In an effort to help healthcare organizations cut down on certain health data security and privacy redundancies, two accreditation and certification organizations recently decided to work together on reducing costs and streamlining the processes for the healthcare industry.
Last month, the Electronic Healthcare Network Accreditation Commission (EHNAC) and the Health Information Trust Alliance (HITRUST) announced that they were collaborating to streamline their accreditation and certification programs.
EHNAC has been working as an accreditation organization for over 20 years, and has 18 different accreditation programs, EHNAC Executive Director Lee Barrett told HealthITSecurity.com. EHNAC has been focused on risk mitigation, and working to help organizations reduce the risk of a breach incident, cyberattack, or ransomware attack.
“We had heard from a lot of organizations that as they go through different types of certification, such as EHNAC, HITRUST, and others, that the internal cost for them to go through the various certifications and accreditations is very significant,” he explained. “The organizations say that in many cases they have to answer similar types of questions, responses, or self-assessments.”
EHNAC also heard that organizations had to spend a great deal of time on the certifications and accreditations, which often overlapped heavily with one another: the same type of information was frequently requested from one program to the next.
“We started working with HITRUST and having discussions with them as far as the collaboration over a year ago,” Barrett stated. “EHNAC’s accreditation looks at not only privacy and security, but we go beyond that into a review of the technical and operational aspects of a platform and infrastructure. We look at best practices and we look at the resources that the organization has to support their product or service. We have a lot of stakeholder-specific criteria that we’ve also developed in our programs.”
There was a significant amount of overlap between the privacy and security component of the EHNAC accreditation and the HITRUST Common Security Framework, Barrett said. Many organizations were also going through both HITRUST certification and EHNAC accreditation.
“If you take a clearinghouse, for example, if they go through HITRUST certification, all their privacy and security components will now go over into their EHNAC accreditation,” he explained. “Those privacy and security components, they will not have to do again for their EHNAC accreditation.”
Instead, organizations will complete their self-assessment and the EHNAC audit process; only the stakeholder-specific criteria will still need to be done, he said.
“It’ll save organizations a significant amount of internal cost, time, and effort that they’re currently going through today by this collaboration,” Barrett noted.
HITRUST CEO Dan Nutkis agreed, and said that HITRUST had also been hearing similar feedback from industry organizations, such as hospitals and health plans.
“We had been hearing that we needed to be cognizant of the impact that the changes and additional requirements had on them,” Nutkis said. “Additionally, we needed to understand the impact that competing, inconsistent, or duplicative requirements had on them.”
As standard-setting, accreditation, and certification programs, they had not been doing a good job collaborating amongst themselves, he added.
“We were asking industry members to collaborate, we were asking them to do things that we weren’t doing ourselves,” Nutkis explained. “That led to some discussions between EHNAC and HITRUST where we agreed that it was our responsibility, and we should take some leadership here to streamline the process for industry.”
HITRUST looked to where its own core competencies were, and where EHNAC’s were, Nutkis continued. They wanted to see where they were driving the requirements, and suggested that there should be one set of requirements for organizations, instead of a separate HITRUST and EHNAC requirement.
“The industry really wins and the onus and burden was on the accreditation and certification organizations to make that happen, not the industry,” Nutkis said. “It became basically transparent for them.”
It is also important to note that if an organization already has an EHNAC accreditation, this collaboration with HITRUST will not change that.
“If somebody says, ‘I’m already EHNAC accredited for your healthcare network accreditation program. We want to add HITRUST certification,’” Barrett said. “The good news is, that organization will be able to take all of the security and privacy components in their accreditation, and it will go over to their HITRUST certification.”
The additional audit components, going out and reviewing organizations’ various entities, will still need to be completed, Barrett added. However, a significant number of redundancies will be eliminated, both for organizations that are already EHNAC accredited and for those that are HITRUST certified and now want to be EHNAC accredited.
How the collaboration affects overall compliance measures
In terms of how healthcare organizations are approaching their compliance measures, Barrett said that this becomes another significant piece as far as the risk mitigation and compliance strategies that are already in place.
Organizations are under a lot more scrutiny to ensure they have third party reviews and controls in place. All controls, policies, procedures, and risk plans should be regularly reviewed, he said.
“This adds another layer to organizations as part of their risk mitigation strategy,” he said. “In so many cases we’re finding that the board of directors, the audit committees, a lot of these organizations are actually requiring third party reviews of their penetration testing, their intrusion detection, and testing that they’re doing.”
Nutkis added that in the future, HITRUST and EHNAC hope similar approaches and collaborations will take place.
“What we envision happening is EHNAC and HITRUST will then work with other organizations in the industry, other standards organizations, to make sure that we are coordinated,” he said, using the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) as an example.
Creating stronger overall data breach prevention measures
A key area right now is organizations looking to establish stakeholder trust, Barrett explained. Whether an entity is exchanging data with another organization, or has their workflow tied in another way, that stakeholder trust is essential.
The number of breaches and cyber attacks is increasing, and Barrett maintained that it does not matter whether you’re a large organization like Anthem or Premera, or a smaller provider. The larger covered entities have had a lot of press, but smaller facilities are also at risk of a breach or other cyber incident.
“All of these entities are exchanging data or are part of exchanging data with clearinghouses or health plans,” he said. “They could be part of an HIE, an accountable care network, etc. The amount of data – especially after you add in the EHR exchange of data and the portability issues – with all this data being exchanged, organizations have far greater opportunity for risk of a breach, an incident, or a cyber attack.”
More healthcare organizations are becoming concerned with the escalation of cyber threats and ensuring that they have the necessary cyber defenses in place, Nutkis said.
“We’ve also seen organizations recognizing that breaches are in fact inevitable, so they’re appropriately focusing more on resilience, and being able to respond and recover,” he stated. “We see organizations certainly working on their security controls, but also working on their response, detection, and recovery aspects as well, which is all part of a good security program.”
Medical records are also worth much more than just credit card information on the black market, Barrett added.
“People keep asking me, ‘Are we going to be able to eliminate cyber attacks?’ The answer is no,” he stressed. “It’s worth a lot of money to cyber attackers. If they can get a couple thousand records at a time by hacking into a provider network that may not have the level of firewall or controls in place, they’re going to do it.”
It’s simply not the case that small organizations are exempt because they won’t be of interest to cyber criminals, Barrett said.
“We’re trying on an ongoing basis to educate the market that whether you’re a small provider, a small medical biller, or you’re a large entity, no one is immune to one of these attacks,” Barrett said. “Organizations need to take it seriously. It needs to be geared toward the size of the organization, but they need to really put in the time, the effort, the controls, the policies and procedures. They also need to have some type of business continuity plan in place in the event that they do have a breach.”