HITRUST Certification: Increase in HIPAA Breaches Means Brands Need More from Vendors

If you thought 2016 was a bad year for HIPAA breaches, the data is even more damning for 2017. That’s why understanding the importance of HITRUST Certification, either internally or on the part of your vendor partners, is important.

A new report has found the trend of at least one health care breach per day is not only continuing, but the stakes are getting higher: 41 percent of breaches thus far have been caused by insider human error or insider wrongdoing. In terms of size, though, MPSMentor discovered eleven out of twelve of the biggest, most costly breaches came from outside hackers—and that the number of hacking incidents was up a whopping 82 percent from 2016 (so far). What’s that mean to you? Threats abound, and understanding and prioritizing security and compliance in the cloud have never been more important. Let’s examine the increase in HIPAA breaches and why you should consider HITRUST (Health Information Trust Alliance) certification to protect your data.

But First . . . Why is ePHI So Attractive to Hackers?

What makes electronic protected health information (ePHI) so attractive to hackers? The answer is simple: It’s a goldmine of valuable information. ePHI records don’t just hold data on mental or physical health—they also hold social security numbers, addresses, phone numbers, financial information used in payment for services, and more. Sold on the black market, a slim medical record is reportedly worth up to $3. A full medical record jam-packed with personal info? That one could be worth up to $100, says one data security expert.

HIPAA regulations put safeguards in place to keep ePHI safe—and some companies rightly take it a step further, adding features like additional encryption, intrusion detection, and log monitoring. Some companies opt to work with a HIPAA-compliant third-party IT provider to offset risk, offer support, and provide expertise.

Even with all those safeguards, the frequency and severity of breaches—stemming from both inside and outside organizations—continues to grow. What can help? There’s more than simply more oversight and diligence—there’s HITRUST.

HIPAA and HITRUST

HIPAA regulations have a clear goal, but healthcare providers sometimes cite unclear standards when it comes to different types of data on different types of devices—a problem in an increasingly bring-your-own-device (BYOD) industry such as healthcare. In addition, HIPAA regulations have many optional measures that can confuse or burden providers already struggling with internal HIPAA oversight and expertise.

HITRUST aims to close that gap, not just suggesting additional safeguards over those required by HIPAA, but requiring and monitoring them (see Figure 1). Obtaining a HITRUST certification is a process, as it requires the development of scalable, actionable guidelines and responses to HIPAA and ePHI processes. In addition, obtaining this certification (against the HITRUST CSF) requires a third-party assessment. Managed services providers who understand the importance of HITRUST certification invest a considerable amount of money, time, and resources in obtaining that certification. As a result, these vendors have a demonstrable competitive advantage over others offering similar services. A HITRUST commitment is clearly a customer-centric commitment—and that’s an impressive thing. Take a look below at the differences between an offering providing HIPAA compliance and an offering based on the HITRUST CSF:

Figure 1. Source: OnRamp

While it can be expensive and time-consuming, seeking HITRUST certification benefits companies and managed services providers alike. It can reduce the risk of slip-ups in HIPAA compliance, clearly articulates expectations to team members, and offers peace of mind—an invaluable asset in a time when breaches frequent the news cycle more than we’d like.

That said, not every individual healthcare organization has the time, funds, or expertise to become certified—and they don’t have to, especially not with HITRUST certified third-party vendors ready to step in and make sure their data is secure.

The Bottom Line

If you’re dealing with sensitive ePHI, phoning it in on security and compliance simply won’t cut it. It’s imperative to invest in a HITRUST certification or work with HITRUST certified vendors like our client, OnRamp, a trusted hosting provider that just launched a HITRUST-certified virtual private cloud. If you’re looking for a HITRUST resource, start there.

Do you handle ePHI and HIPAA compliance in-house, or do you use a vendor? If you work with a vendor partner, have you considered the value of working with a HITRUST-certified vendor? Either way, I’m curious what challenges you’ve faced and what safeguards you’ve put in place to make sure you’re protecting your data.

Additional Resources on This Topic

How to Master HIPAA Compliance and Security in the Cloud
HITRUST vs HIPAA: What You Need to Know
The Biggest Healthcare Breaches of 2017 (so far)

Photo Credit: visitbasis Flickr via Compfight cc

Shelly Kramer

Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”
