Healthcare Technology Featured Article

July 11, 2019

HITRUST: Why It Matters

Healthcare organizations make up the second largest business sector in the U.S. and are cyber attacked at twice the rate of any other public- or private-sector industry. According to incident data compiled by the HIPAA Journal, “between 2009 and 2018, there have been 2,546 healthcare data breaches involving more than 500 records. Those breaches have resulted in the theft/exposure of 189,945,874 healthcare records. That equates to more than 59 percent of the population of the United States.” Healthcare data breaches, the publication found, “are now being reported at a rate of more than one per day.”

The scope of data breaches

On June 3, 2019, Quest Diagnostics, one of the biggest blood testing providers in the country, warned that nearly 12 million of its customers may have had personal, financial and medical information breached due to an issue with one of its vendors. In a filing with securities regulators, Quest said it had been notified that between Aug. 1, 2018, and March 30, 2019, someone had unauthorized access to the systems of AMCA, a billing collections vendor. Quest said it was told that as of May 31, information on roughly 11.9 million of its patients was stored on the affected AMCA system.

In 2015, malware was the weapon of choice in the most significant PHI breach to date, when Indiana-based Anthem, the healthcare insurance provider for giants Blue Cross, Blue Shield and nine other large care providers, suffered a data hack that jeopardized non-medical information on 78.8 million individuals. The breach, which occurred over a period of weeks, made headlines across the country and was thought to have been caused by what the New York Times later described as “a sophisticated malicious software program that gave them access to the login credentials of an Anthem employee.”

The massive hack didn’t fall under the mandates of either the Health Insurance Portability and Accountability Act or the Health Information Technology for Economic and Clinical Health Act because no medical information was compromised. Remarkably, the hack was relatively easy to accomplish because Anthem had simply failed to encrypt its data, at either the full-disk or the file level. In other words, Anthem had neither put a deadbolt on its file cabinet nor secured it further with coded access.

Over the past three years, Georgia-based Augusta University Health successfully deflected a pair of cyberattacks but fell victim to three successful phishing assaults in 2016, 2017 and 2018, which let the attackers solicit usernames and passwords and use them to gain access to internal email accounts. The last attack, in August 2018, compromised the data of 417,000 patients of Augusta University Health, including the Augusta University Medical Center, the Children’s Hospital of Georgia and more than 80 outpatient clinics around the state.

The inception of HITRUST (Health Information Trust Alliance)

To address the multitude of security, privacy and regulatory challenges that healthcare organizations face almost daily, HITRUST (the Health Information Trust Alliance) was created in 2007 by a consortium of healthcare and IT professionals. Its purpose is to guard against such data breaches and to provide an efficient, prescriptive and readily applicable framework for managing the security requirements of HIPAA (the Health Insurance Portability and Accountability Act of 1996), which sets out data privacy and security provisions to safeguard sensitive medical information.

HITRUST is managed by the healthcare representatives that form the Health Information Trust Alliance, and its value is growing significantly as cyberattacks aimed at illegally procuring sensitive medical and personal data continue to rise at an alarming rate. Risk- and compliance-based, HITRUST has developed the Common Security Framework (CSF), which works on several dimensions at once: it incorporates globally recognized data security standards such as ISO 27001, PCI DSS and COBIT to reduce the risk of non-compliance; it evolves its security strategies in step with changes in both the healthcare industry and the regulatory environment; and it lets healthcare organizations tailor their own data security control baselines and vendor management programs to the unique needs of their organization type, size, systems and multiple compliance requirements.


HITRUST certification vs HIPAA

HITRUST and HIPAA are not interchangeable. HITRUST includes guidelines similar to those of HIPAA, but it goes further. HIPAA, on the other hand, is a set of standards and regulations meant to protect sensitive information in the healthcare industry, such as patient information; it offers nothing beyond those guidelines. The growing cybersecurity threat to healthcare makes it hard to keep up without help. HITRUST is the framework that allows medical practices to integrate guidelines and standards from various regulatory entities. With HITRUST certification, healthcare facilities can expand their data and patient security coverage.

Implementing HITRUST

Healthcare organizations seeking the security that HITRUST affords should first conduct a thorough self-assessment covering the complexity of their data acquisition and maintenance, their efficiencies and weaknesses, the capabilities of their technical infrastructure, hardware and software, the effectiveness of existing security measures, the probability of risk to their databases, and the ability of staff to implement and monitor new defense technologies.

Once the in-depth internal evaluation is complete, a professional CSF-accredited assessor approved by HITRUST should be engaged to perform the authorized certification assessment.

According to HealthCare Weekly, HITRUST certification is critical “because it rationalizes the diverse set of regulations and standards into a single overarching security framework. This allows organizations to tailor their security controls to their own specific business sector and regulations.”

The hierarchy of the CSF framework is constructed similarly to that of ISO 27001/27002. It consists of 14 control categories that contain 46 control objectives. These objectives map to 149 system controls. Within each of the 149 controls there are up to 3 implementation levels that must be met for each risk factor, such as regulations and management. In total, there are 845 requirement rules that every company creating software for the healthcare/pharma industry must follow.

Trust with HITRUST

HITRUST-certified medical organizations and facilities have the peace of mind of knowing that they run efficient data security processes and have reduced the threat of data breaches. Although this certification is not a prerequisite for operating a healthcare practice, it is the simplest and most complete way to ensure that your facility is on par with the latest security and regulatory compliance laws. Gaining trust is pivotal in any industry, and healthcare is certainly no exception. HITRUST certification helps healthcare facilities gain the trust of their most important customers, the patients, who will know that their private data and health information are safe.

About the Author: Harsha Gummadavelli is a Senior Architect at a leading cloud data management company, specializing in implementing data protection software for organizations across the globe. He has worked with a number of Fortune 500 companies and has garnered vast experience specifically working with healthcare clients to enhance their data protection programs. He can be reached at [email protected].

Edited by Maurice Nagle
By Special Guest Harsha Gummadavelli, Senior Architect