Data breaches are cropping up more frequently in the healthcare industry, an unsettling upward trend. For example, in 2016, Newkirk Products experienced a breach in which an unknown hacker accessed information on nearly 3.3 million patients. The vulnerability was introduced by third-party software. Third-party vulnerabilities are just one of the many areas in which HITRUST aims to strengthen healthcare organizations’ resilience.
Healthcare industry data breaches like these are not likely to subside in the near future. The IBM-sponsored Ponemon Institute “2017 Cost of Data Breach Study” estimated that the average global cost of a data breach is $141 per record. But for healthcare organizations, that average cost is much higher: $380 per record.
What can healthcare organizations do to minimize the impact of data breaches? First and foremost, they must implement appropriate information security controls. Currently, healthcare organizations face several information security challenges, including:
Clearly, information security is a complex process, and healthcare organizations have unique needs. The HITRUST CSF® – a security framework developed by HITRUST, in collaboration with information security experts – is a solution for healthcare organizations that want to implement a control framework. The HITRUST CSF® offers the following benefits:
While HITRUST may be an unfamiliar name, the framework is not completely new. The HITRUST CSF® in part combines many tried and tested cybersecurity frameworks to create a “best of all worlds” framework specifically for healthcare. The framework includes controls and concepts from ISO/IEC 27001:2005 and has evolved to include:
Rather than jumping directly into a validated assessment, an organization should treat the HITRUST CSF® assessment as a six-month to one-year process. The first step toward validation is for the organization to perform a self-assessment. The self-assessment gives the organization an idea of how close it is to certification before it undergoes a validated assessment. The next step is remediation. Remediation can be performed within the organization or with the help of an experienced Approved HITRUST CSF® Assessor. Once remediation is complete, the organization is ready for the validated assessment.
An organization must choose an Approved HITRUST CSF® Assessor firm, after which the validated assessment must be completed within 90 days. The self-assessment and validated assessment processes can follow different paths.
The HITRUST CSF® is built on tried and true frameworks that have been in use in the technology field for years. The HITRUST CSF® is the most comprehensive security framework for healthcare, and adopting it tells clients and business partners that you’re serious about cybersecurity.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2018 Crowe Horwath LLP, an independent member of Crowe Horwath International.