Step 1: Investigate the process
  • Step 2: Scope the project with the chosen HITRUST CSF Assessor
  • Step 3: Complete the CSF
  • Step 4: Validate the CSF with the assessor
  • Step 5: Certify the CSF with HITRUST Alliance

The organization should first determine the business drivers for attempting certification which should include identifying key stakeholders, defining scope, and selecting an Authorized External Assessor Organization. HITRUST recommends a Readiness Assessment be performed to prepare organizations for the Validated Assessment. Organizations can involve Authorized Internal and External Assessor Organizations as part of the Readiness Assessment. Based upon the results of the Readiness Assessment the organization should develop a remediation plan and work with its Authorized External Assessor Organization to define the timing of the Validated Assessment. Before beginning the Validated Assessment, the organization will need to purchase a Validated Assessment object from HITRUST if they are not a subscriber. The organization will need to complete the Validated Assessment using the MyCSF tool and then the Authorized External Assessor Organization will be required to perform the validation/audit work. Once the Authorized External Assessor Organization’s work is complete, they submit the assessment to HITRUST for review. HITRUST will perform quality assurance procedures, create a report, and, depending on the scores in the report, will issue a Letter of Certification.

Thus, while HIPAA mandates a set of security and privacy safeguards, HITRUST provides both the framework and the certifying body that evaluates an organization’s compliance against it. Achieving HITRUST CSF Certification requires significantly more time, effort and resources than a HIPAA audit, and being HITRUST CSF Certified should be seen as a more significant badge for security and compliance than completing a HIPAA audit. The journey from HIPAA compliant to HITRUST certified is, in short, a demanding security compliance journey.

Risk Management Framework – Managing & Measuring what matters

A risk management program lets you manage overall information security risk. It is an approach to identify, quantify, mitigate and monitor risks. Looking at risk comprehensively ensures that no one area gets too much attention, or too little. Frameworks also help you identify the bigger elements of risk that need review and mitigation, and help you prioritize the treatment of specific risks. Adhering to a recognized risk framework also gives your customers comfort that a standard risk management process is in place, which reduces your audit burden.

Typically, a risk management program comprises the following phases:

  • Risk identification
  • Risk analysis
  • Risk evaluation
  • Risk treatment
  • Risk Monitoring

A good risk management framework will have the following characteristics:

  • Comprehensive in types of risks it covers
  • Practical for an organization to implement
  • Updated with current real-world risks
  • Based on controls that can be reviewed and audited
  • Reliable so that your vendors and customers can accept it

There are many risk management frameworks to choose from, and it is important to understand the advantages of each.

Common risk management frameworks include:

  • NIST CSF
  • SOC 2
  • ISO 27001
  • HITRUST

The NIST Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology, is a comprehensive cybersecurity framework. It is widely accepted across company sizes and business domains, and most cybersecurity professionals know it well because it is freely available. Although widely available and popular, it has no certified third-party audit mechanism, so it can only be self-assessed.

SOC 2 Type 2 is an internal controls report over a scope you define. It is widely used in the United States to show the maturity of your controls. A CPA firm affiliated with the American Institute of CPAs (AICPA) conducts the audit and issues the report. The AICPA itself does not audit or review the report for completeness or quality.

HITRUST CSF is a framework that leverages NIST, SOC 2, ISO 27001 and other sources to create a more comprehensive standard. It is widely implemented in the United States by organizations in the healthcare space. Unlike the others, although external assessors are involved in the certification process, HITRUST itself reviews every assessment and issues the certificate. It also tends to be the most expensive of the frameworks above to implement.

It is important to choose a framework that matches your long-term security goals and needs. At Accorian, we work with all of the above frameworks. We help organizations choose the right framework and aid with the implementation by augmenting our team into your security team to steer the rollout, resolve queries, choose the right controls and workarounds during mitigation advisory, facilitate the selection of vendors and products, and provide end-to-end program management.

1 Minute Guide to the Updated HITRUST Scoring & Metrics for 2020

At the start of the year, HITRUST released an updated methodology for scoring requirements. It is meant to ensure that organizations focus on maintaining a robust program with implemented controls that improve security posture and adherence to HITRUST.

Hence, if you’re on the path to HITRUST or new to it, the following will be applicable to you:

  1. HITRUST now places greater emphasis on the implementation of controls.
  2. This can increase the number of Corrective Action Plans (CAPs) due to gaps in implementation.
  3. The increase in implementation CAPs should correspond with a decrease in the number of CAPs attributed to gaps in policies and procedures, as well as an increase in the managed and measured scores if controls are implemented well.
  4. A greater emphasis will be placed on procedure in comparison to policy.
  5. HITRUST wants to ensure that SOPs are well documented, but more importantly, followed with workflows and ownership.
  6. Assessors and enterprises will now be able to objectively score each control using the Control Maturity Rubric.
  7. Managed now holds greater importance in comparison to measured.

The key takeaways are as follows:

1) Change in weightage

  Maturity level    Old    New
  Policy            25%    15%
  Procedure         25%    20%
  Implemented       25%    40%
  Measured          15%    10%
  Managed           10%    15%

2) Updated HITRUST Control Maturity Rubric

An objectively defined control maturity rubric is now in place. It helps quantify the current state of controls during self-assessments by prospective HITRUST enterprises and during validated assessments. There are 5 tiers for assessing the strength of each maturity level (policy, procedure, implementation, measurement and management) and 5 tiers for assessing coverage and adherence.

3) Applicability

The new scoring rubric is applicable for all myCSF material created and all assessments (self and validated) submitted to HITRUST in the year 2020.

4) Will the new scoring metrics impact already certified organizations?

Not yet, but it will play a role in re-certification. The metrics associated with the original assessment will be applicable for the interim assessment. 

Due to the updated assessment guidelines, companies up for re-certification will be required to implement their CAPs associated with implementation. In turn, this will aid in increasing your implementation score, and, consequently, increase your scores for measured and managed.

Insider Threats – Healthcare’s Crippling Reality

We read about new security issues, threats, vulnerabilities, attacks and ransoms every day. While most of what is published concerns external threats, another, often-overlooked hazard lies in wait: insider threats.

What are Insider Threats?

An insider threat is an often-overlooked security threat from within an organization. Often an employee, contractor, business associate or third party, an insider is anyone who had, or still has, access to proprietary information within the organization. Because such breaches are unexpected, traditional security measures and products often fail to prevent and detect them.

Why should organizations be concerned?
  1. 75% of internal breaches go unnoticed. An employee logging-in is easily overlooked in comparison to an external threat.
  2. Internal breaches are twice as costly and damaging as external threats due to the longevity of the breach and the detection lag
  3. 69% of organizations that were breached internally had a prevention solution in place, but still failed to detect the attack.
  4. On average, it takes 32 months to detect an internal breach.
  5. 65% of insider breaches are unintentional; privileged users, whose mistakes have the widest reach, are therefore the largest risk for organizations.
  6. Not every breach is the result of maliciousness, recklessness, or negligence, but regardless, the presence of human error in internal breaches means organizations have to invest in training, education, and technology that work with the user in mitigating insider threats.
Why should Healthcare organizations be concerned?

Hackers use highly targeted phishing campaigns to gain access to healthcare organizations’ networks, a critical reminder of the need to train and educate employees frequently. In general, healthcare entities detect external hacking incidents faster than insider incidents: there are many cases of hacking incidents discovered within a day, while insider incidents have gone undetected for years. Healthcare is the industry most exposed to internal threats, with 59% of all its breaches in 2018 involving internal actors (Verizon DBIR 2019).

Current State of Healthcare –

  • 15 million patient records were breached in 2018 over 503 breaches. 139 were internal breaches responsible for over 2.3 million patient records. (Protenus Breach Barometer 2019)
  • 32 million patient records were breached in the first half of 2019 across 285 breaches; The new Protenus 2019 Breach Barometer found the number of breached patient records tripled from 2017 to 2018, as healthcare data security challenges increased.
  • 91% of healthcare organizations have had at least one data breach involving the loss of patient data in the last two years (Forbes)
  • 68% of patients are not confident that their medical records are secure with their healthcare providers (Ponemon Medical Identity Threat Report)
How should Healthcare organizations manage & mitigate this threat?
  • Proactive insider threat monitoring: User and Entity Behavior Analytics (UEBA) and endpoint controls
  • Auditing & managing privileges & permissions
  • Implementing a device management policy
  • Security training and testing among employees
  • Policies & Procedures for increasing accountability amongst employees & contractors
  • Incident Response Strategy & Plan
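The monitoring and privilege-audit items in the list above are, in practice, detection logic run over the EHR access audit trail. The following Python is an added example and is not code from Accorian, HITRUST or the original post. It assumes a simple CSV audit log (timestamp, user, role, patient ID, action), an HR feed of terminated accounts, business hours for non-shift roles, and alert thresholds; all of these and the log lines themselves are constructed for the example. It implements three UEBA-style checks: a per-user volume baseline (a day on which a user touches far more distinct patient records than on their other days), off-hours access for roles that keep business hours, and any access by an account that HR says should already have been disabled.

```python
"""UEBA-style insider-threat checks over a constructed EHR access audit log."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample log (assumed format: timestamp,user,role,patient_id,action).
# nurse_amy: 3, 2, 3 patients on her first three days, then a spike of 10 on 06-06.
# bill_bob: one record a day, but one export at 23:30 (billing works 08:00-18:00 here).
# ex_carl: still logging in after his assumed termination date.
SAMPLE_LOG = """\
2019-06-03T09:12:00,nurse_amy,nurse,P1001,view
2019-06-03T09:40:00,nurse_amy,nurse,P1002,view
2019-06-03T10:05:00,nurse_amy,nurse,P1003,view
2019-06-04T08:50:00,nurse_amy,nurse,P1004,view
2019-06-04T11:20:00,nurse_amy,nurse,P1005,view
2019-06-05T09:00:00,nurse_amy,nurse,P1006,view
2019-06-05T09:30:00,nurse_amy,nurse,P1007,view
2019-06-05T14:00:00,nurse_amy,nurse,P1008,view
2019-06-06T09:10:00,nurse_amy,nurse,P1009,view
2019-06-06T09:12:00,nurse_amy,nurse,P1010,view
2019-06-06T09:14:00,nurse_amy,nurse,P1011,view
2019-06-06T09:16:00,nurse_amy,nurse,P1012,view
2019-06-06T09:18:00,nurse_amy,nurse,P1013,view
2019-06-06T09:20:00,nurse_amy,nurse,P1014,view
2019-06-06T09:22:00,nurse_amy,nurse,P1015,view
2019-06-06T09:24:00,nurse_amy,nurse,P1016,view
2019-06-06T09:26:00,nurse_amy,nurse,P1017,view
2019-06-06T09:28:00,nurse_amy,nurse,P1018,view
2019-06-03T10:00:00,bill_bob,billing,P2001,view
2019-06-04T10:00:00,bill_bob,billing,P2002,view
2019-06-05T23:30:00,bill_bob,billing,P2003,export
2019-06-06T10:00:00,ex_carl,nurse,P3001,view
"""

# Assumed HR feed: account -> date from which it should have been disabled.
TERMINATED = {"ex_carl": date(2019, 6, 1)}
# Assumed business hours (start inclusive, end exclusive) for roles that do not work shifts.
BUSINESS_HOURS = {"billing": (8, 18)}
SIGMA = 3.0       # volume threshold = mean + SIGMA * stdev of the user's other days
MIN_VOLUME = 8    # never alert below this many distinct patients/day (noise floor)


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def parse_log(text):
    """Parse CSV audit lines into Event objects, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, patient, action = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def volume_anomalies(events):
    """Flag days on which a user touched far more distinct patients than their own baseline."""
    per_day = defaultdict(lambda: defaultdict(set))
    for e in events:
        per_day[e.user][e.ts.date()].add(e.patient)
    alerts = []
    for user, days in per_day.items():
        counts = {d: len(p) for d, p in days.items()}
        for d, n in counts.items():
            others = [c for od, c in counts.items() if od != d]   # leave-one-out baseline
            if len(others) < 2:
                continue  # not enough history to form a baseline
            mean, sd = statistics.mean(others), statistics.pstdev(others)
            threshold = max(mean + SIGMA * sd, MIN_VOLUME)
            if n > threshold:
                alerts.append(Alert("volume", user, f"{d}: {n} patients vs baseline {mean:.1f}"))
    return alerts


def off_hours(events):
    """Flag access outside business hours or on weekends for roles that keep office hours."""
    alerts = []
    for e in events:
        window = BUSINESS_HOURS.get(e.role)
        if window is None:
            continue
        start, end = window
        if e.ts.weekday() >= 5 or not (start <= e.ts.hour < end):
            alerts.append(Alert("off_hours", e.user, f"{e.ts.isoformat()} {e.action} {e.patient}"))
    return alerts


def stale_accounts(events, terminated):
    """Flag any activity by an account on or after its termination date."""
    return [Alert("stale_account", e.user, f"{e.ts.isoformat()} after termination {terminated[e.user]}")
            for e in events if e.user in terminated and e.ts.date() >= terminated[e.user]]


def detect(log_text=SAMPLE_LOG, terminated=TERMINATED):
    events = parse_log(log_text)
    return volume_anomalies(events) + off_hours(events) + stale_accounts(events, terminated)


if __name__ == "__main__":
    for a in detect():
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

Run against the constructed log it raises exactly three alerts: nurse_amy’s spike on 2019-06-06 (10 patients against a baseline of about 2.7), bill_bob’s 23:30 export, and ex_carl’s access after his termination date. The leave-one-out baseline keeps the spike itself from inflating the user’s own average, and the MIN_VOLUME floor stops a user with a baseline of one record a day from alerting on two; in a real deployment the thresholds, the role schedules and the HR feed would come from the organization’s own data rather than the assumptions here.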
How does HITRUST prevent Insider Threats?

HITRUST’s Common Security Framework (CSF) provides a comprehensive security blueprint for organizations to achieve and adhere to.

HITRUST requires organizations to have the following controls in place in order to prevent insider threats –

  1. Employee awareness & education
  2. Secure workplace and data practices
  3. Confidential data taxonomy
  4. Auditing & managing privileges & permissions
  5. Secure disposal/re-use of media/equipment
  6. Compliance to policies & procedures
  7. Acceptable use of assets
  8. Reporting of security incidents

HITRUST just released Version 9.3 of the HITRUST CSF. How will that affect your company?

On October 28, 2019, HITRUST announced the release of version 9.3 of the HITRUST CSF information risk and compliance management framework.

The HITRUST CSF is the foundation of the HITRUST certification process. It provides the risk management and compliance methods that help organizations ensure their security programs are aligned with, and meet, applicable compliance standards.

This new version of HITRUST CSF includes changes requested by the HITRUST community, corrections as needed and updated language to the glossary that effectively clarify terms found in the HITRUST framework.

New authoritative sources:

The California Consumer Privacy Act (CCPA), Cal. Civ. Code 1798 – Effective January 1, 2020, this act requires qualifying organizations to protect California consumers’ personal information and gives consumers the right to opt out of the sale of their data. HITRUST CSF v9.3 includes mappings and related information on the CCPA reflecting not just the original act but the amendments made to it during the recent California legislative session.

NIST SP 800-171 Rev. 2 (referenced by DFARS) – provides guidance on protecting controlled unclassified information in nonfederal systems and organizations. Separately, the HITRUST CSF maps to the NIST Cybersecurity Framework, so an organization can use the widely adopted HITRUST assurance program to demonstrate its implementation of the NIST Cybersecurity Framework. A 2018 Government Accountability Office (GAO) report to Congress recognized the alignment of the HITRUST CSF with the NIST Cybersecurity Framework.

The South Carolina Insurance Data Security Act 2018 (SCIDSA) 4655 – Effective January 1, 2019, the SCIDSA requires qualifying organizations to report and investigate cybersecurity events within specific time frames. HITRUST v9.3 provides controls needed for risk management and due diligence.

Updates to existing sources in HITRUST CSF:

  • AICPA 2017
  • CIS CSC v7.1
  • ISO 27799:2016
  • CMS/ARS v3.1
  • IRS Publication 1075 2016
  • NIST Cybersecurity Framework v1.1

How will it affect your company?

Organizations that are currently involved in a HITRUST assessment using version 9.2 will not be impacted by this new update. However, HITRUST plans to release version 10 in Q4 2020 that will include more enhancements to make the framework more efficient.

Premal Parikh, Managing Director of Accorian says, “The inclusion of these security acts shows that HITRUST is determined to stay up to date on the new information security advancements.”

To learn more about HITRUST CSF v9.3 contact one of our HITRUST practitioners and we can help you get informed about these updates.

To download the HITRUST CSF go to: https://hitrustalliance.net/hitrust-csf/

HITRUST Press release – https://hitrustalliance.net/hitrust-releases-version-9-3-of-the-hitrust-csf-incorporating-new-privacy-and-security-standards/

Lessons from our recent HITRUST Community Extension Program.

On August 27, 2019, Accorian facilitated a successful HITRUST Community Extension Program in New York City. Security and technology professionals from organizations in healthcare, finance and technology attended the town hall. Michael Parisi, VP of Assurance Strategy & Community Development, was the main speaker and did a great job informing attendees about HITRUST.

Lively discussions about the HITRUST process kept the event energetic. Real world examples and case studies helped attendees to see the benefits of becoming HITRUST certified.

John Langhauser, the co-founder of AdhereTech

John Langhauser, the co-founder of AdhereTech, explained how pursuing a HITRUST certification differentiated them from competitors.  AdhereTech provides software that uses smart pill bottles to provide patient support. They have found that being a HITRUST certified company in the healthcare industry has simplified their security conversations with potential customers.

Live demo of MyCSF® scoping exercise

Pete Niner, one of our HITRUST CSF Practitioners, conducted a live scoping exercise using the MyCSF tool. He also presented a case study of a client that benefited from the scoping exercise despite challenges.

Pete recommended that the scope of the HITRUST assessment be made very clear and kept as minimal as possible. Legal and compliance obligations should be precisely scoped and included only where required.

Key Points from Michael Parisi

The main objective of the CEP event was to promote awareness of the HITRUST process while promoting the benefits of the certification.

Michael Parisi spoke about the journey to certification, the types of assessments and products such as the HITRUST Threat Catalogue, Assurance Program and the Shared Responsibility program.

In addition to answering questions from the audience, Michael Parisi stressed the importance of performing a risk analysis before starting the HITRUST framework. A few people had concerns about the procedures used by assessors during the process. Michael assured them that every audit is reviewed by HITRUST and that all assessors are held to the strict guidelines of the process.

HITRUST has seen an increase in adoption of the HITRUST CSF outside the healthcare and public health sector, and internationally. Future plans for the HITRUST Alliance include:

  1. Launching HITRUST CSF v10 in 2020
  2. They plan on providing services for GDPR certifications.
  3. HITRUST VC Council will be launched later this year.
  4. HITRUST is working with the FAIR Institute to create a threat catalogue to help with risk management.

Simplifying the Readiness Assessment

Premal Parikh, Managing Director of Accorian, shared the HITRUST certification methodology that his team uses to assist their clients to achieve certification. He focused on the pros and cons of doing a readiness assessment without the aid of a HITRUST Practitioner. He explained how guidance from an experienced assessor during the self-assessment increases the quality of the validated assessment.

“Participating in this HITRUST CEP was a great experience. It was an opportunity to share lessons learned with people in our industry to help them understand the complexities of HITRUST and risk management. We plan on partnering with HITRUST again in 2020 to produce more of these events throughout the United States.”
– Premal Parikh

We encourage people who are interested in this certification to take advantage of this free opportunity. It’s a great way to learn all you can about HITRUST to simplify the process and effectively implement the procedures in your programs.

As authorized HITRUST CSF experts, Accorian has experienced practitioners that are prepared to answer any questions you have about HITRUST. Contact us if you would like to see the presentations from this event or if you have any questions.

7 Ways to protect your Healthcare Data in 2019

In 2018, 15 million patient records were breached across 503 healthcare incidents, three times the number of records breached in 2017*. As breaches continue to escalate, healthcare records are becoming a big target and are valuable on the black market.

1. Where is your data and how is it protected?

Most organizations don’t know where and how much health data they possess. Mobility and easy access to data adds to the risk. The usage of IoT and other handheld devices also add a layer of complexity.

2. Train your staff on anti-phishing techniques

The healthcare industry suffers more from insider threats than external ones, and hackers use targeted, sophisticated social engineering to induce the human error that lets them in. These advanced phishing techniques, increasingly backed by automation and crimeware kits, exploit the weakest link in security: humans. It is important that employees are educated so that they are not fooled into giving a hacker access to the network.

3. Is your Network being monitored 24/7?

Hackers don’t take a day off and neither should your security. Attacks are becoming more sophisticated and harder to detect and defend against in real time, so real-time security monitoring and a robust incident response plan are key. Increasingly, that monitoring leverages AI to detect and respond to threats on your network in real time.

4. Increase your budget for cybersecurity

Successful data breaches significantly impact the bottom line of organizations. This includes fines, legal & investigator fees, the loss of credibility, reputation, customer confidence, valuation and changes in the CXO level. Cyber insurance premiums have also increased due to impact & cost of data breaches in 2018. It’s important that your organization devotes enough funds to cybersecurity because it will be costlier if your company has a data breach.

5. Make sure that your Data is compliant

Newer privacy laws around the world add complexity to information sharing. The healthcare industry has a reputation for not always complying with GDPR, HIPAA and other data protection rules, and frameworks such as HITRUST exist to demonstrate that compliance. Partnering with a security firm to help you get compliant will decrease your chance of being fined.

6. Are your IOT** medical devices secure?

Medical devices are becoming more digitally connected to increase patient care. However, just like computer systems, they can be vulnerable to security breaches. Increasing your adherence to the FDA’s Medical Device Security guide will reduce your chance of cyber-attack.

7. Partner with a cybersecurity company for long-term protection

The lack of security experience & skills in the healthcare industry often leaves organizations vulnerable to an attack. It’s best that Healthcare companies work with a security partner that specializes in their industry and stays ahead of cyberattacks.

Accorian is your full-service cybersecurity partner. We can help you protect your data, monitor your networks, conduct security tests and provide anti-phishing training for your employees. Contact us today to find out how we can help your business.

Sources:
*Protenus 2019 Breach Barometer
**Internet of Things
Source: Verizon’s DBIR 2018
