As life becomes more and more digitized, a great deal of our private and sensitive information now exists online.
You know who else has access to the internet? Everyone.
This means that, though we’re told our information is secured, we’re storing it in a place more people have access to. Sure, your information may be locked in a safe, but that safe is being placed in the middle of a safe cracking store. Fact is, your digital information is more vulnerable than ever before. In a survey of 619 compliance, privacy, or IT security organizations (you know, the companies that should be the MOST secure), 52% of them had experienced a data breach of some sort.
Let’s simplify that… the odds of you correctly predicting a coin flip are less than a security organization having been victim to a data hack.
That’s not great.
There were over 112 million records stolen in 2015, affecting over one million individuals. In fact, since 2010, five of the eight largest healthcare breaches happened in 2015 alone. And 2016 is looking to be even worse. Much worse. In fact, there have been so many noteworthy hacks that we wrote an entire blog [hyperlink] on them. Let’s call this the Dark Ages of information breaches.
Fortunately, this era of private information being anything but will soon be ancient history, much like the Dark Ages themselves. The Renaissance is coming, and its heralded by HITRUST.
HITRUST? What is HITRUST?
As we’ve covered in a previous blog [hyperlink], HITRUST is digital security on steroids. Developed by healthcare and IT professionals, HITRUST’s (Health Information Trust Alliance) Common Security Framework (CSF) provides the most efficient set of rules, regulations, and practices ever developed to keep private health care information secured. With a detailed road-map and robust controls, all parties involved, from healthcare organizations to business associates such as vendors or billing outsourcing, not only have the understanding they need to manage the many healthcare information security compliance requirements, but also have the tools they need to fulfill them. A step above HIPAA’s standard security framework, HITRUST provides a comprehensive information security infrastructure and benchmark capable of managing multiple healthcare regulatory compliance requirements.
Boiled down? It stops these breaches from happening by acting as a sword and shield alike, giving armor where it is most needed while also providing a means to effectively defend itself.
HITRUST is more than a paradigm-shifting security standard, however. It’s actually changed the way the industry thinks, discusses, and deals the issues at hand. One of the biggest things that HITRUST has done for healthcare is create a dialogue and establish an effective forum by which to address, manage, and solve the complexities involved in protecting private health information (PHI). And, with the Summer of 2016 racking up some of the highest volume of breaches to date (over 20 million patient records were compromised — to include an NFL team’s info), HITRUST’s services and programs are more than welcome, and desperately needed.
These standards are not commandments scrawled in stone that cannot change, but a living, breathing ideal that adapts to the world and threats around it. It’s this malleability that makes HITRUST so powerful. It’s much more than talk, as well. In fact, it has already made constructive, tangible improvements to the healthcare industry as a whole with more changes on the horizon. Like what, you ask? Well…
8 Ways HITRUST
A presentation by granteffinger created with Haiku Deck, free presentation software that is simple, beautiful, and fun.
Newer, Better Rules for a Newer, Better Game
HITRUST developed the most comprehensive CSF ever conceived by which any entity that creates, accesses, stores, or exchanges personal health and financial information can manage risk and the breadth of compliance standards specific to the handling of healthcare data. This isn’t just for healthcare organizations, either, but every single company that works with them and handles this information. And since upwards of 30% of patient data breaches involve third-party associates, casting a net over the entire industry instead of simply one brand or vertical is more vital now than ever before. Security professionals, technology infrastructure, pharmacies, payment companies, IT networks and more… they’re all playing by the same rules.
Making an All-Star Team
Ask the Miami Heat: Sometimes, you just need some all-stars to make things happen. HITRUST partnered with the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS) to take a more active role in the fight against and managing of cybersecurity threats. This is the first partnership of its kind and is centered around the exchange of cyber threat indicators, stopping potential breaches before they occur.
One way they did this is through the establishment of the HITRUST Cyber Threat Intelligence and Incident Coordination Center — the most active cyber center in the health industry. Through information sharing agreements with HHS and DHS, HITRUST can identify industry specific cyber threat intelligence and coordinate industry incident responses to security breaches. Remember “Minority Report”, how crime was stopped before it even happened? The Cyber Threat Intelligence and Incident Coordination Center is just like that, minus the people floating in pods of water.
