Why navigating cybersecurity certification will become more complex
In 2024, it will become more crucial for organizations to implement strategies that offer robust data protection and achieve compliance.
It’s no longer a question of whether a hospital, health system, clearinghouse, payer, ambulatory facility or physician practice will suffer a data breach or hacking incident — it’s a question of when.
That’s a sobering thought for healthcare executives and their cybersecurity teams. However, industry-accepted cybersecurity certifications and accreditations can go a long way toward ensuring an organization has the right tools to prevent a breach or lessen its severity, and toward reducing federal penalties and other repercussions related to an incident.
Healthcare organizations of all sizes should consider obtaining relevant certifications to protect themselves, the companies they share information with, and the privacy of protected health information on the patients they serve.
“Our journey started in response to client demand,” says David Weber, privacy and compliance officer for Claim.MD, a medical clearinghouse. “Claim.MD has always met the requirements for HITRUST, so certification wasn’t a matter of changing our controls,” Weber says. “Rather, it was a matter of documenting our controls so we could prove to the industry they were sufficient to meet the standard.”
Weber and Mark McLaughlin, senior assessor at DirectTrust, suggest these five steps for organizations pursuing certification.
Understanding the risk
In the first eight months of 2023, 463 healthcare organizations suffered a breach involving more than 500 records, affecting more than 71.8 million patient records. The number of affected records has already eclipsed the full-year total of 2022, and in terms of number of records affected, it ranks second only to 2015, when a breach of two payers impacted nearly 90 million records.
An increase in the number of affected business associates (BAs) is particularly concerning. In 2022, BAs accounted for 18 percent of breaches. So far this year, that figure has risen to 30 percent of all breaches, pointing to the need for every organization that exchanges data with others to obtain recognized industry certifications.
Likewise, cyber insurance is increasingly hard to obtain, expensive and covers fewer incident types. Two-thirds of respondents to a recent survey of more than 300 U.S. organizations said their insurance rates had increased by 50 percent to 100 percent upon application or renewal. Further, organizations face a longer list of exclusions that could void coverage, including lack of security protocols, human error and failure to follow proper compliance procedures.
Starting small
Just as no one can run a marathon without intermediate runs to prepare for the main event, Claim.MD didn’t start out trying for HITRUST certification. It first set its sights on the Healthcare Network Accreditation Program (HNAP) for Electronic Health Networks (EHN) from EHNAC, which is governed by DirectTrust; that program is designed specifically for clearinghouses. That accreditation was received in August 2021 after a six-month process. Since then, Claim.MD has obtained CAQH Committee on Operating Rules for Information Exchange (CORE) Eligibility, Claim Status, and Payment and Remittance Certification Seals; SOC 2 Type 2 certification; DirectTrust HNAP EHN reaccreditation; TX-RAMP Level 2 certification; and HITRUST Risk-based, 2-Year (r2) Validated Assessment.
Certifications and accreditations build on one another, and elements used in one application can also be used in others. Accreditations and certifications obtained by business associates can reduce the work an organization needs to do itself. For example, Claim.MD doesn’t have a data center; it uses Amazon Web Services (AWS) instead. AWS certifications help the clearinghouse meet certain security requirements, says Weber, whose full-time job is obtaining and keeping certifications.
Reading and following instructions carefully
While there is no single accepted method to secure a data network, accrediting bodies can be particular about policies and procedures that can vary among organizations. For example, HITRUST requires policies to be in place and unchanged for 60 days prior to inspection, and implemented controls for 90 days, says Mark McLaughlin, senior assessor of DirectTrust. That enables the policies and controls to mature and become part of normal operating protocols.
Weber also found tools associated with various accreditations useful to track compliance. For example, HITRUST’s MyCSF tool can help a company keep track of the requirements, the evidence and the documentation for each step in the process.
Knowing when to ask for help
Especially for companies that are working toward industry certification for the first time, contracting with an organization experienced in the accreditation process can help with understanding the various requirements and the best way to meet each of them. DirectTrust offers consulting services and also performs accreditation audits and site visits, but McLaughlin stresses that the same people would not consult with a company and then perform any auditing functions.
Weber has extensive experience evaluating audit documentation from previous work at a large payer, so Claim.MD did not use outside services to help prepare for accreditation.
Seeing multiple paths to compliance
Healthcare organizations that handle or transmit protected health information look very different.
Consider a multi-state hospital system, a single nursing home, a clearinghouse and a facility that prints patient bills. The hospital system has multiple sites where data is stored or transmitted and likely thousands of data connections, while the printing facility may be a single location with electronic connections to each of its clients. That’s why accreditation and certification protocols don’t generally specify particular technology or approaches to keeping data safe.
The first step in the DirectTrust accreditation process is the self-assessment and the evidence to support each response, says McLaughlin, who served as Claim.MD’s DirectTrust site auditor. There are usually many questions about the responses that are emailed back and forth until the auditor is satisfied. The auditor also reviews locations where data is exchanged, for example, a data center, a scanning facility, a lockbox location and others. Those facilities must also be secure, with policies in place and employee training to create what McLaughlin calls the “chain of trust” that’s required by HIPAA.
Before COVID-19, Q&A sessions and site visits were in person, but those have now shifted online, with email questionnaires, client video walk-throughs and conference calls used to demonstrate physical security.
Flexibility is part of the audit process, McLaughlin says, recognizing the differences between small and large organizations and how data can be handled correctly but in various ways. For example, Claim.MD employees all work remotely and access the software from dedicated Google workstations that have no other applications on them. Weber says that setup required a bit of explaining.
McLaughlin underscores the importance of obtaining relevant certifications or accreditations related to protecting patient data. “The alternative to certification is having the fox watch the hen house,” McLaughlin says. “But if you have this independent evaluation, you have a continued review and enhancement of the security controls that you’ve employed to deter attacks and threats on privileged information.”
David Weber is privacy and compliance officer for Claim.MD and Mark McLaughlin is senior assessor of DirectTrust.