Written by Brian Selfridge, Partner, Meditology Services.
The healthcare delivery model is dramatically shifting based on advances with Accountable Care Organization models, innovations in healthcare IT, and cross-market acquisitions and partnerships. The lines of responsibility for securing health information are blurring across an increasingly complex delivery landscape. Regulatory enforcement has also ramped up in recent years, and there is growing pressure for healthcare entities to demonstrate compliance at a moment’s notice.
Large healthcare providers and payers have made a push in the last few years to mandate security certifications for third-party organizations and other business partners that manage or share sensitive information. As a result, many healthcare payers and business associates have achieved, or in 2017 started initiatives toward obtaining, security certifications including SOC 2® Type II and HITRUST CSF.
This wave of certifications has also begun to take hold in the provider community. Thought-leading healthcare providers have identified the emerging need for HITRUST CSF certification to demonstrate that health information remains protected consistently across the continuum of care as delivery models evolve. In some cases, providers are branching out into the healthcare IT innovation space and are themselves considered Business Associates as they offer and deploy new solutions to the marketplace outside of their own institutions.
Achieving HITRUST CSF certification for providers requires some calculated maneuvering to avoid common pitfalls that can stifle or doom certification efforts. For example, limiting the initial number of applications and supporting infrastructure to a handful of platforms is critical to achieving certification. Additional applications and organizational units can be included over time, but biting off too much in the first go-round can choke the organization’s resources with the sheer volume of controls and testing required. The scope should focus on those platforms that are aligned with the organization’s business drivers for certification.
A typical healthcare provider has dozens to hundreds of applications and platforms that store and manage sensitive information. HITRUST CSF certification scope should be limited, where possible, to those systems that are directly managed by the provider or to applications with strategic importance. Providers should require third-party vendors and cloud-hosted platforms to provide appropriate security certifications of their own, thereby reducing the cost of undergoing the HITRUST CSF assessment and certification process on the vendors' behalf.
Another common challenge for provider certification is failing to allow adequate time for remediation efforts and setting overly aggressive certification timelines. Typical remediation efforts to prepare for certification include the overhaul and creation of a substantial volume of supporting policies and procedures. Many providers have formalized policy governance and approval processes that need to be considered as part of remediation efforts.
The wave of HITRUST CSF certifications is likely to continue to grow for providers as the industry grapples with increasing breach events and regulatory and business partner expectations. Providers should take stock of their information security programs and develop a road map for achieving alignment with frameworks like the HITRUST CSF that can be certified over time to demonstrate security maturity and compliance.
Brian Selfridge is a Partner with Meditology Services.