Recently, I was surprised to see a handful of online posts from vendors and consultants about HITRUST, voicing opinions that don't quite match up with my understanding and experiences. The questions raised and inaccurate claims made showed me that there's still a lot of misinformation and misunderstanding about HITRUST.
To understand where we are today, it's important to know where HITRUST came from. After HIPAA was passed into law in 1996, the following decade or so was a confusing, disorganized morass in which the HIPAA Security Rule did not provide prescriptive measures for covered entities (CE) and business associates (BA). Basically, these organizations were given the flexibility to implement comprehensive information security programs and analyze their own levels of risk — something many healthcare organizations had no experience with, so even those who did have programs had ones that were significantly less robust than they needed.
In 2007, leaders within the healthcare field — including CIOs, security and privacy officers from leading healthcare providers, insurers and vendors — came together to solve this problem. HITRUST initially developed an information security framework with the intentions of creating an industry standard, including control baselines so an organization could make their own choice based on their unique needs. Originally referred to as the HITRUST Common Security Framework (CSF), the CSF was developed specifically for healthcare — designed to be scalable, customizable and capable of providing certifiable risk assurances.
Today, the HITRUST CSF is the most widely adopted information privacy and security risk management framework among healthcare organizations in the United States. In addition, many organizations outside of the U.S. have also implemented the HITRUST CSF.
Naturally, there are always questions and concerns about paradigm-shifting approaches — especially when it concerns information security and privacy. Every day seems to bring more risk and news stories about hacks and breaches. So it makes complete sense for a group of experts to lead the charge and collaboratively build a security framework that can benefit the entire industry.
With that said, here are a few of the issues that I saw being discussed online — and my take on them:
Misconception #1: The HITRUST approach is too expensive — costing excessive money, time and resources.
Some people forget how things used to be — when "doing it yourself" was expensive and time-consuming, usually with poor results. While a company usually starts with an inexpensive HITRUST self-assessment, that's just the first step.
The costs of a HITRUST-validated assessment are commensurate with a third-party assessment; and if you perform a comprehensive assessment of any type, the costs should be roughly equivalent. Although in many cases, the overall information privacy and security assessment costs can be substantially less because of the assess-once, report-many approach supported by the HITRUST CSF Assurance program. The alignment between the HITRUST CSF and CSF Assurance programs allows a single CSF Assessment report to support multiple objectives (such as a HIPAA risk assessment or an assessment against the NIST Cybersecurity Framework), and this same report can be accepted by multiple external parties (business partners, government agencies, etc.) — reducing the costs associated with multiple assessments.
In addition, a HITRUST CSF assessment will identify which controls will be evaluated and provide illustrative assessment procedures, which allow for better preparation — and potentially reducing costs. In addition, an organization can get a HITRUST CSF Validated report and a SOC 2 report based on one assessment, making the costs substantially less than doing two separate assessments.
Of course, determining the ultimate value of a HITRUST CSF Assessment centers on the peace of mind found after going through the process — and knowing that a breach can cost millions of dollars. Also, what are the other options that would be comprehensive, relevant and consistent, while offering the needed transparency?
Comparatively, the costs of the HITRUST approach are negligible. It might seem reductive to say, but the age-old question must be considered: "How much are you willing to spend for peace of mind?" Of course, more bottom-line-focused professionals simply have to look at the return on investment (ROI) to see the true value.
Misconception #2: It's unnecessarily burdensome to implement the HITRUST methodology.
As I mentioned above, the "old way" of establishing your own information security program was both undirected and cumbersome, costing tremendous amounts of time and money. To be sure, implementing the HITRUST CSF at my company took effort.
But all of us at Datica understand the importance of comprehensive risk management, and chose HITRUST to help us train for a higher level of information security and create the optimal organizational structure.
While the assessment required significant time and resources to complete, the ability to satisfy multiple assessment and reporting requirements saved us both time and money in the long run. (Based on our experience, we also recommend designating a team member as the internal subject matter expert.) We truly believe it's more than worth the effort.
