Third Parties Continue to Pose Significant Risks and Challenges Associated with Safeguarding Health Information
May 8, 2013
Frisco, TX – May 8, 2013 – The Health Information Trust Alliance (HITRUST) is announcing today that leading healthcare organizations will be requiring their business associates to participate in the HITRUST Common Security Framework (CSF) Assurance Program and submit CSF assessment reports as part of their information protection programs.
Recent breach data clearly indicates that third party business partners pose significant risk of data loss to a healthcare organization, often requiring public notification and subsequent reporting to the Department of Health and Human Services and other regulatory agencies. According to HITRUST’s analysis of U.S. healthcare data breaches, business associates accounted for 58 percent of the records breached, and they were implicated in 21 percent of the breaches.1 Additionally, business associates and suppliers struggle with the need to address a multitude of assessment processes utilized by the many healthcare organizations they service, which introduces significant complexities and inefficiencies that can impact the effectiveness of a security program. These redundant assessment processes also increase costs for covered entities, their business associates and the healthcare system as a whole.
Recognizing the significance of the role played by their business associates when it comes to the protection of health information, leading healthcare organizations, including CVS Caremark, Health Care Services Corp., Highmark, Humana, United Health Group and WellPoint, are announcing their commitment to leverage the CSF Assurance Program in their business associate information compliance programs and require the submission of the CSF assessment reports as part of those programs. Many healthcare organizations currently accept the CSF assessment reports, but have not required them. These organizations will now phase in the requirement for the CSF assessment and communicate the new reporting obligations to their business partners.
“We accept the CSF assessment reports from our business partners as well as maintain the capability to support our own approach to conducting third party risk assessments,” said Roy Mellinger, vice president and chief information security officer, WellPoint. “Unfortunately, we’ve found that managing and coordinating two separate approaches adds costs and inefficiencies for us and our partners. What we need is a single integrated approach—such as provided by a CSF assessment, which we can achieve with the right leadership to help coordinate and advance adoption across the healthcare industry, covered entities and business associates alike.”
A business associate or partner can receive hundreds of unique requests a year for some form of information protection assessment or attestation of their security controls, which requires considerable resources in trained personnel and operational dollars. Additionally, the entity requesting the assessment or attestation is burdened with ensuring that the reports are consistent, accurate and timely.
“While there is work to be done to transition existing assessment processes, approaches and agreements to a more uniform model, the benefits to the entire industry in the way of greater information protection compliance, reduced assessment costs and increased efficiencies substantially outweigh the effort required,” said Jon Moore, chief information security officer, Humana.
“As a business associate for many healthcare organizations, we receive numerous requests for information security assessment-related information, much of which consists of varying detail and reporting formats, and it takes up a significant amount of time to respond effectively,” said Kurt Hagerman, director of information security, FireHost. “The CSF Assurance Program, on the other hand, provides the context and uniformity needed to communicate the same information, assurance level and remediation guidance with one assessment and meet all of our customers’ needs.”
The complexities, risks and costs associated with the current processes used by covered entities and their business associates have been widely known for some time; however, no coordinated effort has existed to address these challenges and to adopt, in a meaningful manner, a unified approach to third party assurance.
“Conducting numerous non-standard assessments, which has been the historical approach, creates unnecessary economic burden in healthcare,” said Trent Gavazzi, chief technology officer, Availity. “The HITRUST CSF standardizes healthcare security assessments, which brings a balance to the industry. We value that effort since it complements our mission to make meaningful, sustainable improvements in healthcare.”
The CSF and the CSF Assurance Program offer the only highly flexible implementation and management framework for healthcare information protection by providing a standardized way of scaling and tailoring safeguards based on an organization’s specific risk factors. Organizations also have the ability to implement alternate approaches to address specific threats and vulnerabilities, and employ a standardized methodology for assessment and reporting that is easily understood by both the requesting organization and the business partner being assessed. For more information on the CSF Assurance Program, visit HITRUSTalliance.net/assurance.
“Since the number of combined business associates providing services to these and other healthcare organizations requiring the CSF Assurance Program is in the tens of thousands, we believe the efficiencies and cost-savings they realize will help influence others and provide the momentum needed to improve adoption in the industry,” said Daniel Nutkis, chief executive officer, HITRUST.
The subject of third party information security compliance will be the focus of a Summit being held on May 19, 2013, prior to the start of HITRUST 2013, the annual conference dedicated to educating privacy, security and compliance professionals on the latest and most efficient approaches for protecting health information. Participants at the Summit will discuss the issue of business partner compliance, identify potential approaches, and reach agreement on short- and long-term actions needed to address this growing concern. To learn more about HITRUST 2013 and the Summit, visit HITRUST2013.net.
The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.
1 Source: HITRUST report “A Look Back: U.S. Healthcare Data Breach Trends.” December 2012: hitrustalliance.net/breachreport
All product and company names herein may be trademarks of their respective owners.