If you own a healthcare practice or just work in one, then you are very familiar with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA is a set of rules and best practices that healthcare organizations must maintain compliance with to secure patient data and avoid potentially massive fines. This system has worked very well since it was established in 1996, but like all things it has inherent flaws. The first flaw is that HIPAA is a compliance-based program, meaning it only requires the minimum best practices from healthcare organizations to maintain their compliance.
The minimum requirements may have been all you needed in 1996, when the most advanced hackers were seen in movies like “Hackers.” In 2020 the minimum required security will not do, especially in an industry that is targeted more than any other by cybercriminals. According to the Department of Health and Human Services’ Office for Civil Rights (OCR), in 2018 more than 13 million healthcare records were exposed to potential cybercriminal activity. These statistics show the inherent flaws in the HIPAA program.
What Do the Statistics Say?
The 13 million potential data breaches come with a hefty cost to the healthcare industry. In some cases, the cost is so high that many healthcare practices can’t continue to serve their patients and have to close up shop. According to the 2018 IBM “Cost of a Data Breach” report, the global average cost of a single data breach went up 6.4 percent from 2017, totaling a whopping $3.86 million. That is no surprise when we look at how much the cost of each stolen record went up: an increase of 4.8 percent per record, bringing the average cost to $148 per record.
What is HITRUST?
I’m sure now that you see these statistics, the warm and fuzzy feeling you felt with HIPAA compliance is starting to fade; this is where HITRUST comes into the picture. The Health Information Trust Alliance Certification (HITRUST CSF) is a framework that unifies many other security and compliance frameworks to create one all-encompassing system. The frameworks and standards included are HIPAA, PCI, ISO, and NIST. By bringing these frameworks and standards together, HITRUST creates controls to ensure that data remains secure throughout any process that may make it vulnerable. This system is an attempt to help vendors better prove their security and to help HIPAA-covered entities streamline security and compliance reviews.
Certification Over Compliance
So you might say, “What’s the difference? They sound very similar.” The difference is that one is a compliance program (HIPAA), while the other is a certification (HITRUST). Compliance means you only have to adhere to the bare-minimum protocols to keep data safe, while certification requires that the practice adhere to a comprehensive framework of the top security and regulatory standards of state and federal governments, going above and beyond any HIPAA compliance requirements.
This certification is gaining traction in an industry that seems to become more porous each year. Expect to see more about HITRUST in the coming years, and with all the discussion about Google and “Project Nightingale,” I wouldn’t be surprised if these frameworks are added into HIPAA compliance.