
HITRUST—What It Is and Why It Matters

What is HITRUST?

Founded in 2007, the Health Information Trust Alliance (HITRUST) evolved in response to the growing privacy and security challenges faced by the healthcare industry. Aligned with its mission to “champion programs that safeguard sensitive information and manage information risk for organizations,” HITRUST provides broad access to common risk and compliance management frameworks.

For example, the HITRUST CSF®, the cybersecurity framework, is a certifiable framework that provides a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Established in 2015, it is a widely recognized security framework focused on the healthcare industry in the U.S. To ensure an inclusive set of baseline security controls, the HITRUST CSF leveraged nationally and internationally acceptable standards including ISO, NIST, PCI and HIPAA. As a result, the framework has been used successfully to demonstrate HIPAA compliance.

HITRUST regularly updates the CSF to incorporate new standards and regulations to make sure the framework remains relevant and current. As new regulations and security risks are introduced, provider organizations and third parties that adhere to the CSF can be well prepared with optimal security based on quarterly updates and annual audit changes.

Why HITRUST Is Important to BA Risk Management

As healthcare organizations face increased risk of privacy and security breach, recognizing the significant role played by their Business Associates (BAs) is critical. Conducting due diligence is essential before the partnership begins, and is part of the provider’s ongoing risk analysis to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI). In recent years, many provider organizations have incorporated the HITRUST CSF as part of their third-party assurance process—requiring that BAs obtain CSF certification. This is largely due to the increased number of breaches involving third-party vendors.

Healthcare organizations that entrust PHI to a BA must ensure that sensitive information is properly safeguarded. Best practice is for providers to partner with compliant, secure BAs that offer compliance knowledge, guidance and value beyond the standard contracted services. Obtaining CSF certification demonstrates integrity and commitment to privacy and security practices aligned with stringent regulatory requirements and expectations of the healthcare industry.

With those priorities top of mind, MRO announced in May 2018 that its Release of Information platform ROI Online® had earned HITRUST CSF Certified status for information security. HITRUST incorporates a risk-based approach that includes federal and state regulations and standards to help organizations address challenges through a comprehensive framework of prescriptive and scalable security controls.

As healthcare’s most widely adopted security framework, HITRUST provides an industry standard for BA risk management and compliance. Covered entities can look to HITRUST certification for assurance that the foundation for implementing a framework with security controls required to safeguard PHI is already in place.

To learn more about the importance of HITRUST CSF and MRO’s journey to achieve certification, watch our video “MRO’s PHI Disclosure Management Platform ROI Online® Earns HITRUST CSF® Certification.”


Webinar Recap: Cybersecurity- Protecting Your Healthcare Enterprise

On August 15, 2018, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy and I presented the third part of our four-part healthcare compliance webinar series. In this webinar titled “Cybersecurity: Protecting Your Healthcare Enterprise,” we covered points that healthcare organizations should consider to safeguard Protected Health Information (PHI) and increase their overall security posture.

Access Management

Policies and Procedures

HIPAA requires a number of administrative safeguards to protect PHI, specifically ePHI. Policies and procedures must be in place to ensure implementation and maintenance of appropriate protection.

• Workforce security is a critical piece to guide the proper use of PHI by anyone who is allowed access—including physicians, employees, volunteers and BAs.
• Information access authorization specifies who has access and why, based on minimum necessary guidelines.
• Ongoing security training supports accountability and access management.

Threat Prevention, Detection and Response

Prevention

Even with the most advanced technology, granting people access to systems remains one of the biggest sources of risk for a serious incident. Attendees were reminded that policies and technologies must be backed by additional controls:

• End user education and social engineering testing
• Strong passwords and account creation steps
• Malicious software protection
• System hardening practices

Detection

If something goes awry, it is important to have alert mechanisms in place—automated, manual or a combination of the two. For example, manual alerting includes 24-hour hotlines to report suspicious behavior. Technology applications such as FairWarning automatically trigger alerts to potential privacy violations. System log reviews are a good indicator of behavioral anomalies. Best practice is to leverage technology to automate data protection and ensure proper detection.

