HITRUST CSF Certification: Why it’s important and what it means for physician practices

August 20, 2020

How this certification signals that a vendor has built and independently validated a strong security program.

Physicians are no strangers to technology vendors competing for their attention with promises of greater productivity and enhanced care delivery, but entrusting patient data to a third party can be risky and stressful. One practical indicator that a potential technology partner has implemented, and had independently validated, end-to-end security controls is the HITRUST CSF® certification.

In order to achieve this certification, organizations must undergo rigorous reviews to ensure their technology meets regulatory, compliance, and risk standards including HIPAA, ISO, NIST, PCI, and state laws. HITRUST rationalizes and unifies these regulations and standards into a single security and privacy framework. Companies that earn certification are assessed against that framework by an independent, HITRUST-authorized third party and must demonstrate compliance with hundreds of controls: controls that reduce the likelihood and impact of known classes of threats, and that provide for the continuity of business operations in the event of an incident. The certification is not a one-time event; it must be renewed, with interim reviews in between, so the controls have to keep operating after the initial assessment.

The HITRUST CSF certification process is difficult. Vendors must invest in building a comprehensive privacy and security program going well beyond any regulatory requirements―but this tremendous effort is worth it to assure physician customers that they can have a high level of confidence in the measures their business partners have taken to protect patient data.


HITRUST CSF Gives Assurance that Data Can Be Used Securely and at Large Scale

The COVID-19 pandemic forced many health systems to accelerate population health management initiatives. For example, some systems helped providers identify and conduct outreach to thousands of vulnerable patients who may have needed immediate information about COVID-19 as well as where to seek tests, treatment, or other services. The accelerated demand for population health capabilities created an overwhelming and immediate need to harness patient data from across the care continuum and make it actionable.

Many health systems will continue to implement these population health initiatives at an accelerated pace through COVID-19 and beyond. But when large amounts of data are exchanged, those sending and using the data rely on their partners' controls to ensure security, compliance, privacy, and continuity of services. HITRUST-certified products have been assessed to confirm that the controls protecting them are in place and operating, so that they can be implemented securely at scale. One caveat for buyers: a HITRUST certification has a defined scope (specific systems, facilities, and environments), so confirm that the product and hosting environment you are adopting are actually within the scope of the vendor's certification.

HIPAA Compliance Isn’t the Same as a Security Program

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. The U.S. Department of Health and Human Services subsequently issued the HIPAA Privacy Rule (finalized in 2000) and the HIPAA Security Rule (2003). These rules gave healthcare consumers rights over their protected health information, including the right to access it and to limit how it is used and disclosed, and required providers and their business partners to keep that information secure and private.

Under current laws and regulations, healthcare organizations (covered entities) and the business associates that handle data on their behalf are required to comply with HIPAA. HIPAA is an important regulation, but compliance with it is not nearly the same as having a robust and independently validated security program.

HIPAA compliance is a requirement to do business, and it covers only a subset of what is necessary to protect the security and privacy of healthcare data. A HITRUST CSF certification, however, is a voluntary assessment covering a comprehensive set of best practices and controls. It provides assurance that an organization's systems are compliant and secure today, and that the organization has the processes in place to keep pace with evolving threats to data protection.


Going Beyond a Certification to a “Culture of Security”

Achieving HITRUST CSF certification requires collaboration across all parts of an organization to build a security program that can withstand a rigorous review of hundreds of controls by independent, third-party assessors. This cannot be achieved without a "culture of security," where each person, from the CEO to the newest recruit, understands his or her role in securing data and protecting against outside attacks and threats.

The process of building a security program results in an organizational culture where people are constantly thinking and talking about security, and taking individual actions to protect data. This behavior is especially important to providers in value-based contracts who manage large patient populations. When physicians are taking on clinical and financial risk for thousands of patients, they need to know that their initiatives to deliver higher-value, higher-quality care are based on secure and compliant data assets.

Many health IT companies are working to help providers deliver care more effectively and efficiently. Security should be a priority in any vendor selection process, and knowing that a vendor has earned HITRUST CSF certification provides an increased level of confidence that patient data management will be secure, private, and compliant.


About the Author

Bob Dupuis is the Vice President of Enterprise Architecture and Security at healthcare data and software company Arcadia, a widely-recognized leader in population health management.