According to a new study conducted by researchers at Massachusetts General Hospital and published in the Journal of the American Medical Association, the number of annual health data breaches increased 70% over the past seven years. That same study noted that 75% of the 132 million breached, lost, or stolen records were a result of a ‘hacking or IT incident.’ There’s no question healthcare organizations are under siege by cyber criminals and significant improvements in information security are needed to keep up with their evolving attacks.
Staying ahead of cybercriminals is no easy task however so thankfully, there are resources available. In an attempt to support organizations make needed improvements, the Health Information Trust Alliance, HITRUST, an alliance of healthcare, technology and infosec leaders, first established a Common Security Framework (CSF) in 2007 for any organization that creates, stores, accesses or exchanges personal health information, PHI, to use. Unlike the government regulation HIPAA for example, which mandates PHI as a personal right, defines how PHI must be protected, and issues penalties for failure to do so via the Office of Civil Rights (OCR), HITRUST is a helpful framework that outlines an efficient approach to both risk management and regulatory compliance.
For more on the difference between government regulations and cybersecurity frameworks, check out my earlier post.
Many organizations think of HITRUST as a cybersecurity blueprint. It uses a comprehensive approach pooled from other frameworks, including NIST, CIS, COBIT and others, and it primarily relies on 13 control categories that can be lumped into 3 primary categories:
Since May, a slew of organizations have worked hard to achieve HITRUST’s newly launched certification which assists hospitals and health systems deploy, understand and report their effectiveness against the NIST CSF and also helps them view their efforts through the lens of HIPAA Privacy and Security Rules and other compliance regulations. Certifications and scorecards aren’t the single silver bullet to healthcare security of course, but it’s certainly a step in the right direction.
Is HITRUST certification for you? Possibly. You can read about the process here. For more on HITRUST, generally, check out my latest Cybersecurity Insights video below.
To stay up-to-date with the latest guidance for your healthcare organization’s cybersecurity disciplines, you can also subscribe to the YouTube channel.
Have you ever wonder about the HITRUST Cybersecurity Framework? Well, in today's episode, I'm going to satisfy your curiosity.
The Alliance is filled with industry vanguards from all sides: payers, providers, medical device firms, and other stakeholders.
They advocate for healthcare organizations and help spearhead policy, but have also published a crucial cybersecurity blue print. Which pools from others: CIS, COBIT, NIST, among others.
HITRUST is a greatest hits collector, distilling a framework from several great artists.
And it comes with 13 control categories that we can bundled into 3 chunks:
- User Security,
- Asset Security, and
- Data Security
When it comes to User Security
HITRUST provides policy guidance that spans the user’s lifecycle: from onboarding, provisioning, authorizing, authenticating, and deprovisioning users.
By controlling who, and in what circumstances, accesses PHI and other sensitive information, HITRUST gives a solid step toward cyber resilience.
Number 2: Asset Security
Looks similar to other frameworks. It starts with asset intelligence to validate resources and confirm their security posture. When controls, configurations, apps, and agents are calibrated for max security, you can say the device has good hygiene. Probably one of the best metaphors in our industry.
Good hygiene = AWWWW!
Bad hygiene = DANGER!
And finally, we come to Data Security
These controls include validating data integrity by looking at inputs and outputs and monitoring data protection to spot problems and mitigate risks.
You can see how this is neatly aligned with our previous discussion on HIPAA and PHI safeguards.
Throughout the security community, we are witnessing a tectonic shift back to the fundamentals. The HITRUST framework is one such example. By applying these controls, healthcare organizations can make the leap to stronger cyber resilience by focusing on the three areas: User security, Asset security, and Data security.
Follow the blue print, become resilient, win the game.
That’s it for today! And in future episodes, I’ll give you the rundown on more ways to improve cyber hygiene and stay strong in an uncertain world.