The Health Information Trust Alliance (HITRUST) is touting that an increasing number of health care organizations will require their business associates to obtain its CSF Certification within the next 24 months. The health care consortium developed the Common Security Framework (CSF) to address the multitude of security, privacy and regulatory challenges that health care organizations face, including compliance with HIPAA, HITECH, credit-card processing, and state rules and regulations.
Anthem, Health Care Services Corp. (HCSC), Highmark, Humana and UnitedHealth Group are among the health care organizations requiring the certification from their roughly 7,500 business associates.
The HIPAA Omnibus Rule now covers health care business associates, the downstream vendors and partners that deal with protected health information – and requires hospitals, physicians and other covered entities to ensure that those third parties remain diligent in their data security efforts. HIPAA sets penalties of up to $1.5 million per violation.
The HHS Office of Civil Rights, which enforces HIPAA compliance, will include business associates in its upcoming second round of compliance audits.
The CSF Assurance Program claims to be the only framework built to provide scalable security requirements based on the different risks and exposures of organizations in the health care industry, and to make security manageable by prioritizing one-third of the controls in the CSF as a starting point for organizations.
Standardized Controls and Vendor Security
The certification will provide outside assurance to covered entities, but also be a plus for vendor partners, according to Ray Biondo, chief information security officer at HCSC, the largest customer-owned health insurance company in the United States.
"I want to make sure as an industry we don’t all go out and try to get minimum security requirements from each of these vendors and do it separately because it drives up costs for all of us, it’s inconsistent and it’s getting the vendors themselves bent out of shape," he said. "Every time they try to sell their product or implement their solution to us or anybody else, they have to go through the same process over and over again. It’s very cumbersome."
Adding some standardization to the process as an industry "will guarantee me that you’re at least meeting a minimum level of maturity with these common controls to protect your organization from a security breach," he said. "These controls will not stop a hacker if they really want to get in, but if you can demonstrate you’re at least taking the necessary steps to increase your maturity level, our comfort level with doing business with you will greatly improve."
Without such standards, he said, his company has to audit them individually.
"We’re in an awkward position. A lot of the companies that give us these solutions are as open to attack as anybody else, so it’s not just health care, it’s even the security suppliers. As an industry, we have to rally together to protect ourselves. I think this is the fastest, most efficient way to move that forward," he said.
Even amid the growing prevalence of health care breaches, however, he said business associates are pushing back on making the certification mandatory.
Managing the security practices of business associates is a lot like herding cats. Add in a few offshore outsourcers who handle tasks such as medical transcription, coding and billing, and the scenario becomes even more complicated. Tennessee-based Cogent Healthcare learned that the hard way in 2013 when information was exposed on 32,000 patients when the firewall was down at an India-based transcription service.
Health IT and Cybersecurity
HITRUST is focused on improving cybersecurity in health care and did more than 10,000 CSF assessments in 2014. In addition, HITRUST has worked with the U.S. Department of Health and Human Services on cyber attack simulations called CyberRX and a cyber threat early warning system known as Cyber Threat XChange (CTX).
HITRUST CEO Daniel Nutkis said in an interview earlier this year with HealthITSecurity.com that a major issue in the industry is how varied health care organizations are in their security preparedness.
"We’ve got organizations that are relatively immature with regard to their controls and they’re still focusing on perimeter defenses, DLP and, in some cases, just end point security. Then we’ve got other organizations that are now looking at much more sophisticated things like privileged management. We’ve also got others in the middle that are looking at the access control and authentication," he said in the interview.
The CSF program has its detractors, however.
Gib Sorebo, chief cybersecurity technologist for security vendor Leidos, criticizes the framework approach as unwieldy, causing organizations to lose focus on their most important controls. He raises concern about the possibility of the CSF certification becoming mandatory – the state of Texas is using it – and worries that organizations will seek to use the certification as safe harbor in the event of a cybersecurity breach rather than focusing on breach prevention.
"The reality is that any cybersecurity framework, when used for compliance purposes, inevitably forces organizations into a checkbox mentality that discourages innovation, causes wasteful spending and increases cybersecurity risk," he writes.
Mac McMillan, CEO of health IT consultancy CynergisTek and current chair of the HIMSS Privacy and Security Policy Task Force, has long warned that health care organizations are too focused on regulatory compliance rather than effective security practices.
"There’s no reason you can’t address protecting PHI from a security perspective with compliance a byproduct of doing that," he said.
He sees the CSF program as just another framework, and one of the key issues is adoption.
"This HITRUST thing will help the industry only if the industry adopts it across the board. If some people use it and others don’t, you’re back where you started. If they’re all using it, are they all applying it in the same way? Are they applying it with the same basic level of understanding of what the control ought to be? Or is it still loosely open to interpretation?" he said.
"It’s not that you have a framework; it’s how you apply the framework. You can follow HITRUST, you can follow NIST or ISO, you can address every single requirement and do a poor job of it and still be just as insecure as you would be without doing it," he said, adding that several of the recent big breaches involved organizations that were CSF certified.
In a survey, Information Security Media found that 53 percent of health care organizations rely on the NIST framework as the basis of their information security programs, while 32 percent use a hybrid approach. Some 25 percent said they use HITRUST CSF and 25 percent use ITIL (Information Technology Infrastructure Library). Respondents could select more than one answer.
"One of the things we’ve been talking about at CHIME (College of Healthcare Information Management Executives) and its security group AEHIS (Association for Executives in Healthcare Information Security), is that what’s needed are a basic set of requirements for what’s acceptable in handling protected health information and connecting to systems that have protected health information," he said. "HIPAA doesn’t provide that, and even most of the standards, whether it’s CFS or NIST or ISO, don’t provide that. They provide guidance – a set of controls you should evaluate. But there’s nothing that says, 'The minimum you should do is XYZ.' And that’s what would probably be most helpful to the industry overall."
McMillan points to the encryption language in the HIPAA rule as an example of when OCR got it right. Yet, so far, encryption isn’t mandatory if you can make a case for why an alternate control would be more appropriate. After the cyberattack against Anthem, however, lawmakers said they plan to review whether HIPAA should make encryption mandatory.
Biondo maintains that the government has already laid out the minimum requirements through the NIST framework, though he concedes that they really are guidance.
"To pull that information into your organization and to map those requirements to controls that mean something to your organization, is very doable, but it’s not very easy. It’s actually quite expensive," he said. He initially was a naysayer to the CSF program, he said, thinking it would find a lot of gaps that would be expensive to fix. That wasn’t his organization’s experience, however, and he said he found the process relatively painless.
He praised the program for helping organizations prioritize the controls on which they need to focus.
"HITRUST has already done the mapping across multiple frameworks, not just NIST. It’s a broader framework, it’s a flexible framework. It allows you to develop your own custom controls and it will allow you to do that very quickly. Plus it’s constantly updated," he said.
Susan Hall has been a journalist for more than 20 years at news outlets including the the Seattle Post-Intelligencer, Dallas Times Herald and MSNBC.com. She writes for eeesDice.com and FierceHealthIT.