The term "HIPAA Compliant" is widely used by healthcare organizations and cloud vendors alike. But it raises two questions: what constitutes HIPAA compliance, and is HIPAA compliance enough? While compliance is important to the healthcare industry, there is enough ambiguity in the HIPAA regulation that compliance can be interpreted differently by every vendor, whether the question is the need for data encryption, how log collection and review is managed, or the standards applied to user authorization and authentication. And "HIPAA Compliant" does not necessarily mean the environment is secure. Compliance without the right security is a formula for potential trouble. More specifically, how can you have confidence that your vendor is truly compliant?
The challenge is differentiating a truly HIPAA compliant vendor from those that claim full compliance and security but may not meet the level of compliance healthcare companies expect. This need for consistency, and for an assurance of HIPAA compliance that truly provides a secure computing environment, gave birth to HITRUST.
HITRUST: The Framework
HITRUST (Health Information Trust Alliance) was born out of the belief that information security should be the core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.
HITRUST, in collaboration with leading healthcare, technology and security organizations, established the HITRUST CSF (Common Security Framework). CSF can be used by all organizations to guide them in selecting and implementing the appropriate controls to protect the systems that create, access, store or exchange personal health and financial information. HITRUST provides a process by which companies using the CSF framework can be verified and audited against a common standard.
The HITRUST CSF provides organizations with the needed structure, detail and clarity relating to information security controls tailored to the healthcare industry. The CSF is available through HITRUST Central (https://hitrustalliance.net/hitrust-csf/) or with a subscription to MyCSF, a web-based solution for performing assessments, managing remediation activities, and reporting and tracking compliance.
HITRUST: The Industry Standard
HITRUST is governed by a Board of Directors made up of leaders from across the healthcare industry and supporting business associate companies. These leaders represent the governance of the organization, and they also comprise the leadership that ensures the framework meets the short- and long-term needs of the entire industry.
So, if a healthcare company is considering moving all or part of its IT department to the cloud, and it has been adhering to HIPAA or HITRUST standards internally, what should it consider before moving ePHI data into the cloud? Does HITRUST even certify cloud infrastructures and services? The answer is a resounding YES.
Unlike compliance with HIPAA, FFIEC, and other governmental regulations, which have no official certification per se, HITRUST does offer a certification (CSF Certified) to assure those doing business with a cloud service provider that it is HITRUST compliant. HITRUST is the way to certify and ensure that you are HIPAA compliant. Because HITRUST is built on the ISO 27001 standard and incorporates features from PCI, COBIT, NIST, and FTC, among other standards, the HITRUST certification also provides a strong base for meeting compliance with those standards.
6 reasons why it's important for your cloud provider to be HITRUST certified:
- HITRUST is the highest level of certification that healthcare organizations can trust.
- HITRUST reduces costs and complexity through the adoption of a common set of security objectives and assessment processes.
- HITRUST takes a proactive approach by building a quality, ever-improving security defense, which reduces the need for resources to constantly react to new security requirements or audits.
- The HITRUST CSF (Common Security Framework) is established and accepted within the healthcare community and its business partners.
- Healthcare organizations that support HITRUST guidance and oversight can realize the benefits of a single, complete risk and compliance review.
- Multiple regulations and standards are harmonized across the HITRUST CSF, making it the pinnacle of verified trust.
All of this is important as companies consider moving workloads to the cloud. The key point is that cloud providers ENABLE you to be compliant, but in and of themselves they do not have the environment set up to be compliant. That responsibility rests with the companies looking to adopt the given cloud platform. There is work to be done to make the cloud meet the security and compliance requirements of HIPAA, for example.
So, keep it simple and ask the cloud provider the question: "Are you HITRUST certified?"
About the author
Ed Don, Senior-level Sales & Management Executive at Lumen21, is a senior-level professional with a demonstrated track record of successful business development, strategic/tactical management and a strong, sustainable history of revenue and profitability success. He has cross-functional knowledge of core business processes, including technical services operations and sales, accounting and finance, sales and marketing, and human resource management.