By Matt Siwicke, CISO
HITRUST Certification Reflects NextHealth’s Commitment to Client Data Security
Read the press release on NextHealth Technologies HITRUST Certification here
The healthcare industry ranked as the second most targeted sector among hackers and cybercriminals in 2016. According to HIPAA Journal, 1,800 data breaches at healthcare organizations in 2016 exposed over 170 million patient records. Cybersecurity is a critical focus area for the healthcare industry; in fact, the FBI recently cautioned healthcare organizations about increased cyberattacks. Healthcare executives manage, move and maintain sensitive information. NextHealth Technologies takes information security very seriously. Data security is a key foundation of our business, so the company pursued HITRUST CSF certification in mid-2016 to provide clients with verifiable evidence of effective data security practices.
Rather than just say “we are compliant”, we chose to show proof of compliance and risk management practices to give our clients verifiable peace of mind.
HITRUST is a certifiable Common Security Framework (CSF) that provides a comprehensive, flexible and efficient approach to regulatory compliance and risk management. HITRUST was developed in partnership with both healthcare and information security experts.
HITRUST CSF is built on International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standards 27001:2005 and 27002:2005 and incorporates other healthcare information security-related regulations, standards and frameworks such as ISO, NIST, PCI and HIPAA. HITRUST CSF ensures that a comprehensive set of baseline security controls is in place and provides prescriptive coverage of these standards.
HITRUST is being widely adopted as the gold standard for healthcare companies and for good reason. It includes important pieces of multiple widely adopted frameworks and regulations and is third-party verified to keep organizations honest. Independent verification is important for healthcare companies. Many companies that comply with the HIPAA rule still don’t have secure practices. HITRUST forces, and enforces, more secure practices. When it comes to information security and protecting client data, actions speak louder than words.
Obtaining HITRUST certification is hard
Certification under the HITRUST CSF takes an average of 24-30 months to obtain and requires sustained focus and commitment.
Because we made it a corporate priority to verify protection of client data and tightly managed the certification process, NextHealth obtained certification in only 11 months – less than half the time it takes most organizations to get certified.
“Data security is increasingly critical to healthcare organizations. NextHealth was committed to obtaining the HITRUST CSF certification as quickly as possible.”
The NextHealth information security team approached the certification process with the mission of securing our network without affecting productivity and workflow. We dedicated infrastructure and security experts to ensure controls were implemented correctly. The team included a security engineer, network/systems engineer, CTO and legal counsel. Securing buy-in and executive support was critical.
We implemented the framework after we wrote policies and created processes to support the policies. It’s important to write the policies first, then create the processes and finally implement. Organizations that try to do policies and processes at the same time run the risk of the network and infrastructure being incorrectly documented.
How we approached certification
We outlined a defined approach for each certification domain and addressed each domain independently. When interdependencies between domains arose, we set them aside and revisited them once the domain they depended on was addressed.
“Third-party independent verification is the gold standard for healthcare companies – so that’s what NextHealth focused on.”
The implementation team ran the certification as a project and held weekly standup meetings with a third-party assessor (Meditology). Weekly meetings were very detail oriented, with clear action items. This bias toward action kept the team on task.
We delivered monthly reports to the senior leadership team, which included the CEO. NextHealth Technologies’ CEO Eric Grossman was very engaged at a granular level, which was positive.
- Staff properly – Staff your team with the right talent and allow them cross-functional access to the organization.
- Communicate often – Communicate throughout the process to ensure changes don’t impact workflow and productivity.
- Sustain momentum – Plan, stay on task, and demand accountability or risk significant project overruns or never achieving certification.
- Secure support – Get and sustain senior executive and organizational support.
- Document first – Document policies and processes upfront before jumping in.
NextHealth improved its information security practices faster and more thoroughly by making certification a priority and focus area. This allowed NextHealth to better protect company and client data.
If you’d like to learn more about how NextHealth can help your organization reduce medical costs using our prescriptive analytics and consumer engagement platform, please contact us.