In the first part of our security series, we focused on the most widely recognized standard of PHI security – HIPAA compliance. In this second part, we will focus on another important standard, HITRUST, and on how you can protect yourself if you are using a third-party hosting platform.
HITRUST is another important security standard that you should ask your technology provider about. It is a set of controls created to meet the requirements of multiple security standards, such as ISO 27000 and HIPAA, so it goes beyond what HIPAA regulates and further into the IT security realm. Unfortunately, certification costs are in the mid six figures, so many businesses do not pursue it. However, a firm can obtain what’s called a “HITRUST Fast Assessment” – which an organization can request to evaluate a technology firm’s readiness to meet the HITRUST standard. Ask whether your technology provider has a fast assessment report; if they passed the assessment, it means they have good controls in place for HIPAA and other cyber-security threats. If they can’t provide you with a report, you might be exposed.
If you host the software on your own servers, you are in control of the data and can ensure that the proper safeguards are put in place. But what if your vendor is hosting the software? Check whether their hosting center is a Tier 3 Certified Data Center with multi-factor authentication for access, and whether they hold certifications from accreditation bodies such as SSAE 18 SOC-1, ISO 27001, PCI DSS, HIPAA and HITRUST. Confirm they have administrative safeguards such as security information and event management (SIEM) and an incident management process should an exposure be found. Make sure you are comfortable with the answers your vendor gives you.
Technology is a great way to reduce administrative burden and improve the member experience. To ensure your data is properly safeguarded, it is important to ask your prospective vendor questions about their security posture. Ask to see the details behind what they are claiming before committing to them. Otherwise, you could find yourself in a precarious situation, with your members’ data, and your reputation, at risk.