I had the privilege of being asked to speak at the HITRUST Annual Conference this week. In addition to being amazed at the quality of leadership this conference attracts, I noticed a few recurring themes:
There are a lot of compliance and regulatory frameworks out there. HITRUST, SOC, ISO 27001, COBIT, NIST, HIPAA, and GDPR are only a few entries in the alphabet soup that is global compliance today. Maintaining separate, current accreditations from all the common compliance bodies is out of reach for all but the largest organizations. Many of the controls are actually common across the various frameworks, but to date it's been difficult to convince each accrediting organization to accept audits from anyone but their own assessors.
This began to change two years ago, when HITRUST and EHNAC announced a streamlined accreditation process designed to allow HITRUST-certified organizations to use their Common Security Framework (CSF) controls toward EHNAC certification. We're seeing more industry focus on mapping controls across frameworks, which simplifies reporting, attestation, and implementation. There's quite a bit more work to be done, but this crosswalk effort has been underway for several years.
In 2015, the HITRUST Alliance reported that over 7,500 healthcare organizations require their vendors to achieve HITRUST certification. This list includes major players such as Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group. This continues today, with last month's announcement that an additional group of providers established the Provider Third Party Risk Management Council and now individually require their vendors to achieve HITRUST certification within two years. With significant providers on board, including Tufts Medical Center, Cleveland Clinic, Allegheny Health Network, and UPMC, it is clear that attesting to a compliance framework is critical for the future of organizations servicing the healthcare industry, and that the HITRUST CSF seems to be establishing itself as the de facto mechanism to do so.
As if the myriad of available compliance frameworks and attestation bodies weren't complicated enough, the emergence of cloud computing in all its various forms, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), makes it even more difficult to attest to a compliance framework, because it introduces the concept of shared responsibility.
In a legacy IT environment, organizations held all their software and data in their own data centers. They had full control over every control domain, including physical, environmental, patch and configuration management, awareness and training, and applications.
The world looks decidedly different today. Office 365 and Google G Suite reign supreme for document management and communication, moving huge swaths of information to outside data centers. SaaS players such as Verge Health and Valant are redefining the boundaries of PHI management, as significant identifiable personal health information is being shared across multiple organizations. The advent of public cloud providers such as Amazon Web Services means that many organizations don't even have data centers anymore, rendering 100% of their PHI under the stewardship of outside organizations.
The industry is grappling with expanding existing compliance frameworks to deal with this new reality of shared responsibility. HITRUST recently launched its HITRUST Shared Responsibility Working Group to provide a prescriptive mechanism for ensuring CSF controls are applied effectively at a macro level across a variety of organizations, with clearly defined responsibilities at a micro level to ensure risk is mitigated in this significantly more complex new world of IT.
I was thrilled to see the level of focus and dedication on ensuring adherence to compliance frameworks is being required across the healthcare industry, on simplifying the mapping across the various frameworks, and on addressing the new reality of shared services. Risk mitigation is becoming increasingly important as our world becomes ever more digital.
Stay tuned while Cloudticity makes some major announcements in the coming months related to helping our clients remain compliant with the HITRUST CSF. In the meantime, visit us on the web, or leverage our free, fully automated HIPAA technical assessment as a great way to chart your path toward HIPAA compliance.