Building a Better Machine
HITRUST didn’t just invent the best process of safer health information exchanges. It wrote the manual AND trained the referees that keep the rules in place. The HITRUST Cyber Threat XChange (CTX) automates the process of collecting and analyzing cyber threats and distributes electronically formatted actionable indicators that companies of all sizes can employ to improve their cyber defenses. From malware and phishing protection to seeking suspicious domains masquerading as legitimate healthcare organizations, CTX helps protect the integrity of the electronic platforms that manage your personal information.
Open to Suggestions
According to nearly every LinkedIn article ever written, you should never stop asking questions. Just because HITRUST has built the most secure and all-encompassing information security platform ever doesn’t mean they know everything. In fact, they actively look to the industry at large for assistance. The Enhanced IOC Collection Program allows healthcare organizations of any size to anonymously contribute to the CTX and garner threat information and IOCs from the CTX with an approved Breach Detection System. It’s like a Neighborhood Watch that protects what’s on your medical chart. This community defense approach promotes a greater awareness of cyber-security threats to the healthcare industry and provides a more efficient way to disseminate threat information rapidly.
Helping the Little Guys
Realizing that healthcare cyber threats are not specific to larger organizations, HITRUST has helped small healthcare establishments, those with less than 75 employees, create and implement cyber-security plans that would be too expensive or otherwise impossible to implement beforehand. The solution, called CyberAid, addresses the growing cyber risks to healthcare and its protected information by providing smaller brands with cost-effective cyber security solutions.
Getting in the Know
You’ve heard the saying: Knowing is Half the Battle. That’s why HITRUST is dedicated to providing as much information as they can, helping others be prepared and able to identify possible data leaks. These quarterly Cyber Threat Briefings (webinars) better educate and inform health organizations on relevant cyber threat information. Additionally, HITRUST offers a monthly cyber threat report that discusses the latest industry specific threats, best practices for cyber defense and response, and techniques on how to identify early warning Indicators of Compromise (IOC) that can warn of an imminent breach. If the pen is mightier than the sword, than knowledge must be twice as sharp.
Playing with Live Ammo
It’s one thing to read about how to swim. It’s another thing entirely to be thrown into the deep end of a pool with someone yelling “SHARK!” It may not be pleasant, sure, but we learn better by doing. Further emphasizing their dedication to healthcare cyber-security, HITRUST partnered with HHS to sponsor industry-wide security exercises for the purpose of improving preparedness and responses to cyber-attacks intended to disrupt the nation’s healthcare operations. This way, if a breach does happen, we’ll be more readily able to handle it in an efficient manner.
More important than anything, HITRUST is in place to keep private information private. Being the victim of a health care breach can haunt a patient for the rest of their lives, as information included in records can contain incorrect information that may lead to an improper diagnosis or treatment, not to mention the headaches involved with identity theft in general. Yes, breaches are a nuisance for healthcare organizations, but it can ruin the lives of patients. Everything listed above is important, but perhaps more than anything else, HITRUST ensures that patients’ ailments are treated when they receive car, not exacerbated with additional problems.
These steps are just the beginning. With one in four cyber security attacks targeting the healthcare industry, HITRUST’s continued research, study, and innovation is not only helping protect your healthcare information, it is leading the way in how to protect it. Soon, HITRUST will become the standard in healthcare information security, as it already has in Texas. The Dark Ages will soon be behind us. If you want to protect your sensitive information for yourselves and your users, contact MailMyStatements today. A HITRUST certified organization, our billing solutions and patient statement services will help you save money, time, and more. Give us a call today and let us tell you how we can make your processes safer.
Read more at https://mailmystatements.com/
Mr. Hugh Sullivan is considered an industry thought leader and has spoken on numerous occasions at local, regional and national healthcare forums. He is currently a member of the HFMA and ACA International and has served as a board member of WEDI, a nonprofit organization focused on the use of health IT to improve healthcare information exchange.
Hugh has a BS, in Logistics Systems Management, from Colorado Technical University. He enjoys being a husband and father to his wife and three boys as well as occasional round of golf.