If you thought 2016 was a bad year for HIPAA breaches, the data for 2017 is even more damning. That's why it matters to understand HITRUST certification, whether you pursue it internally or require it of your vendor partners.
A new report has found that the trend of at least one healthcare breach per day is not only continuing but that the stakes are getting higher: 41 percent of breaches so far this year have been caused by insider human error or insider wrongdoing. In terms of size, though, MPSMentor found that eleven of the twelve biggest, most costly breaches came from outside hackers, and that the number of hacking incidents so far is up a whopping 82 percent from 2016. What does that mean to you? Threats abound, and understanding and prioritizing security and compliance in the cloud have never been more important. Let's examine the increase in HIPAA breaches and why you should consider HITRUST (Health Information Trust Alliance) certification to protect your data.
But First . . . Why is ePHI So Attractive to Hackers?
What makes electronic protected health information (ePHI) so attractive to hackers? The answer is simple: it is a goldmine of valuable information. ePHI records don't just hold data on mental or physical health; they also hold Social Security numbers, addresses, phone numbers, financial information used to pay for services, and more. Sold on the black market, a slim medical record is reportedly worth up to $3. A full medical record packed with personal information? That one could be worth up to $100, according to one data security expert.
HIPAA regulations put safeguards in place to keep ePHI safe, and some companies rightly take it a step further, adding controls such as additional encryption, intrusion detection, and log monitoring. Some companies opt to work with a HIPAA-compliant third-party IT provider to offset risk, get support, and gain expertise.
Even with all those safeguards, the frequency and severity of breaches, stemming from both inside and outside organizations, continue to grow. What can help? Beyond simply more oversight and diligence, there is HITRUST.
HIPAA and HITRUST
HIPAA regulations have a clear goal, but healthcare providers sometimes cite unclear standards when it comes to different types of data on different types of devices, a problem in an increasingly bring-your-own-device (BYOD) industry such as healthcare. In addition, many of the HIPAA Security Rule's implementation specifications are "addressable" rather than required, which leaves providers already struggling with internal HIPAA oversight and expertise to decide for themselves what is reasonable and appropriate and to document why.
HITRUST aims to close that gap, not just suggesting additional safeguards beyond those required by HIPAA but requiring and monitoring them (see Figure 1). Obtaining HITRUST certification is a process: it requires developing scalable, actionable guidelines and responses covering HIPAA and ePHI processes, and certification against the HITRUST Common Security Framework (CSF) requires a third-party assessment. Managed services providers who understand the importance of HITRUST certification invest considerable money, time, and resources in obtaining it. As a result, these vendors have a demonstrable competitive advantage over others offering similar services. A HITRUST commitment is clearly a customer-centric commitment, and that's an impressive thing. Take a look below at the differences between an offering providing HIPAA compliance and an offering based on the HITRUST CSF:
Figure 1. Source: OnRamp
While it can be expensive and time-consuming, seeking HITRUST certification benefits companies and managed services providers alike. It can reduce the risk of slip-ups in HIPAA compliance, clearly articulates expectations to team members, and offers peace of mind, an invaluable asset at a time when breaches appear in the news cycle more often than we'd like.
That said, not every healthcare organization has the time, funds, or expertise to become certified, and they don't have to, especially with HITRUST-certified third-party vendors ready to step in and make sure their data is secure.
The Bottom Line
If you're dealing with sensitive ePHI, phoning it in on security and compliance simply won't cut it. It's imperative to invest in HITRUST certification or to work with HITRUST-certified vendors like our client, OnRamp, a trusted hosting provider that just launched a HITRUST-certified virtual private cloud. If you're looking for a HITRUST resource, start there.
Do you handle ePHI and HIPAA compliance in-house, or do you use a vendor? If you work with a vendor partner, have you considered the value of working with a HITRUST-certified vendor? Either way, I'm curious what challenges you've faced and what safeguards you've put in place to make sure you're protecting your data.
Additional Resources on This Topic
Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”