We live in an insecure world. From plain burglaries to sophisticated ransomware attacks against nation-states, there is a relentless and ongoing need to think carefully about the security of the technologies that make our lives possible.
This is especially true in healthcare. The sensitive data in medical records is a prime target for attackers, sometimes selling on the black market for 10 times the going rate for credit card numbers and Social Security numbers. A report from Check Point and Fortified Health Security found that in 2020, 79% of reported breaches came from the healthcare sector. In the first half of 2022 alone, 337 separate data breaches exposed a staggering 19 million healthcare records.
Even leaving aside public outcry or reputational damage, the financial repercussions of a data breach can be severe. With the average healthcare breach costing $10.1 million per incident, it is no surprise that, by one estimate, 60% of small to midsize businesses close within six months of a breach.
For all these reasons, cybersecurity experts working in the healthcare space have to take compliance seriously. It can (literally) be a matter of life and death.
The Challenge (and Payoff) of Compliance
Just because compliance is so important doesn’t mean it’s easy – quite the opposite, in fact. Complying with public-sector regulations has been called “the root canal of the IT profession,” and the analogy is apt: both are painful, messy, expensive, and seem to go on for eternity.
Perhaps this is why compliance work is usually done in a frantic scramble during those few times of the year when audits are taking place. This haste, in turn, breeds the sense among employees that compliance tasks are distracting scut work that takes time and energy away from their “real” jobs while offering no real payoff.
Viewed this way, we can sympathize with the lack of enthusiasm for regulatory compliance.
But this perspective tells only half the story. Diligent, comprehensive efforts to comply with public-sector regulations demonstrably improve your organization’s security, reducing the risk of data breaches and other intrusions.
As vexatious and tiring as regulations may seem, they serve as important guideposts for cybersecurity teams as they erect the policies, procedures, and controls which are the beating heart of sound compliance.
Unfortunately, as has been known to happen with public sector endeavors, there is now a bewildering thicket of cybersecurity regulations that healthcare companies need to understand to remain in compliance.
A mere sample of these regulations and standards (not all of which apply to every organization) includes the Federal Information Security Modernization Act (FISMA), the Federal Risk and Authorization Management Program (FedRAMP), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the European General Data Protection Regulation (EU GDPR), FIPS 140-2, Security Requirements for Cryptographic Modules (since superseded by FIPS 140-3), the ISO/IEC 27000 family of standards, NIST SP 800-171, and the Payment Card Industry Data Security Standard (PCI DSS).
Bewildering, indeed! It would not be hard to spend 40,000 electrifying words simply describing public-sector security regulations and how they function (though we’re not going to take up that particular challenge today).
Security teams can be forgiven for balking at the thought of trying to comply with dozens of separate laws and standards, each with its own controls and requirements. Sure, these frameworks overlap, but they weren’t written with each other in mind. Manually cross-walking them in the hope of simplifying the workload would be an exhausting task in itself, and hardly worth the extra effort.
But what if they didn’t have to? What if there were a way to bite the entire bullet all at once, participating in a single compliance framework that is respected throughout the industry and simultaneously meets the standards of nearly every major public-sector regulation?
This is where HITRUST certification comes in.
Putting Your Trust in HITRUST Certification
With over 1,800 security controls across 14 control categories, 75 control objectives, and 19 assessment domains, the HITRUST Common Security Framework (CSF) is a single, prescriptive set of controls built to satisfy the requirements of multiple regulations and standards at once. This “super compliance” framework incorporates requirements from many of the frameworks listed above, including HIPAA, HITECH, ISO 27000, FISMA, FedRAMP, GDPR, NIST, and PCI DSS, and each CSF control maps back to the source requirements it covers.
Because the HITRUST CSF subsumes security and privacy requirements from many different frameworks, organizations are able to utilize it to demonstrate their security and compliance in one fell swoop. “Assess once, report many” as the HITRUST Alliance likes to say.
However, getting a HITRUST certification is no walk in the park. Depending on how your organization handles protected health information (PHI), the complexity of your tech stack, and how much buy-in you have from leadership, the whole process can take anywhere from six months to upwards of 36 months.
Moreover, you'll have to pay hefty fees to both the HITRUST Alliance and your chosen third-party HITRUST assessor. Total direct costs can be anywhere from $40,000 to $160,000, not including various indirect costs involved with attaining HITRUST certification. You can learn more about what goes into the cost and timeline of HITRUST in this video.
