Written by HITRUST Independent Security Journalist Sean Martin.
HITRUST 2017 offered a widely-represented panel discussion on the challenges of complying with HIPAA regulations when healthcare organizations interact with partners for which they function as both a Covered Entity (CE) and as a Business Associate (BA). As the group discussed, most organizations in the healthcare sector are both a CE and a BA, depending on which partner they are interacting with at a particular point in the healthcare delivery process.
As will likely come as no surprise to most organizations in the healthcare sector, most operate as both a Covered Entity (CE) and as a Business Associate (BA) with their role defined dynamically by the nature of their business relationship at any moment or point within the healthcare delivery process.
Michael Parisi of HITRUST (standing in the photo above) hosted the panel, on which several healthcare industry experts participated. Sitting from left to right are Darin Clapp (Humana), Lee Penn (PDHI), Deborah Hutchinson (Availity), Bryan Sheehan (United Health Group) Brad Carvellas (Highmark), Daryl Hykel (HMS), and Adam Leko (Datica).
Captured in the article are some of the key points the panel raised when utilizing the HITRUST CSF.
Moving Beyond the Dreaded Questionnaire
The HITRUST CSF, which is supported by the HITRUST CSF Assurance Program, provides organizations with a common approach to managing risk and compliance. There’s also the HITRUST Third Party Assurance Program, which is essentially the application of the HITRUST Assurance Program against the organization’s business associates as a means to streamline the management of third-party risk for the organization’s vendors. The third-party assurance program, in particular, helps healthcare organizations – as a covered entity that work with BAs – by ensuring their partners can demonstrate they have developed acceptable security postures. As noted during the panel, this is particularly helpful for the United Health Group, which has thousands of vendors.
To that point, Sheehan said that assessing once and using that assessment for many compliance audits with partners is critical for the success of the industry. He added that the value of the HITRUST CSF comes from demonstrating to customers that external entities are secure and that the organization is doing business with the right people. By leveraging the HITRUST Third Party Assurance Program, organizations can create a credible, sustainable, and valuable partner network.
Hutchinson added that her organization’s security teams used to spend too much time on questionnaires and assessments. But with the HITRUST CSF, they can now focus on security controls. According to Penn, the HITRUST CSF also offers a way to arm stakeholders to be in a position to make a credible vote for organizations as their selected vendor.
The Dream of Audit Once, Report Many Comes True
Humana is a large entity working with federal and state governments. Clapp, from Humana, discussed how the organization needs to make sure it maintains compliance with NIST Cybersecurity Framework (CsF) standards; in order to gain compliance efficiencies, the organization runs assessment reports for both the NIST CsF and HITRUST CSF at the same time. This saves a lot of resources, time and money for Humana.
Hutchinson emphasized the importance of consolidating multiple frameworks from different groups. With each group working towards the same goal, using just one framework significantly increases the efficiencies across the groups. Leko pointed out that HITRUST is both comprehensive and prescriptive: organizations can map controls to many frameworks and standards. That makes the HITRUST CSF easy to leverage for many compliance efforts.
Building on this assess once and report many efficiency model, Parisi recommended that organizations look across their entire third-party assurance portfolio and remove duplication from other regulations and standards. For example, organizations can map the HITRUST CSF controls to the trust principles of SOC 2® in addition to meeting the HIPAA and NIST CsF requirements.
Implementing Controls Leads to Better Cyber Insurance
Simply reporting on the risk is not enough, of course. The risk must be addressed in some fashion, even if that means accepting it. However, for most organizations that take risk management seriously, risk is often mitigated through the implementation of controls.
As one example, HMS imports their HITRUST CSF controls into its continuous control-monitoring program to make things more control-centric. And Availity leveraged the results of the HITRUST CSF to prove the controls are in place as a means to increase their cyber insurance coverage without any additional effort or cost associated with a typical, dedicated insurance application response. This is impressive because securing additional cyber insurance can sometimes be a lengthy, arduous task.
The HITRUST CSF, in this case, actually made the process much more efficient as Availity provided the underwriter with the HITRUST report showing their security posture. Having this information enabled the underwriter to reduce the assessment timeline from one week to a few hours—and Availity received premium discounts to boot.
For Highmark, using the HITRUST CSF assessment results when renewing its cyber insurance policy, also prompted their premium to go down while they saw their coverage noticeably improve. Carvellas explained how when presenting assessment and security maturity scores, such as those generated by the HITRUST CSF integrated with a SOC 2, underwriters get it—the organization becomes a safe bet.
The investment in the HITRUST CSF thus has a direct line to cost-savings and better coverage. The assessment also pays off in relation to resource allocation. Highly-talented individuals no longer waste time responding to questionnaires.
FURTHER READING ON THIS TOPIC:
Acquiring cybersecurity insurance: Why collaboration is key How to Streamline the Cybersecurity Insurance Process …
Joint Efforts Help Improve Patient Care
As organizations work through the HITRUST CSF and its associated assurance processes, the panel members recommended reviewing the guidance document for how to read the HITRUST CSF Assurance report. It’s also important to not rush. Scope out the project carefully, deciding what to include and exclude, and then treat the HITRUST CSF as an investment with a realization there will be some initial benefits immediately and significant benefits down the road.
Also, be sure to collaborate with your fellow CEs and BAs. Sharing the lessons-learned and the pitfalls-to-avoid will help drive HITRUST CSF certification forward for the entire industry—and that will facilitate joint efforts to ultimately allow the industry to continue to focus on improving patient care.
To find out more about leveraging the HITRUST CSF to create a credible and valuable healthcare partner network, visit https://hitrustalliance.net/understanding-leveraging-csf/.