Response

In the event of an alert across the enterprise, a tested and documented incident response plan is necessary to ensure immediate response to a breach. The plan should include defined roles and responsibilities, testing scenarios and cyber insurance impacts. How will your organization ensure breach prevention considering the penalties being levied for high-exposure incidents?

At MRO, we have a dedicated incident response team. Part of their responsibility is to know state specifications, timeline controls and documentation requirements for proper reporting to the right people at the right time.

Information Governance

Information Governance is integral to an effective data security program. Incident response should be part of an enterprise information governance program—policies, procedures, tools and techniques that an organization applies to safeguard information and systems. Data classification and data mapping are essential tools to guide system impact assessments. Think about how and where your data goes and the importance of protection throughout its life cycle in your custody.

Risk Register

A risk register is a vital tool that lists all identified risks along with your organization’s risk score, responses, triggers, consequences and related information. Unlike a one-and-done document, this register is a fluid living document that must be constantly updated to reflect an accurate assessment of risk management and your security posture.

Cyber Extortion

With ransomware on the rise, user awareness training is more important than ever before. Additional protection measures include a formal ransomware policy and use of sophisticated technology to minimize attacks. Attendees received insights based on various types of cyber extortion including email and texting, along with examples of protection activities to promote cybersecurity.

To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.


AHIMA Convention Reflections: Business Associate Management and Best Practices for Risk Analysis

At the 2017 AHIMA National Convention and Exhibit, Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, and I co-presented a session titled “Essentials for Business Associate Management: Due Diligence and Ongoing Risk Analysis.” In this presentation, we discussed ways to manage risk associated with Business Associates (BAs) for Covered Entities (CEs).

Rita and I reviewed industry trends around the renewed focus on vendor relationships and compliance, and the Office for Civil Rights’ (OCR) increased scrutiny of BAs. We covered many key components of thorough due diligence when evaluating BAs, and the necessary ongoing risk analysis once partnered.

The audience learned best practices that they can incorporate into their risk assessment process, which will make Business Associate management more bearable. Below is a video interview where I recap the presentation.

Video Recap: Managing Risk Associated with Business Associates for Covered Entities

Video Transcript

Anthony: I am Anthony Murray, Vice President of Information Technology for MRO.

Question: Tell us a little bit more about your presentation and the topic of BA Management.

Anthony: Today, Rita Bowen and myself presented on managing risks associated with Business Associates for Covered Entities. I think primarily what we were trying to drive home was a consistent approach to assessing risk when doing business with Business Associates within the Covered Entity space. It is a broad and deep topic. We covered a lot of different ways and concepts, so hopefully they came away with some ideas that they can incorporate into their risk assessment process to hopefully make their dealing with BAAs (Business Associate Agreements) a little bit more bearable.

Question: What best practices did you discuss during your presentation?

Anthony: We talked a lot about access controls, understanding the governance that’s in place, and trying to read the maturity scales of the Business Associates. What it really boiled down to was hopefully distilling down and understanding the services that the vendor is providing and associating the appropriate risk level to them. Based on the risk level, you hope to identify how deep into the privacy and security controls that they have in place are important to you as a company.

Question: What is MRO doing to address this topic?

Anthony: MRO is doing a number of things to help address this topic. One, is we have ongoing certifications to help augment what our CEs are going to do to assess us from a risk perspective. So, we’re trying to achieve things like HITRUST and perform our SSAE 16 and SOC type 2 audits. In addition, we also employ a number of very transparent controls that we talk about from the very onset of our relationship with our clients. How we manage access controls, how we report incidences and privacy threats all the way down to even giving access to our end user ongoing training seminars.

Question: What are some of the biggest trends and themes you’ve noticed at this year’s convention?

Anthony: I actually think this was one of the bigger topics between cyber and general privacy concerns with some of the changes in legislation. What you’re seeing is a continued focus on the business associates and risk they present. We saw a lot of good traction that we’re getting the paperwork done when it comes to managing your business associates, but continuing to develop and look at the threat profile of the BAs continues to be a hot topic here.

Question: What is your favorite part about AHIMA?

