The health care industry is seeing its fair share of cyber attacks these days, and it is concerned about the need for an industry-wide baseline set of security controls. To that end, the HITRUST certification is designed to improve health care cyber security by providing a basic framework to work from (emphasis added):
The certification will provide outside assurance to covered entities, but also be a plus for vendor partners, according to Ray Biondo, chief information security officer at HCSC, the largest customer-owned health insurance company in the United States.
“I want to make sure as an industry we don’t all go out and try to get minimum security requirements from each of these vendors and do it separately because it drives up costs for all of us, it’s inconsistent and it’s getting the vendors themselves bent out of shape,” he said. “Every time they try to sell their product or implement their solution to us or anybody else, they have to go through the same process over and over again. It’s very cumbersome.”
Adding some standardization to the process as an industry “will guarantee me that you’re at least meeting a minimum level of maturity with these common controls to protect your organization from a security breach,” he said. “These controls will not stop a hacker if they really want to get in, but if you can demonstrate you’re at least taking the necessary steps to increase your maturity level, our comfort level with doing business with you will greatly improve.”
Without such standards, he said, his company has to audit them individually.
“We’re in an awkward position. A lot of the companies that give us these solutions are as open to attack as anybody else, so it’s not just health care, it’s even the security suppliers. As an industry, we have to rally together to protect ourselves. I think this is the fastest, most efficient way to move that forward,” he said.
Even amid the growing prevalence of health care breaches, however, he said business associates are pushing back on making the certification mandatory.
Managing the security practices of business associates is a lot like herding cats. Add in a few offshore outsourcers who handle tasks such as medical transcription, coding and billing, and the scenario becomes even more complicated. Tennessee-based Cogent Healthcare learned that the hard way in 2013, when information on 32,000 patients was exposed because the firewall at an India-based transcription service was down.