As larger players in the healthcare industry like Anthem, Humana, and UnitedHealth Group begin to embrace the HITRUST Common Security Framework (CSF) in an attempt to manage the ever-evolving compliance landscape, the desire for HITRUST certification has increased exponentially. However, for many organizations the road to certification is a long one.
Below are some of the common challenges encountered along the way, and the necessary considerations you should take before embarking on your journey.
Choosing the right assessment
Choosing between a Self-Assessment and Validated Assessment is relatively straight forward. Self-Assessments are a more cost-effective option for your organization to assess their current compliance level. Validated Assessments by a third party is the rigorous option for your organization. However, it is the only path to achieving certification. There are two different types of certification, which is one source of confusion for many organizations. HITRUST Alliance allows you to be certified with either a Security Assessment (assessed against 64 controls) or Comprehensive Assessment (assessed against all 149 controls). The major difference between the two? Level of assurance. For many organizations using HITRUST to evidence HIPAA Security Rule compliance, the Security Assessment may be all you need.
Getting the right buy-in
Compliance is an organizational effort and a full-time job. All too often compliance is a shared effort across several departments that frequently results in finger-pointing and confusion during the assessment process. Is it Information Technology’s responsibility? Legal’s? Or is it Privacy’s? One of your first steps should be sitting down with key stakeholders to determine who is responsible for compliance in your organization. Next you should ensure that an appropriate budget and amount of resources are allocated to compliance efforts.
Finding balance between patient care and compliance
Healthcare is a unique industry where a trump card exists. The desire to help improve patient care frequently causes a ripple effect across the organization therefore security and other initiatives take a backseat because they are viewed as a road block to productivity. Examples of this include purchasing applications that don’t support audit functionality, or turning off security events to improve system performance. However, with the rise in data breaches, it has become not so much a question of how but when a breach will occur. That is why it is essential for every organization to make security and compliance a significant part of their culture.
Evaluating your high risk controls
The HITRUST framework includes over 20 standards including, but not limited to, HIPAA, NIST, PCI DSS, SOC 2, ISO 27001, and COBIT. This makes HITRUST highly comprehensive and prescriptive. As such, some of the controls included within the framework are very specific and may be applicable to standards that your organization has not previously considered. There may also be instances when the risk assigned to a control requirement by HITRUST misaligns with your organization’s own risk designation. It is important to appropriately evaluate the risk, impact, and cost effectiveness of implementing each control in order to achieve the overall maturity of 3 required in each domain for Certification.
Managing your policies and procedures
One of the most frequently missed pieces (and often times the cheapest to implement) is strong policy and procedural documentation management. Policies and procedures are typically the first thing requested to evidence the existence of a control. Robust documentation helps organizations avoid redundancy in effort, decrease knowledge loss, provide consistency, and establish process ownership. Even if you have everything else in place, missing policy and procedural documentation can be the difference between a Certified Assessment and a Validated Assessment.
For many business associates in the industry, the race is on to achieve certification by the looming 2017 deadline. While HITRUST certification can undoubtedly be challenging and costly to achieve, careful planning and evaluation of your organization’s current environment will help make the certification process as efficient as possible.
About JULIE YANG
Julie Yang is the HITRUST technical lead at Schellman. Prior to joining the company, Julie worked at a multinational professional services firm where she specialized in technology compliance and HITRUST assessments. Julie has provided services for private healthcare organizations and Fortune 500 companies throughout the course of her career.