Anthony: My favorite part of AHIMA is being around people who are all sharing the same struggles, challenges and opportunities that I’m facing. As a Business Associate, I’m confronted with CEs and other agencies like ourselves that provide services to these hospitals all dealing with the same problems and being able to come together as a community and discuss it is just so reassuring that we’re not left out on an island.

To download slides from MRO’s Business Associate Management presentation, complete the form below.


Five Ways CEs can Mitigate Breach Risk Associated with BAs

As advancements in health information technology allow increased access to Protected Health Information (PHI), the risk of breach is on the rise. In 2017 alone, there have been 233 reported data breaches, which have impacted 3,159,236 patients. This steady climb suggests that Covered Entities (CEs) and Business Associates (BAs) are still struggling to establish the measures needed to protect patient data and confidentiality.

CEs must be vigilant about the risks and threats directly related to their activities. And now more than ever, they need to focus on the additional threat vector presented by their BAs. As you would expect, the types of breaches encountered by BAs are similar to the threats facing CEs. The causes of breaches include malware/ransomware incidents, accidental disclosures, loss or theft of media containing sensitive data, physical loss of records, application and system vulnerabilities, social engineering exploits and payment fraud. While there are many different culprits of breach, improper and accidental disclosure of PHI is the most common cause of data security incidents. These improper disclosures of PHI include a wide range of errors such as commingled records and misdirected faxes and emails.

The impact of BA breaches on patients of a CE can run deep—from cases of identity theft to exposure of sensitive information regarding a condition, treatment or test that could lead to harm, embarrassment or discrimination. If fines are levied, sanctions and actions will be held against the CE as well.

In an upcoming AHIMA Convention educational session titled “Essentials for Business Associate Management: Due Diligence and Ongoing Risk Analysis,” my colleague Rita Bowen, MA, RHIA, CHPC, CHPS, SSGB, and I will review ways CEs can mitigate breach risk associated with BAs. The following is a sampling of what we will discuss.

    1. Perform initial due diligence. Identify what services are being performed, where the services are being performed, and what contracts should be in place including Master Service Agreements (MSAs), Business Associate Agreements (BAAs), Nondisclosure Agreements (NDAs), Data Use and Reciprocal Support Agreement (DURSA) and others.
    2. Get your security and compliance teams on board early in the process to avoid delayed services or rushed assessments. I cannot tell you how many meetings I’ve attended with our prospective client’s security and compliance teams, when we are just days away from finalizing a contract, and their opening statement is: “Well this is the first time we’re hearing of this. Let’s start from the beginning.” So, we just lost two weeks getting a project started, and the client needs us to go live in seven days. To avoid these types of delays, it’s recommended to have security and compliance teams involved in the onboarding of new partner services and technologies early in the process.
    3. Have a standard assessment. Have an equal way to measure the risk associated with the various services BAs can provide. No one shoe fits all, but attempting to keep the assessment process as standardized as possible allows for better assessments of risk. This assessment should cover all the applicable administrative, physical and technical controls associated with the services provided—all shoe sizes!
    4. Confirm cyber insurance. Make sure your BAs have adequate cyber insurance protections in the event of a breach—based on the services being delivered and the associated risk.
    5. Perform annual reviews and third-party assessments. Healthcare organizations should implement a formal program to review their BAs on an appropriate schedule. This would include your typical or an abridged assessment and any third-party certifications, accreditations or audits your BA has achieved.

Complete the form to download the HCPro HIPAA Briefings article “Managing HIPAA Business Associate Relationships.”


HIMSS17 Reflection: Security Driven to Forefront of Compliance

It’s wonderful to be surrounded by likeminded people seeking solutions to similar business challenges, and the annual HIMSS Conference and Exhibition always proves such an occasion for Health Information Technology (HIT) and Health Information Management (HIM) professionals. This year, over 42,000 HIT and HIM professionals, executives and vendors convened in Orlando for cutting-edge educational and networking opportunities.

My primary focus at the conference was to explore how today’s challenges can be turned into opportunities to strengthen MRO’s security posture and compliance stances, and also to provide more secure and efficient ways of exchanging Protected Health Information (PHI).

