Written by HITRUST Independent Security Journalist Sean Martin
Compliance is a fact of life in our business. Whether your organization is a direct healthcare provider, a part of the broader healthcare industry, or a vendor that serves the industry, there’s so much that must be done — and done correctly — and validated. Contracts and contract terms. Regulatory details and paperwork. Security requirements. Audits. Plus, if you are a healthcare organization, you must manage risk by ensuring that your myriad of third-party suppliers meet standards for compliance and security. Conversely, if you are a third-party supplier, you must demonstrate that same compliance over and over again to your customers.
Maintaining all those risk-assessment and other compliance-based requirements costs time and money. Tackling each requirement on its own can be quite expensive, and frustrating. Is there a better way? Yes. Use a framework approach. By using a framework, especially for managing third-party risk, you should be able to complete a single assessment and issue that report to a large collection of clients and partners.
Additionally, with the framework approach — and of course, we are referring to the well-respected, widely accepted HITRUST CSF — you can improve your own internal operations, by using a standardized vocabulary and process that’s consistent across the industry, instead of unnecessarily using your own terminology, definitions and procedures. By using a standard framework internally, and applying that framework consistently across your third-party providers, the controls are the same, yet the time spent gathering that data, and interpreting that data, is easier by an order of magnitude. Yes, you have to be compliant, but there is a way to do it that is much more effective and efficient.
Not only that, but by focusing on improving efficiency, you can assist your third-party providers in a way that makes their life easier as well, reducing their own overhead and making it easier to meet your requirements. With this, they will be more likely to want to work together to raise their security posture as opposed to merely meeting the letter of the law.
Think about this: According to a study from Ponemon, only 23% of organizations rated their capability to show compliance with leading security standards and frameworks as “high.” Yet 43% said they had high capability to minimize third-party security risks. What does that mean? They have the competencies, but it’s hard to demonstrate. That’s where a standardized framework like HITRUST CSF can benefit everyone.
From the healthcare organization’s perspective, using the HITRUST CSF can vastly simplify the process of ensuring that hundreds (or even thousands) of third parties are meeting those government regulations, industry rules and other best practices expected of them. Healthcare organizations can devote fewer resources to managing those third-party requirements, including initially verifying capabilities and passing necessary audits (when applicable).
From the third-party service provider perspective, as more and more organizations use the HITRUST CSF, this reduces the tremendous human resources and related operational costs associated with filling out laborious paperwork, especially paperwork that is oftentimes specific to a particular client and can’t be re-used for the next client making a similar request. Researching answers to questions that might be only slightly different from another customer’s compliance document can add to the price of products and services – and nobody wins.
This approach is a major factor behind established security frameworks like the HITRUST CSF, which are designed to make life easier (and costs of compliance lower) for both healthcare organizations, such as hospitals, insurers and providers, and also for business associates, and even those vendors that fall outside of the covered entity fold but could still have a material impact on your security posture — and quite possibly even your compliance posture. By having a standard set of compliance questions and documents, healthcare organizations can reduce the time required to manage the risk and compliance for their third-party vendors. And vendors can reduce the time it takes to demonstrate their security posture to customers and potential customers.
For example, one third party vendor in this industry, Clarity Software Solutions, recently achieved HITRUST CSF Certification. “Our clients continue to experience pressure to meet complex compliance requirements that include technical and process elements such as HIPAA, NIST, ISO and COBIT,” said Dan Schlaff, COO / Compliance & Security Officer. “Receiving our HITRUST CSF Certification allows Clarity to demonstrate its commitment to information security and the protection of PHI.”
Another well-known service provider – Microsoft – also achieved HITRUST CSF Certification for its Azure cloud computing platform. “The HITRUST Certification is the most widely recognized security accreditation in the healthcare industry,” explained Alice Rison, Senior Director for Microsoft Azure, adding, “It incorporates healthcare specific security, privacy and regulatory requirements from existing regulations such as HIPAA/HITECH, PCI, ISO 27001 and MARS-E as well as industry best practices. This certification provides a single framework that is tailored to health organizations to evaluate the Azure environment.”
Of course, for some healthcare organizations, those tough compliance questionnaires are more than simple tools for risk management. Purchasing departments might use them as a means to give the business associate agreement (BAA) more heft, more teeth. That’s a stick approach, though: while they may be necessary for risk mitigation purposes, it’s not good to try to increase third-party providers’ costs unnecessarily. Nobody wins in that situation.
That’s not to say that the use of the HITRUST CSF should be mandated by either party. It may not always fit a specific need, nor a specific relationship. Rather, it should be viewed as a means to actually drive value into the risk assessment process for all parties – that’s the carrot in the stick/carrot equation – in the forms of increased security posture across the board, reduced time, cost and effort to achieve compliance. The rewards are significant, since they are realized for every business partner. The deeper the framework is applied, the greater the rewards.
By collaborating via a common security framework like the HITRUST CSF, everyone can handle compliance more effectively… and devote more resources to providing better products, services — and, most importantly — deliver better healthcare.
By Sean Martin, HITRUST Independent Security Journalist