HITRUST Vendor Certification Can Boost Cybersecurity in the Face of Hacking Tidal Wave
September 17, 2019
Senior Director, IT
Healthcare Financial Resources, LLC
Despite widespread industry determination to bolster healthcare information security, the number of health data cyberbreaches continues to explode nationwide, causing chaos for providers and payers and putting millions of patients at risk for identity theft.
More than 25 million patient records have already been breached in 2019, up 66 percent from the 15 million records stolen through all of 2018, and up 400 percent from the 5 million records exposed in 2017.
The onslaught highlights the systemic vulnerability of the healthcare sector and reflects the value hackers place on patient information, which typically offers a trove of rich personal data for identity thieves.
Fighting on two fronts
Experts say thwarting cyberattacks requires hospitals and physician groups to fight on two fronts: Internal systems and networks must be secured, and breaches initiated through connected third parties must be prevented. The latter threats can be extensive, due to providers’ increased reliance on third parties for a wide range of support services.
Defending against third-party hazards also is problematic, since provider knowledge about the security of third- and even fourth- or fifth-party platforms is necessarily limited. Moreover, the ability to impose fixes typically is out of reach.
The good news is that momentum is building behind an industry-led effort aimed at creating the same level of security for information sharing in healthcare that has long existed across the payment processing industry.
Known as HITRUST®, the initiative provides a risk management framework, standards and guidance for systematically securing information and sharing it in compliance with HIPAA and other applicable guidelines. In essence, HITRUST offers a detailed roadmap for achieving and maintaining compliance with over 40 authoritative sources, including HIPAA.
The avalanche of breach events so far in 2019 underscores just how vulnerable providers are to cyberattacks originating outside their walls. Three of the five largest healthcare breaches this year, in fact, involved third parties:
- A billing vendor, American Medical Collection Agency, was hacked for eight months straight between August 2018 and March 2019. Patient data from at least six covered entities was affected. So far, it is believed a least 25 million patient files were exposed, including approximately 12 million from lab giant Quest Diagnostics and 7.7 million from competitor LabCorp.
- Insurer Dominion National experienced ongoing hacking for nine years before the breach was spotted and sealed in April of this year. Data on an estimated 2.9 million patients was potentially exposed.
- A ransomware attack on Wolverine Solutions Group, a company providing multiple outsourced business services to healthcare companies, is believed to have compromised information on more than 600,000 patients. Many providers and payers in Michigan were especially hard hit.
To limit third-party breaches, the HITRUST process focuses on the HITRUST CSF, which synthesizes multiple compliance standards and guidelines, including HIPAA, PCI, ISO/27001 and ISO/27002, and NIST SP 800-53. In addition to strengthening vendor security, certification creates what is, in effect, a Good-Housekeeping-like seal of approval for vendors that allows them to quantify their security competencies to existing or potential customers.
The CSF addresses 19 different domains–from third party security and network protection to mobile device security–and requires readiness assessments against 135 specific controls. HITRUST offers three progressive levels or degrees of assurance, from a HITRUST-issued CSF Self-Assessment Report to CSF-Validated and finally CSF-Certified. The latter may take up to three months to complete.
For vendors and providers, ensuring HITRUST certification represents a significant improvement over traditional, “take your word for it” business agreements between vendors and covered entities that relied primarily on self-attesting compliance with HIPAA.
An active defense
Beyond requiring HITRUST certification from vendors as a condition for doing business, providers can also boost third-party security through efforts in four key areas, according to the Healthcare Information and Management Systems Society (HIMSS).
- Conducting thorough vendor due diligence
- Classifying the level of risk associated with each vendor function and relationship
- Ensuring ongoing communications with vendors about emerging security concerns
- Exploring cyber-liability insurance to mitigate the cost of potential breaches
Practicing what you preach
A leader in accounts receivable recovery and resolution, several of Healthcare Financial Resources (HFRI) key systems are HITRUST CSF® certified to help ensure the highest level of security for protected health information.
 Jessica Davis, “The 10 Biggest Healthcare Data Breaches of 2019, So Far,” Health IT Security, July 23, 2019.
 Travis Good, “What is HITRUST?,” Datica.com, May 10, 2018.
 “Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53,” HITRUST. June 2014.
 Rob Pierce, “What is HITRUST? A Practical Guide to Certification,” Linford & Company LLP, September 26, 2018.
 Ronald Hirsch, MD, “Vendor Security Risk Management for Healthcare Organizations,” HIMSS Privacy and Security Committee Brief, 2015.