Health IT, MedCity Influencers, Health Tech

Why digital health companies should be HITRUST-certified

HITRUST is a framework for systematically managing digital security far above what HIPAA requires. Its stringency explains both why it can be daunting to implement and why no healthcare company should go without this certification.

When patients walk into a doctor’s office, they place trust in the provider to not only keep their physical body safe, but also to protect their private healthcare information. That sense of security is assured silently in the background, as healthcare IT professionals work tirelessly to protect the digital health landscape.

The healthcare ecosystem consists of a web of organizations that support medical providers, starting with the doctors’ offices and hospitals we all trust to keep our protected health information (PHI) safe. These primary organizations cooperate with a variety of third-party vendors, including digital health companies, to enhance the patient experience.

Third-party vendors are crucial in providing support services to patients everywhere, but not all of these businesses fall under the HIPAA umbrella and not all are obligated to comply with its regulations. In these cases, the primary organization must set the standard for its vendors through contractual language rather than all parties independently laddering up to one universal standard.

While patients may trust their provider, they are often not aware of the larger apparatus undergirding their healthcare experience. This implicit trust should compel health professionals that manage patient data to be proactively vigilant. Within healthcare, there is one gold standard for digital security that any organization can implement to ensure the highest security standards: HITRUST.

HITRUST is a framework for systematically managing digital security far above what HIPAA requires. Its stringency explains both why it can be daunting to implement and why no healthcare company should go without this certification.

More than HIPAA 

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. government to protect the electronic exchange, privacy and security of health information. HIPAA does not, however, provide a mechanism for protecting that information; it merely outlines the standard which should be kept. Without a HIPAA certification process or dedicated enforcement body, this legislation in action is left to interpretation and “HIPAA-compliant” is no more than a subjective statement.

Security-minded organizations recognize the need for standardization and accountability around these guidelines. As a result, an abundance of platforms, processes and regulatory agencies have emerged to secure protected health data. The HITRUST Alliance was formed as a response to this rise in security options with the goal of creating a systematic and comprehensive methodology any company could follow to ensure the security of their data across their organization.

HITRUST (formerly the Health Information Trust Alliance), a privately held organization based in Frisco, Texas, assures companies are compliant with both current and future security benchmarks through what it calls a common security framework (CSF). The HITRUST Alliance offers certification in this framework to differentiate compliant organizations. The robust nature of its methodology has not only made HITRUST CSF certification the industry standard, but it is now required of most primary healthcare organizations.

HITRUST’s importance across the healthcare ecosystem becomes particularly relevant considering recent escalations in cybercrime, especially since the onset of Covid-19. Ransomware attacks on healthcare organizations have specifically risen, with one analysis reporting a global increase of 45% in the healthcare sector since November 2020, compared to only 22% in other sectors. In a health ecosystem increasingly reliant on digital systems, we are more vulnerable than ever to cybercriminals who are either seeking individual data or to hold data for ransom.

HITRUST certification may seem like the obvious way to protect everyone, yet many third-party health companies have not yet adopted it. The answer as to why begins with understanding what it means to be HITRUST-certified.

Benefits of rigor

HITRUST certification is set apart by its rigor. The Alliance is a consortium of cybersecurity expertise that constantly evolves as technology and security threats become more advanced. There are over 150 controls (or requirements) HITRUST evaluates as part of its certification process that need to be maintained and updated regularly for a company to keep certification.

Getting certified

Certification begins with a comprehensive audit that can take months or longer and consists of a revolving door of questions, answers, evidence collection and clarification. Policies and procedures need to be documented and evidence shown for encryption and other security markets for critical covered systems.

HITRUST requirements are associated with categories of focus such as endpoint protection, access control, network protection and auditing and logging. If there are gaps in meeting requirements, a health organization won’t receive a stamp of approval. Anything new must be in place a minimum of 90 days before a control can be met, thus potentially impacting certification and action plans.

Once the audit is complete, gaps in security are identified. A corrective action plan (CAP) must be put in place to proceed with certification. For example, if the auditor identifies that you do not have a documented policy for contractors with minimal access to your server, a plan for creating that policy needs to be established and progress toward the goal reported up as outlined by the CAP.

The audit and the following CAPs are managed by a HITRUST-approved auditor, hired by the company receiving the certification. The HITRUST Alliance performs a quality assurance review of the audit, spot checking the work as needed.

These layers of review ensure a high standard and require a significant amount of time and human effort. And once certification is granted it does not stop; continual maintenance is required, including quarterly reviews of security, ongoing security training across all ranks of employees, and testing of business continuity and disaster recovery plans, to name a few.

There are clear reasons many companies don’t take on HITRUST certification, if not legally required to have it. There are both budgetary and human resource costs that create barriers to entry. But considering the fallout if your company or partners suffer a security breach, the upfront cost seems worth it every time.

Creating better partnerships

In addition to having peace of mind about security itself, there are logistical advantages to being a HITRUST-certified healthcare vendor. For clients of these vendors, particularly pharmaceutical companies, payers and providers, HITRUST is a stamp of approval, signaling the quality of the vendor. Any company that commits to that level of rigor is going to stand by its product and apply the same degree of investment in its services.

HITRUST-certified vendors are easier to onboard and integrate into a client’s workflow. HITRUST reduces the burden of due diligence as certification ensures best practices around digital security. If a partnership requires integrating an electronic health record (EHR), HITRUST simplifies the marriage and eases the workload of the client integrating the new service.

At the end of the day, HITRUST infuses confidence in a potential partnership and helps new programs get to market faster.

It is imperative that digital health companies not only earn the trust of clients and their patients, but proactively hold to the highest standards possible. HITRUST certification helps organizations do exactly that. Without that level of trust, the integrity of the system is at risk.

Photo: Traitov, Getty Images


Avatar photo
Avatar photo

Jim Farrell

Jim Farrell is the Chief Technology Officer at HealthPrize, a digital health company that builds solutions that help patients start and stay on their prescribed medications and improve health outcomes.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers. Click here to find out how.

Shares1
Shares1