Understanding the Import of HITRUST Certification to Healthcare

March 08, 2023 - The healthcare industry faces a unique set of challenges around health data privacy and security.

Provider organizations, health plans, and other industry stakeholders rely heavily on third-party vendors and other business associates. What’s more, digital innovation and the need for constant data access also places a burden on security teams attempting to remain HIPAA compliant and safeguard sensitive data. Organizations of all sizes and makeup struggle to tackle these challenges, but with the right combination of strategy, personnel, and technology they become confident in their ability to rise to the challenge.

The HIPAA Privacy and Security rule lays out a list of compliance needs for providers, but reports have shown that nearly 25 percent of healthcare fails to meet those expectations. Besides, many providers often use HIPAA to check the boxes to ensure compliance, but it's been proven HIPAA is not enough to keep data secure.

In response, many healthcare organizations have turned to outside resources to find clarity when building an effective privacy and security program.

What is HITRUST?

Before the formation of HITRUST in 2007, confusion and misconception around varying standards and regulations were the norm. Many providers were looking for a single assessment that would create a more secure program by checking all of the boxes.

HITRUST is data protection standards and development certification organization designed to assist healthcare providers, business associates, and vendors in safeguarding sensitive data and managing IT risk. HITRUST can be used across all sectors and throughout the third-party supply chain.

Since its formation in 2007, 81 percent of US hospitals and health systems, and 83 percent of health plans leverage HITRUST. It’s the most widely adopted control framework in the healthcare sector, according to a 2018 HIMSS survey.

HITRUST’s founders sought to address common healthcare privacy and security challenges by driving consistency, prescriptiveness, and efficiency across the sector. To accomplish this, they developed a single, common security framework (CSF) able to map to multiple regulations, standards, and best practices that is prescriptive, scalable by organization size, able to be certified against, and frequently updated and maintained.

The framework brings together several frameworks and standards, including NIST and HIPAA, to create a central key mapping tool. HITRUST brings together compliance and security to protect data while maintaining compliance with regulations.

Currently, the framework is in its ninth release and was developed by a CSF Advisory Council led by members from the American Hospital Association, American Medical Association, America’s Health Insurance Plans, and other privacy and security leaders.

HITRUST is also the basis for the health and public sector implementation of the NIST cybersecurity framework. NIST has also identified HITRUST as an appropriate standard to safeguard the internet of things (IoT).

Viability of Cloud Faxing Under HITRUST CSF

As the most recent version of the HITRUST CSF notes, paper faxing is problematic for HIPAA compliance. Physical machines present avenues for unauthorized access to sensitive health information, such as the ability to view built-in message stores or transmit information to the incorrect recipient either deliberately or accidentally.

Cloud faxing technology, however, can achieve HITRUST certification and help covered entities and their business partners to maintain HIPAA compliance.

Transmission security: Encryption using Transport Layer Security (TLS) encryption over the deprecated Single Sockets Layer (SSL) maintains HIPAA-compliant transmission security for data in motion.

Data encryption: Alongside the use of TLS encryption protocols, certified cloud faxing technologies use Advanced Encryption Standard (AES) of at least 128-bit, though some products have exceeded that level by including 256-bit encryption for added protection for incoming faxes and data at rest.

Access control: Certified cloud faxing technologies require the use of unique IDs, administrative privileges, and AES encryption (as well as other protocols) to limit ePHI access to authorized personnel only.

Audit control: HIPAA technical safeguards stipulate that covered entities and business associates have in place technical policies and procedures to manage authorized access to individuals and software programs. Top-of-the-line cloud faxing solutions offer multiple levels of audit control (e.g., secure archiving, transmission tracking) that allow providers and other stakeholders to adhere to HIPAA.

Why HITRUST Matters

Healthcare providers need a resource to navigate the complex landscape as technology, federal and state laws, and regulations continue to evolve. It’s a daunting task for all healthcare organizations to not only remain compliant but also demonstrate that they are trustworthy data stewards.

HIPAA compliance comes with a baseline of requirements, including ensuring the confidentiality, integrity, and availability of data, while keeping data safe from all threats. However, it also contains numerous items for covered entities and business associates to consider: technical infrastructure, hardware capabilities, security measures, and even the probability of potential risks when selecting the right controls to implement.

The guidelines can prove complicated and challenging, but they also don’t ensure data will be completely protected, even if maintained. In leveraging HITRUST, organizations can find actionable ways to manage the security requirements of HIPAA, while eliminating inconsistencies and wasted resources.

The framework has more than 135 controls divided over 19 different domains, including endpoint protection, information protection program, configuration management, wireless protection, vulnerability management, network protection, access control, third-party security, business continuity and disaster recovery, and other key areas.

The clear, actionable guidelines can be tailored to an organization’s needs. Covered entities should use these guidelines as a benchmark against which they can measure and manage compliance while protecting data.

HITRUST also offers a third-party assessment that can verify an organization has met the certification requirements of the CSF, which allows healthcare providers to ensure they are using trusted vendors to reduce risk. The attestation provides credibility that an organization is compliant and secure.

Many organizations have leveraged HITRUST to save time and resources during audits as the consolidated controls view from the framework provides visibility into controls, which overlap with regulatory requirements. It allows organizations to attest that their controls program meets the combine requirements.

A risk assessment based on the CSF generates multiple reports that address a wide range of regulatory, legislative, or other best practices. HITRUST research has shown that organizations that pursue traditional HITRUST CSF certification rapidly improve their information security posture to meet and maintain security posture in 97 percent of organizations.

“Evidence suggests that the more mature an organization’s information protection program, specifically their information security controls which demonstrate proficiency of operation, management, and reporting, the more likely an organization will be to continue to operate those controls in a similar manner in the future,” the report authors wrote.

“Mature organizations are less likely to suffer a breach and, should a breach occur, the more likely these organizations will be able to contain it and minimize the impact,” they added. “This is because controls that have been implemented at a high level of maturity are simply less likely to fail than controls that are implemented poorly.”

Overall, organizations that achieve HITRUST CSF certification either maintain or improve their security posture through near real-time insight into their security and compliance risk posture. It also allows providers to prioritize remediation activities and corrective actions.

Given the prevalence of cyber threats, the risk posed by employees, and a lack of resources, HITRUST can allow organizations to make sense of the threat landscape and security options with a clear risk management program.

__________________________________________________________________________________________

About Consensus Cloud Solutions:

eFax Corporate® was one of the first major Cloud Fax providers to achieve HITRUST CSF® Certification. With eFax Corporate, faxes can be securely sent and received by email, from any desktop, tablet, smartphone or from within EHRs via APIs – helping organizations boost productivity, enhance regulatory compliance and eliminate on-site fax hardware.