Every month, the Payer Security Focus will break down a different topic in security and compliance with information relevant to payers and actionable steps to help build a more robust security and compliance program at their organizations. This month’s topic is HITRUST.
What is HITRUST?
The Health Information Trust Alliance (HITRUST) is a private organization that established a Common Security Framework (CSF) that can be used by all organizations that create, access, store or exchange sensitive and/or regulated healthcare data. The CSF includes a prescriptive set of controls that seek to harmonize the requirements of multiple regulations and standards. When an organization is HITRUST Certified, it means that they completed a rigorous set of controls to prove they are effectively addressing security risks.
Why Should Payers Care?
To stay competitive in a changing healthcare landscape, payer organizations are building more comprehensive offerings that include multiple health plans (such as medical, dental, vision, etc.) and feature tools to help members better manage their benefits. This is usually achieved by working with vendors or merging with or acquiring other health plans.
Working with outside vendors is a great way for payers to expand their business in a scalable way. However, that growth can have a downside. Each connection creates a new potential vulnerability and can multiply the risks of a data breach.
That’s where HITRUST comes in. HITRUST CSF Certification is a validation that a vendor has met the necessary regulations and requirements to securely work with the payer’s data – essentially streamlining the vendor evaluation process when it comes to security and compliance standards.
What Are the Benefits to Payers?
- Healthcare and Payment Controls Together in One Certification
The healthcare and financial industries not only have the most regulated and strictest set of controls around data transmission but are also the industry’s most targeted by hackers and at the highest risk for data breaches. As a result, verifying that a vendor has met the high standards and requirements necessary to work healthcare payments can be a complex and time-consuming process for a payer organization. HITRUST effectively alleviates that burden for payers with a comprehensive set of controls that satisfy the requirements of both the healthcare and financial industries with the CSF Certification.
- Ongoing Commitment to Information Security
HITRUST CSF Certification isn’t exactly easy to obtain or something that can be considered “set it and forget it.” A vendor must go through a multi-step process to achieve HITRUST certification. After the initial certification process, vendors must go through interim assessments to ensure they are maintaining the levels of security that enable them to uphold HITRUST certification.
According to HITRUST, “By being CSF Certified, an organization is communicating to its business partners and other third-party entities (e.g., state or federal agencies) that sensitive information protection is both a necessity and priority, essential security controls are in place, and management is committed to information security.”
What Are the Challenges to Payers?
The perception of HITRUST CSF Certification is varied throughout the industry, ranging from a requirement, simplification and not necessary. Yes, HITRUST CSF Certification is a high standard for organizations to achieve. However, high standards are necessary when considering the risks to a payer organization and your members’ data. In 2016, there was roughly one health data breach per day. (See all the risks to payer data in last month’s Payer Security Focus infographic here.) The HITRUST CSF Certification allows payers to quickly and easily understand which vendors they can trust with their data and those that require additional vetting.
Your HITRUST Checklist:
- Require HITRUST CSF Certification on every RFI, RFP or business proposal for vendors that want to work with your healthcare or payment data
- Do an internal audit of all vendors currently handling data and verify that each vendor has HITRUST CSF Certification
- Require that any vendor without certification to get certified within a defined timeframe
- Only work with vendors that uphold the highest standards in security and compliance
Next month, the Payer Security Focus will take a closer look at how payers can achieve PCI compliance.