One of my esteemed colleagues, Lee Penn, is the CFO and Chief Compliance Officer at PDHI — a SaaS company that develops and distributes the ConXus Platform for delivering workplace wellness and population health management programs. Lee — also a member of the HITRUST Business Associate Council — noted that his company had a similar experience to ours. He said that while it was time and resource-intensive — particularly so, as it was the first third-party attestation that PDHI had ever sought — they're a better company, with a more effective information privacy and security program for having made the effort to achieve certification under the HITRUST CSF. It's now part of the PDHI culture — and the resources they now save by not having to undergo repetitive assessments easily offsets the ongoing costs of maintaining the certification — while heightening PDHI's trustworthiness to its clients.
While other methodologies use a simplistic and non-prescriptive "red/yellow/green stoplight" and costly, unique questionnaires — which most would agree provided too much wiggle room with compliance — HITRUST's more sophisticated scoring model provides better accuracy and precision than a checklist approach, and subsequently better assurances about the state of an organization's information protection, whether for use internally or by a third party.
Misconception #3: The results and efficacy of the HITRUST approach are questionable.
Quite simply, nobody else reaches the level of quality assurance for third-party assessments as those conducted by HITRUST Assessors. And organizations now have over 50 assessors (a number that continues to grow) to choose from, so users can "shop around" and take advantage of free market dynamics to find one that meets their specific needs.
I was recently speaking with Pamela Arora — senior vice president and chief information officer at Children's Health in Dallas — who has seen the same benefits from her organization's efforts as my own company. She observed that with the threat landscape continuously evolving, we must continue work to ensure our security programs protect patient and organizational data from end to end, because you're only as strong as your weakest link. Protecting data, she noted, is one of their highest priorities; therefore, if a partner goes through the third-party certification with HITRUST, they're able to be more confident that the organization's security posture is not eroded, since they know the partners also meet CSF security requirements.
Pamela recognizes that challenges exist. In some instances, an organization's culture may initially be resistant to pursuing certification, but with continued encouragement from the industry — and demonstration of the value in CSF certification — they're confident that potential resistance will ultimately melt away.
Clearly, the widespread adoption of the HITRUST CSF — which is used for everything from a "best practices" reference to the basis for a certifiable information protection program — demonstrates that the HITRUST approach works. If that's not enough evidence, a recent review by Allied World U.S. stated that "organizations that had obtained a HITRUST CSF Certification posed lower cyber-related risks than those organizations that have not."
Misconception #4: Making HITRUST certification a requirement is unfair.
This complaint really confuses me — and I'm a vendor. There are many good reasons why organizations are requiring a HITRUST CSF certification of their business associates, and most of them positively benefit the business associates. Covered entities have been expanding and enhancing their information protection since passage of the HITECH ACT — a trend which has only been exacerbated by recent statistics on 3rd party-related breaches.
The result has been an increase in the number of requests for assessments or other forms of assurance — which are often different from one covered entity to another, and subsequently add cost and complexity to the healthcare system. Fortunately, this trend has been recognized by a growing number of covered entities, who have seen resources distracted from their own information protection programs to perform and evaluate assessments of their vendors and other business associates.
For organizations that have a strong information privacy and security program, undergoing a HITRUST CSF assessment is not a difficult process — and those that aren't committed to stronger privacy and security were not going to hide from a comprehensive assessment regardless. This way, they have a smart option that can be used more broadly across the industry. In fact, that's one of the roles of the HITRUST Business Associate Council — to ensure that vendors are fully engaging in the process and working more broadly with the industry (and even across industries) to ensure the HITRUST CSF Assessment reports are accepted.
The bottom line: Together, we can make things better.
Building industry consensus on information protection methodologies and standards is what the HITRUST Alliance is all about. It takes experienced, respected professionals to lead the way for improvements in any industry, and healthcare is no different. Professionals from every corner of the industry have provided — and continue to provide — their valuable time and insight. HITRUST welcomes active participation in its committees and working groups, and constructive feedback through its comment process from anyone in the field who would like to share their ideas for the betterment of us all.
The truth is that we're all in this together, and our common goal is the common good — protecting individually identifiable healthcare information. At every level, our industry has to embrace the shift to digital management of healthcare information, understand the risks involved in this change, and take appropriate steps to manage them. By working together, we can all focus on creating practical, reliable ways to improve security and minimize risk. In my view, HITRUST has taken a leading role in improving the state of information protection in the healthcare industry and is doing so efficiently and effectively.