More and more healthcare organizations are discovering that HITRUST certification is critical to their success. While it’s not mandated, many providers and payers require their vendors be HITRUST certified. Because of the rigor of the process, certification also offers a competitive advantage for organizations that attain it.
Although HIPAA and HITRUST are often used interchangeably, they are different. While everyone talks about HIPAA compliance, there is no HIPAA certification or accrediting body. The HITRUST Common Security Framework provides a comprehensive certification process that makes it easy to meet and manage HIPAA (and other) standards.
However, while HITRUST makes it easier to manage security, the certification process is anything but easy. It can be long and costly and can distract teams from other responsibilities and goals. Choosing the right cloud provider can accelerate the process by up to 50%, reducing your overall cost, including the investment of internal resources.
HIPAA VS. HITRUST
Though related, HIPAA and HITRUST are distinctly different. Following HIPAA regulations does not make you HITRUST certified, and HITRUST certification doesn’t necessarily mean you’re HIPAA compliant.
Every organization doing business in the healthcare industry is aware of the need to follow HIPAA (Health Insurance Portability and Accountability Act) privacy and security regulations. However, while HIPAA rules and regulations specify how patient data, known as Protected Health Information (PHI), can be used and how it should be safeguarded, there is no HIPAA certification.
What is HIPAA?
For any organization in or around healthcare to be considered HIPAA compliant, it simply must attest that it is – that it’s taken the proper measures and put the right security controls in place to protect patient data.
The lack of a certification process and accreditation poses two significant problems:
- Anyone can claim to be HIPAA compliant. While a third-party assessor can validate that current controls and regulations are being met, it’s not required, and there are no officially recognized HIPAA bodies.
- Maintaining HIPAA compliance is incredibly challenging, since there is no accreditation framework updated alongside the ever-evolving HIPAA standards.
The HITRUST Common Security Framework (CSF) provides healthcare organizations a comprehensive, standardized, and certifiable framework for complying with HIPAA and other regulatory standards. It covers 1800 controls across numerous regulatory bodies, including NIST, FTC, SOC 2, GDPR, and ISO/IEC 27000.
What HITRUST CSF Covers
Based on the organization, its technology, and the data it handles, a HITRUST assessor determines which regulations and controls are needed for certification.
HITRUST also makes it easier for organizations to manage ongoing HIPAA compliance. As the standards evolve and change, the HITRUST CSF is updated to reflect those changes. Because HITRUST certification must be renewed every two years – with an intervening mid-cycle mini-assessment that spot-checks continued compliance – certified organizations are assured of always being up to date with current compliance and security standards.
The Benefits Of HITRUST Certification
Organizations often think of HITRUST certification as something they have to do. But because of the significant benefits involved, it should be something they want to do.
HITRUST Protects Your Business
Healthcare organizations and their data are under constant threat –ransomware attacks on healthcare organizations will quadruple by 2020 – in part because the average medical record sells for ten times more than credit card information. And an attack can have devastating consequences – 60% of SMBs that suffer a cyber attack will be out of business within six months.
HITRUST certification ensures you always meet current, comprehensive cybersecurity standards, so you have the controls in place to withstand attacks and prevent a breach.
HITRUST Offers A Competitive Advantage
Achieving HITRUST certification isn’t easy. It’s a high bar, so for businesses that attain it, certification is an appealing differentiator and selling point.
In a security-conscious industry such as healthcare, customers want assurance that the highest security standards are being met and maintained. HITRUST certification provides the highest possible level of trust and peace of mind.
The Challenges Of HITRUST
HITRUST certification is valuable and worth the effort, but like most things of value, it doesn’t come easily. Because of the rigor of its framework, achieving HITRUST certification is challenging.
The path to HITRUST certification is especially difficult for organizations that attempt to handle it in house. HITRUST certification is complex, and it requires deep expertise and experience. For organizations that tackle it themselves, the process usually incurs steep costs, including:
- Time: The certification process, if not guided by experienced HITRUST experts, can take up to two years.
- Resources: Substantial internal resources must be devoted to the process, distracting your team and diverting energy from innovation and growth.
- Price/budget: HITRUST is an investment with immense ROI. However, that investment can balloon when inexperienced teams are charged with leading certification and, invariably, errors occur, timelines are extended, and valuable resources are wasted.
The Cloud Can Accelerate HITRUST Certification
To be clear, there are no shortcuts to HITRUST certification. That’s why it’s so important to the industry and valuable to organizations. However, there are ways to accelerate the certification process while reducing complexity and cost.
One way is to move to the cloud, which allows you to use code to automate infrastructure management and immediately satisfy specific controls tied to HITRUST certification. That can’t be done in a physical data center environment, where those issues have to be addressed manually.
However, not every cloud partner has the ability to create the code necessary for such automation, or do it equally well.
For example, while one partner may be able to automate for 20 controls, another might have code for 200 controls. If your HITRUST certification only needs 400 controls, you’d meet half of the requirements right away by using the second partner’s platform. This can accelerate the certification process by up to 50%, not only shortening your timeline but significantly reducing the cost and resources required.
When choosing a HITRUST cloud partner, look for:
- HITRUST certification
- Years of experience working with healthcare organizations in a cloud environment
- Credentials and accreditations
- Number of clients that have achieved HITRUST
- Number of HITRUST controls the platform satisfies automatically
- Innovations that streamline the HITRUST journey
HITRUST certification is incredibly valuable for organizations within the healthcare industry. Those that achieve certification not only earn a competitive advantage, they enjoy peace of mind knowing they’re meeting the highest possible standards for cybersecurity.
While certification comes with challenges, finding the right cloud partner can drastically reduce the cost, complexity, and timelines associated with HITRUST certification. Being part of an expertly guided, accelerated process enables you to continue to focus on innovation and growth while allowing to get the benefits of HITRUST more quickly.
