As Healthcare providers and Business Associates (BAs) move to newer technologies and outsourced data models to house and transmit electronic Protected Health Information (ePHI), both the regulatory compliance landscape and the protection of ePHI become far more complex. It can be nearly impossible to comply with administrative, technical, and physical safeguards in the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) with proliferation of ePHI across the enterprise and no sound security framework protecting the cloud.
The current goal of any healthcare organization that houses or transmits ePHI should be to pick prescriptive common security frameworks that act as an overall governance model. This allows the organization more than just a clear and concise path to base adherence to the HIPAA security rule, it can move the entire organization to a stronger overall security posture.
Ambiguity in the HIPPAA Security Rule
To gain greater clarity on what framework to choose, look at the inherent flaws of the HIPAA Security Rule itself. The language throughout the rule is vague. Language such as “reasonable protection” is pervasive throughout the rule, but does not specify what constitutes “reasonable protection of ePHI.” This type of ambiguity allows for broad interpretation and gives no guidance on illustrative controls that can be implemented to protect ePHI. This puts security and audit professionals in the position of implementing ad hoc processes and procedures with no guidance from a prescriptive governing framework.
The Need for a Standardized Framework
The National Institute of Standards and Technology (NIST) issued a special publication (SP 800-66), attempting to add some clarity by offering a set of illustrative controls to the Security Rule. However, these guidelines still do not go far enough. The NIST guidance is not specific to healthcare. Thus, it continues to cause ambiguity around specific controls needed to protect ePHI, as healthcare organizations continue trying to fit their compliance needs into a framework it was not specifically designed to support.
This problem is not specific to any single organization; rather, it is a systemic problem throughout the entire healthcare industry. With healthcare organizations all utilizing different piecemeal security control models to protect ePHI, no one is “talking the same language.” As the proliferation of data sharing continues to grow, the need for a standardized approach becomes even more critical.
What is HITRUST CSF?
Enter the HITRUST CSF. The Health Information Trust Alliance (HITRUST) Control Security Framework (CSF) was created by healthcare IT security professionals to ensure information security controls become a core tenet of the technology environment protecting healthcare organizations. This framework combines controls from ISO 27001, NIST, PCI, and Cobit, and can be used by healthcare organizations to meet a diverse set of regulatory requirements while improving their overall security posture. The prescriptive nature of the HITRUST CSF provides healthcare organizations the requirements and best practices needed to implement a true healthcare IT security governance framework throughout the enterprise.
An added benefit: as adherence to the HITRUST CSF gains traction, it allows the industry as a whole to be able to “speak the same language.” With providers, insurers, pharmacies, and health IT organizations adhering to a common security framework, the task of vendor management becomes considerably less burdensome and complex. The HITRUST CSF is also validated by a 3rd party HITRUST assessor, so the need to produce multiple and costly assurance reports is no longer necessary.
For organizations, the HITRUST CSF provides a flexible, scalable, and unified approach to meeting HIPAA security rule requirements and improving overall security through its prescriptive controls. Through the CSF, providers and business associates alike receive a trusted benchmark created by healthcare industry experts to meet the unique challenges of healthcare security and satisfy the requirements of the HIPAA Security Rule.
