Should BAs Be HITRUST-Certified?Some Covered Entities Requiring Vendors Earn Certification
The Health Information Trust Alliance is touting that a growing number of HIPAA covered entities, including health insurers Anthem Inc., Health Care Services Corp., and Highmark Inc., are requiring their business associates to become certified as compliant with HITRUST's Common Security Framework within 24 months.
Some security experts say the move could make it simpler and more streamlined for covered entities to monitor and vet their business associates as part of a risk management strategy. But others say the HITRUST certification is no guarantee of a solid security strategy. And they point out that organizations can consider several other viable security frameworks.
HITRUST CSF is a common risk and compliance management framework designed for use by any organization that creates, accesses, stores or exchanges personal health and financial information.
Improving BA Monitoring
Health Care Services Corp. decided to require its BAs to earn HITRUST CSF certification so the insurer can better determine that its vendors are taking specific measures to safeguard patient data, says the company's CISO, Ray Biondo.
While HCSC already audits vendors for data security, the process is costly and time-consuming, Biondo says. By requiring all its BAs to obtain HITRUST CSF certification within the next 24 months, the insurer will be able to more cost-effectively assess its BA's efforts, he says.
"Everyone is going to these vendors and asking about their security. Instead of dealing with hundreds of security questionnaires ... let's use common sense and make it easier for the BAs," he says.
Trent Gavazzi, senior vice president and chief technology of Availity, a vendor that provides network services for healthcare providers and insurers, says that if more covered entities require their vendors to earn HITRUST CSF certification, it will "hopefully take away some of the burden of everyone having their 18,000-question security questionnaires." Availity has been CSF certified for several years, he notes.
Business associates are a major culprit in health data breaches. A June 30 snapshot of the Department of Health and Human Services' health data breach tally website indicates that business associates were involved with 277 - or about 22 percent - of the 1,257 breaches impacting 500 or more individuals since September 2009.
Protecting Patient Data
But HITRUST CSF compliance certification, or even HIPAA compliance, don't necessarily guarantee an appropriate security strategy for safeguarding patient data, some security experts caution.
"Anthem is HITRUST-certified, but what did that mean?" asks security expert Mac McMillan, CEO of the consulting firm CynergisTek, referring to the hacking of the insurer, which resulted in a breach impacting nearly 80 million individuals.
"Certification and compliance don't necessary make you secure," he says. "I don't agree with [using] one framework over another. What we want is for folks to recognize a minimum standard for a trusted environment that people need to meet when they connect their health systems."
Allen Briskin, senior counsel of law firm Pillsbury Winthrop Shaw Pittman, points out that in addition to HITRUST, several other organizations offer security governance frameworks. Those include, for example, the National Institute of Standards and Technology and the International Organization for Standardization.
HITRUST points out, however, that its framework "harmonizes and cross-references existing, globally recognized standards, regulations and business requirements, including HIPAA, HITECH, NIST, ISO, PCI, FTC, COBIT and state laws."
Information Security Media Group's recently released 2015 Healthcare Information Security Today Survey found that 53 percent of healthcare organizations use the NIST governance framework as the basis of their information security programs, while 32 percent use a hybrid approach. Some 25 percent said they use the HITRUST CSF framework, while 25 percent use the Information Technology Infrastructure Library. (Respondents could select more than one answer.)
Security expert Tom Walsh, founder of consulting firm tw-Security, believes that covered entities' efforts to require BAs become certified as HITRUST CSF compliant could meet with resistance because many covered entities, themselves, are not certified as compliant.
"As of today, none of my customers are HITRUST certified," he notes. "One large healthcare system with 20 hospitals that I worked with in the past has considered becoming HITRUST certified sometime over the next two years, but nothing yet."
HITRUST declined to provide an estimate of how many covered entities are requiring their BAs to get HITRUST CSF certification. It also would not disclose the total number of organizations, both covered entities and BAs, that have achieved certification so far.
Briskin, the attorney, says covered entities that decide to require that their business associates obtain HITRUST CSF certification don't necessarily need to modify their BA agreements. Instead, they can use the certification as a way to weed out vendors as contracts expire. "You don't need to put this into BAAs. But vendors could voluntarily get the CSF certification as a way to get business," he says.
Attorney Stephen Wu of Silicon Valley Law Group says that while covered entities can try to add CSF certification as a requirement to their BA agreements with third-party vendors, "there's nothing under the law that would require all vendors get this certification." In any case, market pressure could make some BAs acquiesce. "Customers have the money, so they have the clout," Wu notes.
HCHS' Biondo says he expects that certain larger vendors will resist a requirement to obtain HITRUST CSF certification. That's because those vendors' market dominance give them more leeway to pick and choose whether to accommodate specific security demands from particular constituents of clients in specific sectors.
Nevertheless, Microsoft plans to undergo an assessment based on the requirements of the HITRUST CSF for the vendor's Office 365 products. "The HITRUST CSF allows healthcare organizations to gauge their - and their business associates' - information security programs' maturity across a spectrum of assurance levels that go beyond HIPAA level requirements," says Mohamed Ayad, a Microsoft industry specialist for U.S. health and life sciences.
Gavazzi of Availity acknowledges that achieving HITRUST CSF certification won't be easy for many business associates. "A significant majority will not be ready to do this, and will be caught flat-footed," he predicts. That's because many organizations, especially smaller vendors, "don't have the resources to do this," he contends. Not only must organizations meet the CSF requirements, but they also need to be audited by a third-party before they achieve certification, and then they must be recertified every other year, he notes. "The bar gets raised every year," he says.