Stop the Bleeding: 5 Ways HITRUST Prevents Breaches & Saves Millions
Healthcare data breeches are scary… scarier than you might think. Our health care records contain highly sensitive information, including personal health details and private billing data. And yet, despite how closely guarded this information should be, nearly 17,000 pieces of protected health information (PHI) are breached every day.
That’s just about twelve every minute, meaning there’s been numerous breaches since you started reading. Furthermore, on average, that means over half a million accounts are breached on a monthly basis. Wyoming has a population of just over 580,000, which equates to nearly the entire population of Wyoming in data being lost every month. Healthcare cannot afford to bleed private medical information. Worse yet? The bleeding is getting worse. And it’s costing billions.
Over 90% of major healthcare organizations suffered a data breach within the past two years. You can read the details here. That breaks down to $6.2 billion dollars in damages. 11 million patient records were breached in June of 2016 alone, making it the worst month for information security in an already bad year. Even NFL teams have been victims to health care data breaches, with thousands of players’ records stolen in April of 2016. It’s not just the big guys either. The organizations that are most to susceptible to a criminal attack, unfortunately, are often the least likely to have the resources needed to address cyber threats and keep their patient data safe. That’s not good.
But why is this happening? The reasons are numerous, but here’s a quick summary.
- Information is not secured: 74% of mobile medical devices are not encrypted. Only 21% of BYOD devices are scanned before connecting to a network.
- Users are uneducated. 47% of healthcare providers are not confident in themselves to keep patient data secured, even though over 91% of them use some sort of cloud-based service.
- Technology moves too fast. By the time standards are adapted by providers, new threats will develop and even newer standards will be required. That’s why, despite record losses in 2015, 2016 looks to be even worse.
Simply put, healthcare data breaches are far too common. So how do organizations address the challenge?
Learn more about HITRUST.
Remind me again… what is HITRUST certification?
As we’ve discussed in our previous blog [hyperlink], HITRUST is a comprehensive and verifiable security framework for healthcare organizations. It was developed by healthcare and IT professionals to address risks associated with information security. HITRUST’s (Health Information Trust Alliance) Common Security Framework (CSF) provides a robust and detailed roadmap and features controls necessary for managing the many healthcare information security compliance requirements outlined by state and federals laws as well as other standards and compliance organziations. While HIPAA requirements provide a framework for healthcare security and privacy, HITRUST goes well beyond that by identifying specific business practices, processes, and systems and insures they are implemented through a certified third party that actually goes on-site to investigate, interview, assess, and validate evidence of proper implementation and compliance. There is a big difference between an organization that self-assesses their operations and calls themselves HIPAA compliant vs. an organization that has completed a HITRUST self-assessment, provided evidence of implementation of literally hundreds of requirements, and then had each individual requirement investigated and approved by a certified auditor and ultimately HITRUST.
Do I need HITRUST certification?
It’s not a requirement, but if you are trusting third-parties or vendors with sensitive information you probably don’t want to take any chances. You don’t need a lifejacket every time you get on a boat, and you don’t need a seat belt every time you ride in a car, obviously we know these preventive measures save lives. If you are ever in a situation where you have to respond to a data breach incident, be assured, you won’t want to do it again. With the trends in data security, HITRUST will soon become the industry standard for verifying an organization’s ability to effectively handle sensitive information. Below are five reasons why HITRUST is becoming necessity for healthcare information processing companies.
What are the benefits of HITRUST?
- Prevents data exposures
- Combats against attacks
- Establishes industry-wide reliability
- Promotes transparency
- Builds trust
1. Prevents Data Exposures
When PHI get breached, it’s more than just an invasion of privacy.It costs organizations time, money, and their reputation.Millions of individuals have their personal data compromised each year, resulting in billions of dollars spent on remediation, fines, and penalties
HITRUST ’s robust controls help organization’s identify risks and prevent compliance issues.
2. Combats Against Attacks
The leading cause of data breaches are deliberate, malicious attacks from hackers. Check out this list of breaches affecting 500 or more individuals. Look under “Type of Breach”. See a pattern? These aren’t dumb people, and they capitalize on dumb mistakes.
One of the most prominent tools in a hacker’s arsenal is Ransom-ware, malicious software that blocks access to a computer system or certain elements of a system until a ransom is paid. Just like a typical ransom, even when payment is delivered, a safe return is not guaranteed. Even worse than real-world ransoms? The attacked never has to set foot near the site of the breach. With cyber crime at an all-time high, the use of ransom-ware by hackers increasing, and networks under constant attack, something must be done. HITRUST takes into account the many reasons for breaches and addresses processes and security measures to reduce exposure and risk.
3. Establishes Industry-Wide Reliability
HIPAA is a great foundation. I am sure all of the organization’s that have experienced data breaches were “HIPAA complaint”. HITRUST goes beyond this with a comprehensive security framework that is audited, certified, and verifiable.
4. Promotes Transparency
HITRUST CSF (Comprehensive Security Framework) is a standardized approach for healthcare organizations to follow in mitigating information security risks. When an organization tells another, they are HITRUST certified in the healthcare industry, that entity can be assured of the level of information protection being utilized. The CSF makes it easy for an organization to understand and verify another organization’s stance and status as it relates to healthcare information security.
5. Builds Trust
When it comes to HITRUST, all you need to know is in the name. With media reports of security breaches undermining consumer confidence regarding the handling of PHI, organizations need to know they can trust their vendors, patients need to know they can trust healthcare provides, and members need to know they can trust their insurance companies. HITRUST is not only a means for an organization to insure they are handling information properly but also a way to convey trust to the parties they do business with.
How do I become HITRUST certified?
HITRUST certification is a long, costly, and comprehensive endeavor. While the benefit of HITRUST is to help insure an organization’s stance on information security, it may not be feasible for some organizations to invest in the certification. Depending on the type of organization, it may make more sense to rather rely on vendors that are HITRUST certified. If you are entrusting sensitive information to a third-party how do you really know the information is effectively protected? MailMyStatements is one of the first healthcare and patient billing and payments services to become HITRUST certified, and is trusted by healthcare clients nationwide. To learn more about our services please request a demo today.
Read more at https://mailmystatements.com/
Mr. Hugh Sullivan is considered an industry thought leader and has spoken on numerous occasions at local, regional and national healthcare forums. He is currently a member of the HFMA and ACA International and has served as a board member of WEDI, a nonprofit organization focused on the use of health IT to improve healthcare information exchange.
Hugh has a BS, in Logistics Systems Management, from Colorado Technical University. He enjoys being a husband and father to his wife and three boys as well as occasional round of golf. twitter @hughdsullivan