Healthcare companies continue to implement value-based care and population health management initiatives to coordinate healthcare delivery and improve the quality and value of patient care. These initiatives depend on the ability to access, aggregate, and analyze massive amounts of patient data, often coming from hundreds of source systems. Critical system interoperability and data-sharing agreements enable healthcare organizations to aggregate data and build massive data assets to support their programs and workflows to push insights where they are needed.
These interoperability frameworks and data-sharing agreements allow healthcare organizations to quickly exchange large amounts of data―but how does one business entity know that they can entrust their data to another business entity at the highest level of security and privacy?
HIPAA Journal found that between 2009 and 2019 more than 3,000 healthcare data breaches resulted in the loss, theft, exposure, and impermissible disclosure of more than 230 million healthcare records. Nearly 70% of the U.S. population has been affected. In 2019, data breaches occurred at a rate of 1.4 per day―and this number is climbing.
Why are health care records such a target?
According to security experts, the value of a medical record is not only the clinical information it contains, but also the way in which sensitive personal information can enable a bad actor to unlock financial information. Just imagine this phone call:
“Mr. Dupuis, I’m calling from Bay State Primary Care about your recent visit for your back injury. You have a small balance on your account. Would you like to take care of that over the phone? You would? Great, I can take a credit card number from you whenever you are ready. And just so that I can make sure that I am speaking with the right person, would you mind confirming your date of birth and social security number with me? Terrific, thanks. You’ll be all set for your appointment next month – see you then!”
Or, perhaps a medical record already contains Social Security numbers, bank account numbers, and other sensitive information. According to the Wall Street Journal, reports suggest that 1,042 breaches of this type of information happened between 2009 and 2019, affecting 159 million Americans. The bottom line: Hackers and thieves are looking for sensitive identification and financial information; medical records are simply the route to get there.
Security is a moral obligation for companies guarding health data
Any organization entrusted with patient health data has a moral obligation to protect those patients by implementing the highest levels of security around their information. HIPAA provides a legal framework, but being “HIPAA-compliant” is not the same as having a strong, rigorously audited security program. For healthcare data companies, it is imperative to invest the time and resources required to build a strong security program that can achieve HITRUST CSF®™ certification.
HITRUST collaborates with privacy, information security and risk management leaders from public and private sectors, and provides access to risk and compliance management frameworks, assessments and assurance methodologies. Companies that seek HITRUST CSF certification must undergo rigorous reviews to ensure their technology meets regulatory, compliance, and risk standards including HIPAA, ISO, NIST, PCI, and state laws.
Organizations that earn the certification must agree to regular audits by independent third parties to demonstrate that they comply with hundreds of controls to protect against potential and incoming threats and that they can ensure business continuity in the event of potential security incidents.
Building the extensive security program required for HITRUST CSF certification may very well create a byproduct: an organization that has developed a “culture of security” at every level.
Building a security program and culture that withstand constant threats
Companies that maintain personally identifiable information are under the constant threat of hackers trying to illegally obtain this data. Information security officers should look beyond formal security programs and think about how to actively foster an organizational culture that prioritizes security across all activities.
This means that each person―from the CEO to the newest recruit―must strive to continually educate themselves about external threats, possible ramifications, and their own role in securing and protecting data. It means that people within the organization are regularly talking and thinking about security. And it means that the organization’s security experts are easily accessible to all employees, consulted on a regular basis, and viewed as helpful resources for matters both large and small.
Creating this kind of organizational security culture is especially important in any organization that manages data for large populations, such as those working in value-based care arrangements. However, the need for a culture and set of values that prioritize security extends beyond just the population health providers that use sensitive health data to guide patient care. Population health providers’ partner organizations must also demonstrate a commitment to protecting patient health information with the highest levels of security.
The challenge for population health providers is that they don’t know what they don’t know about potential partners. What assurance do they have that prospective partner organizations share their deep dedication to the moral obligation of protecting sensitive patient information? That question, at its essence, captures the value of the HITRUST CSF certification.
For population health management organizations, the certification signals that potential partner organizations have met―and in some cases exceeded―the industry’s leading regulatory, compliance, and risk standards for data security. Think of the certification as a beacon, signifying that any technology company that obtains it has proven its ability to build a culture of security that has resulted in the industry’s best-available protection of sensitive patient health data.
The HITRUST CSF certification stands for certainty, confidence and security in population health management technology partners. Don’t accept anything less.
About Bob Dupuis
Bob Dupuis is the Vice President of Enterprise Architecture and Security at healthcare data and software company Arcadia, the leader in population health management.