Privacy has come a long way in a handful of years, and now security is being driven to the forefront of compliance regulations. Here are some takeaways:

General Threat Detection

As the risk and threat landscape continues to evolve, organizations need to adapt. We must be ever-diligent in applying the proper safeguards, like implementing evolving and adaptive multi-tiered and multi-layered technologies to protect our sensitive assets, such as clinical, pharmacy or patient data. One specific threat facing healthcare organizations is ransomware.

Ransomware

Ransomware attacks – the hijacking and encrypting of an organization’s data by cybercriminals for purposes of extortion – are a major source of risk. These attacks are typically caused by employees clicking malicious links in emails or unknowingly opening files containing a malware virus, rendering data inaccessible.

Humans continue to be the weakest link in the healthcare security chain. Ongoing staff training can mitigate this risk. Regular training activities, like phishing exercises, can help instill security best practices in employees. Business Associates (BAs) should also provide regular ongoing training to their employees.

Third Party Vendor Management

Third party vendor management is another tough challenge facing the industry. Whether it comes from compliance requirements imposed by Covered Entities (CEs) on their BAs or requirements trickling down to vendors partnered with BAs, establishing trust and providing accurate assurances are necessary to operate in the medical space today. Risk assessments are a large part of this. Whether organizations are assessing themselves as part of their ongoing risk management programs, conducting formal third party assessments or engagement level assessments, all organizations need to conduct ongoing risk and third party due diligence.

The adoption of common privacy and security criteria healthcare organizations can attest to through groups like the Health Information Trust Alliance (HITRUST), and then trust many times over, has been slow but encouraging. Benefits of such attestation include minimized maintenance and management of third party assessments.

HIT and HIM professionals must be prepared to implement newer controls, provide more adaptive and holistic threat and breach management, and prepare to deal with and recover from the potential technical incidents impacting our organizations.

Learn more about third party vendor management in the MRO blog post “Four tips for Business Associate and subcontractor management.”


Leveraging Technology for Accurate and Efficient Disclosure of Protected Health Information

Resources

Lancaster General Health/ Penn Medicine’s Charlotte Walton-Sweeney, RHIT, Director of Health Information Management, and MRO’s Anthony Murray, Vice President of Information Technology (IT), explore how IT is helping healthcare organizations cut processing times while ensuring accurate Release of Information.

ADVANCE for Health Information Professionals

2017: Predictions for Health Information Management


I recently sat down with my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, MRO’s Vice President of Privacy, Compliance and HIM Policy, to talk about our predictions and expectations for 2017 regarding Health Information Management (HIM), specifically our areas of expertise – privacy and security.

There are many unknowns with the incoming administration – some initiatives could be strengthened, some weakened, some totally done away with – but there are some things that will undoubtedly stay relevant, at least for some time, which we’ll cover in this blog.

Focus on vendor relationships and Business Associate compliance

Over the past few years we’ve seen an influx of third party risk assessment surveys at MRO. In addition to initial surveys during the evaluation phase, annual surveys are now more common. This focus on privacy and security stems from the 2013 Omnibus Rule, which updated HIPAA and HITECH. These updates made Covered Entities (CEs) responsible and financially liable for their Business Associates (BAs), and also made BAs responsible for any associated penalties.

With this in mind, the creed for CEs conducting due diligence should be “trust but verify.” Be sure to partner with the appropriate people and organizations, and use a standardized assessment to ensure potential BAs are focused on privacy and security and have the proper staff in place, in terms of both headcount and skillset.

Patient-generated health data and telemedicine

The rise of patient-generated health data and telemedicine continues to impact HIM, and we predict it will present ongoing challenges to be addressed in 2017.

Some of these challenges include the increased use of patient portals and unencrypted personal devices, as well as a growing interest in population health. Deciding how to incorporate this new information into health records, along with developing a plan for managing and releasing patient-generated data should be an integral part of every Information Governance strategy moving forward.

OCR guidance on patient access

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) stated they will release new guidance on providing patient access to Protected Health Information sometime during the first quarter of 2017. This guidance is expected to include further direction on Release of Information requests from attorneys, a source of perpetual confusion.

So, what do we know for sure going into 2017? Be ready for anything.

Fill out the form below to receive our monthly newsletter and stay up to date with the latest news from MRO.
