360° Assurance: Emerging Business Drivers for Provider Certification

April 21, 2017

Written by Brian Selfridge, Partner, Meditology Services.

The healthcare delivery model is shifting dramatically, driven by Accountable Care Organization models, innovations in healthcare IT, and cross-market acquisitions and partnerships. The lines of responsibility for securing health information are blurring across an increasingly complex delivery landscape. Regulatory enforcement has also ramped up in recent years, and there is growing pressure on healthcare entities to demonstrate compliance at a moment's notice.

In the last few years, large healthcare providers and payers have pushed to mandate security certifications for third-party organizations and other business partners that manage or share sensitive information. As a result, many healthcare payers and business associates have achieved, or started initiatives in 2017 toward obtaining, security certifications such as SOC 2® Type II and HITRUST CSF.

This wave of certifications has also begun to take hold in the provider community. Thought-leading healthcare providers have identified an emerging need for HITRUST CSF certification to demonstrate that health information remains consistently protected across the continuum of care as delivery models evolve. In some cases, providers are branching out into the healthcare IT innovation space and are themselves considered Business Associates when they offer and deploy new solutions to the marketplace outside their own institutions.

Achieving HITRUST CSF certification as a provider requires some calculated maneuvering to avoid common pitfalls that can stall or doom the effort. For example, limiting the initial scope to a handful of applications and their supporting infrastructure is critical. Additional applications and organizational units can be added in later assessment cycles, but taking on too much in the first round can overwhelm the organization's resources with the sheer volume of controls and testing required. The initial scope should focus on the platforms that align with the organization's business drivers for certification.

A typical healthcare provider has dozens to hundreds of applications and platforms that store and manage sensitive information. Where possible, HITRUST CSF certification should be limited to systems the provider directly manages, or to applications of strategic importance. For the rest, providers should require third-party vendors and cloud-hosted platforms to furnish appropriate security certifications of their own, which reduces the cost of assessing and certifying those platforms on the vendor's behalf. Note that a vendor's certification covers only the controls the vendor operates; the provider remains accountable for the controls it configures and operates itself (user access, data handling, integrations), and should confirm that the vendor's certification scope actually includes the services the provider consumes.

Another common challenge for provider certification is setting overly aggressive timelines that fail to allow adequate time for remediation. Typical remediation to prepare for certification includes creating or overhauling a substantial volume of supporting policies and procedures. Many providers have formal policy governance and approval processes, and the time those processes take must be built into the remediation schedule.

The wave of HITRUST CSF certifications among providers is likely to keep growing as the industry grapples with increasing breach events and rising regulatory and business-partner expectations. Providers should take stock of their information security programs and develop a roadmap for aligning with frameworks like the HITRUST CSF, so that certification can be achieved over time to demonstrate security maturity and compliance.