Is a HITRUST Certification Worth it?
To be clear, HITRUST is an investment, not an operational expense. Nevertheless, it’s a pricey investment that can put significant pressure on your bottom line. We’ve already covered costs and timeline. Here are five major benefits of making an investment in HITRUST.
Benefit One - HITRUST Certification Helps Grow Your Business
In June 2015, a number of the largest health insurance payers, including Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group, announced they were giving all vendors two years to achieve HITRUST certification. Overnight, 7,500 companies had a new compliance framework they needed to understand, establish, and maintain.
For companies in the healthcare space wishing to serve the payer and provider market, it will be difficult to maintain a competitive edge if your product offering doesn’t meet HITRUST standards. If your competitors are certified and you’re not, they will be perceived as the safer choice. If the situation is reversed, however, you’ll have a leg up on the competition.
Benefit Two - HITRUST Certification Can Accelerate Your Sales Cycle
Bringing on new technology partners means introducing new risks and attack vectors into your environment. Therefore, healthcare companies can’t be blamed for taking third-party risk management very seriously, rigorously vetting every potential partner for security competency as a best practice.
If you’re trying to strike a partnership with a healthcare company, you can expect a lengthy examination by its security team to be part of the process. Unless, of course, you’re HITRUST certified, in which case much of this tedium goes away: your HITRUST report can stand in for a large part of the vendor questionnaire, because an independent assessor has already validated your controls against a stringent standard. This not only saves time and effort, it also improves your ability to ink a deal.
Benefit Three - HITRUST Reduces Your Risk of a Breach
We’ve already covered the value hackers and cybercriminals put on health records and the devastating consequences of a breach, so I won’t belabor the point here. HITRUST is a robust security framework designed to reduce the risk of a data breach across your entire technology stack. No certification makes an organization immune to attack, but reducing the chance of becoming the victim of one is the single biggest reason to pursue HITRUST certification.
Benefit Four - HITRUST Simplifies Compliance Management
Likewise, I’ve already touched on HIPAA, HITECH, FISMA, FedRAMP, and NIST, and there are others besides (FTC requirements among them). Navigating this patchwork means IT teams must keep many compliance plates spinning throughout the year. With a HITRUST certification, these myriad overlapping workflows can be consolidated, transforming many piecemeal compliance cycles into one workflow.
In addition, regulatory bodies constantly release updates to compliance frameworks, which is frustrating for overtasked teams that feel they’re chasing a series of moving targets. Thankfully, the HITRUST Alliance continually updates the CSF to reflect these changes. By keeping up with the ongoing HITRUST assessment activities, organizations can stay current with evolving regulations.
Benefit Five - HITRUST Certification Helps Manage Third-Party Risk
In 2022, a majority of healthcare data breaches resulted from vulnerabilities at third-party vendors, according to a recent report from HealthITSecurity. This reinforces the need for strong third-party risk management and underlines the fact that cybercriminals increasingly target vendors rather than health systems directly.
Obviously, it’s not possible to run your business without interfacing with third parties. So how can you ensure this doesn't put your business in danger? Becoming HITRUST certified means you can also avail yourself of the HITRUST third-party assurance program. This streamlines the process of evaluating the dangers posed by various third parties, allowing you to reduce the time, money, and resources spent on vetting them.
Simplify your HITRUST Certification with the Right Cloud Partner
In a world where more and more healthcare information is stored in the cloud, HITRUST certification will only become more important. The certification process can be involved and drawn out, but choosing the right cloud partner can reduce the time and resource investment significantly.
What’s more, working with a hyperscale cloud service provider like Amazon, Microsoft, or Google makes maintaining compliance easier. Unlike an on-prem data center, where many security controls must be implemented and evidenced by hand, the cloud makes it easier to automate infrastructure management and to satisfy a large share of HITRUST’s controls out of the box. One caveat: under the shared-responsibility model, the provider’s certifications cover only the layers it operates; the configuration of your own workloads, identities, and data remains your responsibility, which is exactly the gap that control inheritance is meant to document.
If you want to accelerate your HITRUST journey, consider working with a certified HITRUST inheritance provider such as Cloudticity. Cloudticity offers over 350 inheritable or partially inheritable controls that you can take advantage of in your HITRUST assessment. So if your assessment consists of 600 HITRUST controls, you could nearly cut that in half by inheriting from Cloudticity! Learn more about Cloudticity’s HITRUST inheritance program.