In today's environment, where cybersecurity threats are becoming more and more pervasive, even small healthcare organizations understand that purporting to have comprehensive data privacy and security policies and procedures in place isn't enough. Business partners want more. Regulators demand more. They want implementation and efficacy. They want to know that health and other sensitive data will truly be protected from threats – in actuality.
One way for healthcare businesses to demonstrate a robust and active cybersecurity program is to obtain HITRUST1 certification. It can be a strong advantage to healthcare businesses when marketing capabilities, negotiating contracts and defending regulatory challenges.
During recent years, the healthcare industry has been subjected to devastating cybersecurity attacks. The value of medical information and the lack of cybersecurity maturity in many healthcare organizations has made the industry a target.
Medical information is attractive to potential buyers on the black market for several reasons, including that medical information often contains a social security number and other portions of a medical history that, unlike a credit card, can be very difficult to change. Criminals can sell medical information on the black market for more than a credit card for that reason.
Hackers will continue to target the healthcare industry with ransomware and malware designed to steal, destroy, or hold hostage sensitive information because their attacks have been successful and lucrative. The threats have evolved beyond just stealing personal information, although that continues to happen. Criminals are now also using malicious software called ransomware to hold sensitive information hostage for a ransom or simply to erase or corrupt information for destructive purposes.
These threats stem from criminals finding some type of vulnerability that will enable them to successfully compromise an organization's system and data. For example, the most recent international ransomware epidemics of Wannacry and Petya were taking advantage of a Microsoft vulnerability. Although Microsoft released a patch of that vulnerability prior to either version of the ransomware wreaking havoc throughout the world, many companies are slow to implement such patches.
The healthcare industry needs to make significant improvements in its overall cybersecurity. In the Report on Improving Cybersecurity in the healthcare Industry issued in June 2017, the healthcare Industry Cybersecurity Task Force concluded that " healthcare cybersecurity is a key public health concern that needs immediate and aggressive attention."
The legal and business repercussions of a cybersecurity incident can be disastrous
In Verizon's 2017 Data Breach Investigations Report, the healthcare industry had the second most successful breaches of any industry. The effects of a security breach in the healthcare industry can be particularly devastating, as the estimated cost per record affected by a breach is $355 – 44 percent higher than in the next closest industry, according to the Ponemon Institute's 2016 Cost of Data Breach Study: Global Analysis. In other words, health records are attractive to criminals, the healthcare industry is vulnerable to cyberattacks, and the cost of a healthcare organization recovering from an attack can be significant.
Any type of security threat to a healthcare organization can result in many significant legal and business implications.
For example, HIPAA2 requires notice to the Department of Health and Human Services Office of Civil Rights, affected individuals and sometimes even the media of data breaches including ransomware attacks. In some circumstances, OCR will investigate a breach to determine whether the breached organization was in compliance with HIPAA. The fines issued by OCR for HIPAA violations can be significant.
For example, in 2016, OCR issued a $5.55 million fine to Advocate healthcare for HIPAA violations related to three breaches that occurred over a three month period.
Victimized organizations are also at risk of being subject to lawsuits from patients whose information was compromised. In 2015, Anthem was the victim of a data breach that compromised the information of 78.8 million people. In June 2017, Anthem paid $115 million to settle lawsuits arising from the breach.
Data breaches can also significantly impede an organization's reputation and bottom line. Further, from a very practical perspective, a data breach can stop an organization from being able to provide potentially life-saving medical care.
Obtaining a HITRUST certification could be a smart move
It has never been more important for healthcare organizations to improve their cybersecurity protections, but it can be difficult to determine the best path toward stronger cybersecurity controls. While there are many cybersecurity standards that can help organizations generally improve cybersecurity and demonstrate the strength of their security controls to their business partners, The Health Information Trust Alliance, or HITRUST, is rigorous, tailored for healthcare and is receiving acceptance and recognition within the healthcare industry.
The HITRUST certification process is designed to not only consider HIPAA's legal obligations but to also provide additional guidance and detail about the security controls that organizations can implement to comply with applicable law, maintain reasonable security, and help better ensure the security of its data and systems. The Governance Risk and Compliance (GRC) software that HITRUST built enables organizations to tailor their cybersecurity programs to various regulatory and government requirements, including standards required or suggested by National Institute of Standards and Technology, Centers for Medicare and Medicaid Services, Payment Card Industry Data Security Standard, HIPAA, and state privacy laws.
First, the certification: HITRUST CSF evaluates an organization based upon 19 categories of control requirements, which range in number from the baseline minimum 131 requirements or up to more than 500 total requirements depending on the size, complexity of scope, and regulatory factors impacting an organization. Each control requirement is assessed based on five levels of maturity: (1) policy; (2) process; (3) implemented; (4) measured; and (5) managed. In order to obtain certification an organization has to meet all of the minimum requirements and achieve an overall score of 3+ for each of the control domains.
Second, it is important to understand how an organization is certified. Three parties are involved in an organization receiving a HITRUST Common Security Framework (CSF) certification: (1) the assessed entity, (2) the assessor (third party auditor), and (3) HITRUST Alliance (certification body). An assessor will work with an organization interested in receiving a HITRUST certification and would validate that the organization complies with all of the security requirements. The HITRUST Alliance then evaluates the assessor's analysis and report prior to implementing certification. The HITRUST Alliance provides consistency across all organizations seeking certification and the certification has credibility coming from an independent third party.
In today's cybersecurity environment, it is advisable for healthcare businesses to develop, implement and continuously improve their cybersecurity program. And it is important to have a way to prove that a cybersecurity program is reasonable and complies with HIPAA and any other applicable requirements. A HITRUST certification can help demonstrate the strength of a cybersecurity program to potential customers (as a business associate) or as part of regulatory investigations or civil litigation. If your organization does not have a third-party cybersecurity certification, the time to explore obtaining one is now.
Joe Compton, principal at Skoda Minotti Risk Advisory Services and Kathryn Hickner, co-chair of the healthcare practice group at Ulmer & Berne LLP contributed to this blog post.