Healthcare organizations spend, on average, between four and seven percent of their IT budgets on cybersecurity. However, as security teams strive to spend their resources on products and services that protect patient data while delivering a meaningful return on their investment, they face a critical question: which cybersecurity and compliance assessments are the best use of their resources?
Because the industry includes a number of diverse organizations – from hospital networks and payors to biopharmaceutical manufacturers and SaaS platforms – there is no “one size fits all” approach to healthcare security compliance. Each organization will need to consider:
- The type of product(s) or service(s) they deliver
- The type(s) of information they manage (both health-related and non-health related)
- Their target customers and their corresponding expectations
- Their obligations under various privacy and security laws
They must also consider how much time – and how many resources – they can commit to the process. Every assessment requires an internal commitment, but some are more resource-intensive than others.
Healthcare Security Assessments as a Cost of Doing Business
In some cases, an organization’s business model will dictate the type(s) of audits they need to complete. Anthem, Humana, and UnitedHealth Group, for instance, require their business associates to be HITRUST®-certified. Any vendor that plans to contract with these payors must maintain an active HITRUST certification. Similarly, the major credit card brands require organizations that collect, store, or transmit payment card information to be PCI-compliant. Organizations that process a specific volume of transactions may need to obtain a Report on Compliance (ROC).
When an organization does not have to meet specific requirements as a condition of doing business, they may have more flexibility with their healthcare security compliance program. In these cases, they will need to consider their customers’ current (and future) requirements, the competitive landscape in their industry, and their long-term strategy to choose the right assessment.
Choosing a Healthcare Cybersecurity Assessment
HITRUST® CSF Certification
The HITRUST CSF was originally developed to consolidate several privacy and security frameworks (including HIPAA, HITECH, NIST, and GDPR) for the healthcare industry. It has since expanded to meet the needs of other industries, but its widespread adoption among hospitals, private practices, and third-party health insurance administrators has made it one of the “gold standards” for healthcare cybersecurity.
HITRUST offers several assessment options, including Readiness Assessments and Validated Assessments. For a Readiness Assessment, organizations score their maturity levels across 19 domains, such as network protection, password management, and access control. They submit their self-assessments to HITRUST, which issues a Readiness Assessment report. However, this option does not result in a formal certification. It is most often used as a “springboard” to a full Validated Assessment.
For a full Validated Assessment, organizations must have their assessments validated by an External Assessor licensed by HITRUST. This involves additional testing to confirm that each domain has been scored appropriately. Once the External Assessor has completed their work, they will submit their results to HITRUST for review.
If requirements are met, HITRUST issues a certification that is valid for 24 months. (To maintain certification, organizations must complete an interim assessment at the 12-month mark.) Certification carries significant status in the healthcare industry; certified organizations can assure their customers that they have met rigorous requirements for privacy, security, and risk management.
A HITRUST assessment may be right for you if:
- You serve large healthcare organizations that require their vendors to be HITRUST-certified
- You need a streamlined way to meet the requirements of multiple frameworks and/or audiences (both medical and non-medical)
Download our guide: Preparing for a HITRUST CSF Assessment and learn more about HITRUST readiness assessments; choosing a HITRUST MyCSF subscription; and collecting and submitting evidence in a HITRUST Validated Assessment.
HIPAA Security Compliance Assessments
HIPAA compliance is mandatory for healthcare providers, health plans, and clearinghouses (Covered Entities), as well as their Business Associates. Health information technology vendors (including telemedicine solution providers and other SaaS providers); hosting providers; third-party administrators; and other third-party service providers must be able to prove that their products and services are HIPAA-compliant and capable of securing Protected Health Information (PHI).
There is no formal certification process for HIPAA, which can make it challenging for an organization to provide reliable validation of their privacy and security practices. However, a third-party HIPAA security compliance assessment is one option. An independent assessor evaluates the organization’s controls through the lens of the law’s requirements, documenting the organization’s controls in a written report that can be shared with customers and regulatory bodies. This offers a higher level of assurance regarding the organization’s HIPAA compliance and privacy program, as compared to an organization that only vouches for their own internal efforts.
A HIPAA security compliance assessment may be right for you if:
- You are a covered entity or business associate
- You need to demonstrate your commitment to healthcare security compliance, but do not have the resources for a more intensive HITRUST certification
- You need to better understand the risks and gaps in your current program as it relates to the handling of PHI
Download our guide: Preparing for a HIPAA Security Compliance Assessment and learn more about collecting and submitting evidence; organizing subject matter interviews; and creating a timeline for deliverables.
MARS-E Compliance Assessments
MARS-E (Minimal Acceptable Risk Standards for Exchanges) is another healthcare security compliance assessment, designed specifically for ACA administering entities. It is based on the information security standards outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-53.
As with HIPAA, there is no formal MARS-E certification program. However, third-party assessors with a detailed understanding of the MARS-E framework can evaluate an organization’s efforts and document its controls in a report that provides an additional level of independent assurance.
A MARS-E compliance assessment may be right for you if:
- You are an ACA administering entity, such as a federal or state marketplace or exchange; a state Medicaid agency; or a state agency that administers the Basic Health program or Children’s Health Insurance Program
- You are a third-party vendor that provides (or plans to provide) products or services to any of the above organizations
System and Organizational Controls (SOC®) Examinations
SOC® examinations help service organizations communicate their internal controls to customers and stakeholders. While SOC examinations are not exclusive to the healthcare industry or the handling of PHI, they offer a standard reporting framework that covers an organization’s policies and procedures.
With several types of SOC reports to choose from, organizations can tailor their examination to their specific needs. Learn more about SOC 1, SOC 2, SOC 3, SOC for Cybersecurity, and SOC for Supply Chain.
A SOC examination may be right for you if:
- You are a service organization, such as a data center, SaaS provider, or third-party billing provider
- Your customers often request information about (and/or third-party reports on) your controls
- You need an easier way to respond to security questionnaires and audit requests
PCI DSS Compliance Assessment
PCI DSS compliance is mandatory for organizations that store, transmit, or process cardholders’ personally identifiable information. (This includes names, account numbers, credit card security codes, and expiration dates.) PCI certifications are valid for one year from their issue date.
A PCI DSS assessment may be right for you if:
- You provide payment processing services to hospitals, private practices, payors, or other healthcare organizations
- You are a merchant that processes transactions in high volume
Cybersecurity Risk Assessments
Risk assessments can complement any healthcare IT audit. While audits focus on the design or effectiveness of an organization’s controls, risk assessments help identify new threats. The results of a risk assessment can influence the development and implementation of new controls.
Integrating Multiple Healthcare Cybersecurity Assessments
To meet complex security compliance requirements, healthcare organizations often complete more than one assessment. However, it can be costly – and time-consuming – to complete several initiatives at different times, and with different auditors.
One way to make compliance less complicated is to complete several audits as part of a single, integrated engagement. Working with one auditor, organizations can choose the assessments that best meet their needs, then create a consolidated plan to complete them at the same time. They can work from a single document request list; host the same team for fieldwork; and develop a custom project plan that keeps every engagement on track, making the process faster and more cost-effective.
At 360 Advanced, we can help you navigate the complex world of cybersecurity and compliance. Offering a wide range of privacy and security audit services, we can guide you in determining which efforts will be the most appropriate use of your time and resources. From there, we can help you complete each effort as part of a single, streamlined initiative.