Today's risk management reality
Serving the healthcare industry can be a double-edged sword. On the one hand, healthcare vendors have the privilege to participate in something that actually makes the world a better place - helping people lead healthier lives, and helping them get better when they're sick. On the other hand, the healthcare industry rightfully comes with a significant responsibility toward privacy, security, and governance. Vendors are saddled with filling in yet another 250-line Excel security questionnaire every time they want to be considered for a new project, and often have to execute multiple assessments for various regulatory frameworks such as HIPAA, SOC 2, the NIST Cybersecurity Framework, and MARS-E, to name just a few.
In June 2015, some of the biggest health insurance payers announced they would require all their vendors to be HITRUST Certified within two years. Suddenly, 7,500 companies had a new compliance framework they needed to implement and maintain, with external audits required on an ongoing basis. On the surface, this may have initially appeared to be a burden - additional bureaucracy on top of already having to comply with HIPAA and HITECH regulations. However, it quickly became clear that HITRUST Certification, with its Common Security Framework (CSF), effectively replaced a patchwork of one-off assessments, allowing simple mapping to most existing regulatory frameworks.
In short, within two years, the entire healthcare industry became more compliant using a common and standard format. This equalized the field as well, allowing payers to compare their vendors using standardized measures. As a result, forward-thinking organizations such as Anthem, Health Care Services Corp., Highmark, Humana, and UnitedHealth Group drove lower risk and higher patient privacy with their HITRUST Certification requirement.
Recently, the healthcare provider industry made a similar announcement, effectively requiring HITRUST Certification to be a business associate as of September 2018. Major providers such as Allegheny Health Network, Cleveland Clinic, Tufts Medical Center, and The Mayo Clinic have banded together to form the Provider Third-Party Risk Management Initiative, with the HITRUST CSF at its center.
The challenge of modern solutions
Developing technology solutions has become simpler with the advent of cloud computing, but also more complex, because solutions today tend to involve several companies' software-as-a-service offerings woven together. In developing a patient portal, for example, a provider may use Amazon Web Services (AWS) for cloud hosting, Stripe for accepting payments, AppointmentPlus for scheduling, RevelHealth for patient communication, CloudFlare for content distribution, and so on. With modern healthcare technology applications composed of so many vendors, it becomes challenging to ensure that each vendor takes part in a shared responsibility model so that the overall solution covers all bases of risk.
HITRUST recently announced the Shared Responsibility Program, along with a working group to address these complexities. I am pleased to serve on this committee, along with my colleague, Thomas Zinn. Stay tuned for future information as the group's work progresses.
A modern approach to HITRUST Certification
In order to help the thousands of organizations that now need to become HITRUST Certified, Cloudticity recently announced a joint venture with HITRUST Assessor BEYOND LLC to provide an end-to-end path toward HITRUST Certification for business associates deploying solutions to AWS. By combining the Cloudticity Oxygen™ managed services platform with BEYOND's consulting and assessor services, healthcare payers, providers, and vendors have a prescriptive, accelerated journey to HITRUST Certification, resulting in lower cost, faster certification, and reduced ongoing governance requirements, as Cloudticity Oxygen maps to many of the HITRUST CSF technical controls.
HITRUST is clearly here to stay, ultimately resulting in improved patient privacy, lower risk, and simpler compliance with a variety of regulatory frameworks.