The Health Information Trust Alliance (HITRUST) is touting that an increasing number of health care organizations will require their business associates to obtain its CSF Certification within the next 24 months. The health care consortium developed the Common Security Framework (CSF) to address the multitude of security, privacy and regulatory challenges that health care organizations face, including compliance with HIPAA, HITECH, credit-card processing, and state rules and regulations.

Anthem, Health Care Services Corp. (HCSC), Highmark, Humana and UnitedHealth Group are among the health care organizations requiring the certification from their roughly 7,500 business associates.

The HIPAA Omnibus Rule now covers health care business associates, the downstream vendors and partners that handle protected health information, and requires hospitals, physicians and other covered entities to ensure that those third parties remain diligent in their data security efforts. HIPAA sets penalties of up to $1.5 million per violation.

The HHS Office of Civil Rights, which enforces HIPAA compliance, will include business associates in its upcoming second round of compliance audits.

The CSF Assurance Program claims to be the only framework built to provide scalable security requirements based on the different risks and exposures of organizations in the health care industry, and to make security manageable by prioritizing one-third of the controls in the CSF as a starting point for organizations.

Standardized Controls and Vendor Security

The certification will provide outside assurance to covered entities, but it will also be a plus for vendor partners, according to Ray Biondo, chief information security officer at HCSC, the largest customer-owned health insurance company in the United States.

"I want to make sure as an industry we don’t all go out and try to get minimum security requirements from each of these vendors and do it separately because it drives up costs for all of us, it’s inconsistent and it’s getting the vendors themselves bent out of shape," he said. "Every time they try to sell their product or implement their solution to us or anybody else, they have to go through the same process over and over again. It’s very cumbersome."

Adding some standardization to the process as an industry "will guarantee me that you’re at least meeting a minimum level of maturity with these common controls to protect your organization from a security breach," he said. "These controls will not stop a hacker if they really want to get in, but if you can demonstrate you’re at least taking the necessary steps to increase your maturity level, our comfort level with doing business with you will greatly improve."

Without such standards, he said, his company has to audit each vendor individually.

"We’re in an awkward position. A lot of the companies that give us these solutions are as open to attack as anybody else, so it’s not just health care, it’s even the security suppliers. As an industry, we have to rally together to protect ourselves. I think this is the fastest, most efficient way to move that forward," he said.

Even amid the growing prevalence of health care breaches, however, he said business associates are pushing back on making the certification mandatory.

Managing the security practices of business associates is a lot like herding cats. Add in a few offshore outsourcers who handle tasks such as medical transcription, coding and billing, and the scenario becomes even more complicated. Tennessee-based Cogent Healthcare learned that the hard way in 2013, when a firewall outage at an India-based transcription service exposed information on 32,000 patients.

Health IT and Cybersecurity

HITRUST is focused on improving cybersecurity in health care and did more than 10,000 CSF assessments in 2014. In addition, HITRUST has worked with the U.S. Department of Health and Human Services on cyber attack simulations called CyberRX and a cyber threat early warning system known as Cyber Threat XChange (CTX).

HITRUST CEO Daniel Nutkis said in an interview earlier this year that a major issue in the industry is how varied health care organizations are in their security preparedness.

"We’ve got organizations that are relatively immature with regard to their controls and they’re still focusing on perimeter defenses, DLP and, in some cases, just endpoint security. Then we’ve got other organizations that are now looking at much more sophisticated things like privileged management. We’ve also got others in the middle that are looking at the access control and authentication," he said in the interview.

The CSF program has its detractors, however.

CSF Shortcomings

Gib Sorebo, chief cybersecurity technologist for security vendor Leidos, criticizes the framework approach as unwieldy, causing organizations to lose focus on their most important controls. He raises concern about the possibility of the CSF certification becoming mandatory – the state of Texas is using it – and worries that organizations will seek to use the certification as safe harbor in the event of a cybersecurity breach rather than focusing on breach prevention.

"The reality is that any cybersecurity framework, when used for compliance purposes, inevitably forces organizations into a checkbox mentality that discourages innovation, causes wasteful spending and increases cybersecurity risk," he writes.