With all of the demands of protecting healthcare information, two-thirds of survey respondents said they are not prepared to comply with HITRUST standards governing cyber security and steps to keep patient records and medical information secure. According to a survey of 604 healthcare industry professionals targeting vendors conducted by KPMG, half of those surveyed were “not ready” and 17.4 percent were in planning stages for a HITRUST (the Health Information Trust Alliance) CSF assessment – an internal control-based approach that allows organizations to proactively assess and demonstrate the measures they have taken to protect healthcare information.
There is no legal requirement mandating that organizations comply with HITRUST standard or SOC 2 – a separate data protection standard set by the AICPA. However, hackers and the high value placed on healthcare information have any organization that gathers patient records, medical billing or other protected healthcare information deeply concerned about its protection. An increasing number of organizations want their partners and vendors to have HITRUST or SOC 2 verifications that healthcare information security standards are being met.
Regarding the progress that organizations have made to address HITRUST CSF requirements, only 7 percent said they are completely ready and 8 percent described their organization as “well along implementation.” The remainder (17.4 percent) were in early stages of implementation.
When asked about staffing capabilities to meet this standard, 47 percent responded that they did not have the “right staff with the right level of skills to execute against the HITRUST CSF.” The survey found 53 percent did. Respondents found that staffing (15 percent) was the biggest barrier to HITRUST CSF readiness, finishing ahead of cultural, technological, and financial concerns. More than a quarter (27 percent) pointed to all of those factors and 23 percent said “none of the above” were barriers.
“An increasing number of healthcare organizations are requiring their vendors to demonstrate controls for securing PHI (protected health information) to manage their cyber and regulatory risks, especially since healthcare information is a rich target for hackers,” said Emily Frolick, third-party risk and assurance leader for KPMG’s Healthcare practice in a statement. “These vendors are able to accomplish this through a SOC 2® + HITRUST CSF examination or a HITRUST CSF Certification, both of which enable vendors to communicate their good faith effort to protect patient information.”
“Neither is mandatory under current law, but the marketplace wants to reduce risks tied to cybersecurity with third-party assurances concerning their data protection efforts,” Frolick added.