According to data compiled by the HIPAA Journal, the number of exposed healthcare records tripled from 2018 to 2019. With these numbers on the rise - take a look at some of the most recent breaches here - it is more important than ever to choose a trustworthy technology for your healthcare practice. While it's growing increasingly common to see vendors slap the HIPAA logo on their website and pat themselves on the back, some of us - like Trillian - have gone the extra mile and achieved HITRUST CSF certification.
"That's great," you're saying, "but why should I care?" We're so glad you asked! Let's dive into explaining the difference between HIPAA compliance and third-party certification standards like the HITRUST CSF!
HIPAA vs HITRUST. What’s the difference?
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law back in August of 1996. To oversimplify a bit, think of HIPAA as a set of rules, regulations, and best practices for everyone in the healthcare sphere from healthcare providers to the technology companies who work with them. As a technology provider, our primary concern is on the "accountability" portion of the act, which means we're responsible for the hows and whys surrounding protection of our customers' Protected Health Information (PHI).
Importantly, while there are fines aplenty for being caught violating HIPAA, there is actually no government-approved, formal way to achieve "HIPAA compliance"! This means that anyone claiming to be "HIPAA compliant" is, for the most part, asking you to just take their word for it. Businesses can pay for some training, implement some (or all) rules and regulations and then tick themselves off as HIPAA compliant. It's like marking your own exam papers: some companies will do this very diligently, and others... well, they’re at the back of the class with a note saying their dog ate their homework. 🤷♂️
Enter HITRUST and the HITRUST CSF. HITRUST is a privately held company that established the Common Security Framework, or HITRUST CSF, which exists as a third-party certification framework to be used by all organizations that create, access, store or exchange sensitive and/or regulated data. This means that authoritative professionals can assess vendors to ensure they are doing the right things according to the frameworks they're targeting, whether HIPAA, PCI, ISO, NIST, GDPR, etc.
HITRUST certifications can be expensive (typically in the 6 figures) so they represent a significant - but worthwhile! - investment. It's a way for a vendor to put some skin in the game and prove that they actually "take security seriously".
Benefits of choosing a HITRUST CSF certified vendor
When we started this process, we weren't sure what to expect. Surely we would blitz through certification, right? After all, with 20 years of experience under our belts building and running Trillian we already knew all about things like encrypting data in transit and at rest. And yet! There are many different things that come up during a formal certification process that not every vendor considers and that we think are worth highlighting. Here are ten things to consider asking when evaluating technology providers:
1. Do you make a best effort to run a "zero trust" network, meaning that the servers that power your product are considered hostile to one another and not given blanket API/admin access to each other?
2. Do you utilize centralized logging and auditing for the servers and services you run to help guard against intrusion and notice things that are otherwise difficult to notice?
4. Will you provide a HIPAA Business Associate Agreement (BAA) to your healthcare customers?
5. Who owns the master encryption keys that control your (hopefully implemented) at-rest encryption? How is access to them controlled and audited?
6. How is access to customer data through necessary service administration tools controlled? Can Bob from Marketing pull up sensitive customer data on his lunch break?
7. When considering data ownership and scope, are backups considered? When accounts are deleted, are they hard deleted or marked inactive? How long does account data live in backup form?
8. If you run a data center: who has physical access to it and under what conditions? If you're in the cloud: who has similarly-scoped administrative access?
9. Do you have a formalized disaster recovery plan in place in the event of data loss, natural disaster, or loss of key personnel?
10. When hard drives leave your data centers or virtual servers are spun down, do you have a formal data destruction plans in place?
How HITRUST CSF certification benefits our customers
Trillian offers secure and reliable business instant messaging that adheres to the strict regulatory requirements of healthcare. Patients deserve to know their data is in safe hands, and now more than ever, it is vital that your healthcare business remains secure, flexible and efficient. Choosing a HITRUST CSF certified vendor is a step in the right direction.