Managing Cyber Risk in Health Care

by Andrew Hicks
April 24, 2015
in Risk

When Anthem, the second largest insurance provider in the United States, revealed recently that its records had been compromised by hackers — resulting in the possible leaking of personal data of more than 80 million present and former customers — the incident became a much-needed wake-up call for the health care industry.

Unfortunately, Anthem is not the first company to experience a major data breach in the past 18 months. In 2014 alone, customer data, credit card information and intellectual property were stolen from Target, Home Depot, JPMorgan Chase, Sony Pictures and many others. What recent history has taught us is that hackers are becoming more sophisticated, attacks are becoming more malicious and no industry or organization is invulnerable.

The public has moved on from asking, “How did this happen?” to asking, “Why does this keep happening?” The attention on privacy rights coupled with the growing costs of major data breaches are elevating the issue of managing the digital enterprise to the board level.

Increasingly, health organizations are looking to minimize their risks and reduce costs by hosting and managing data with third parties. In the battle to win, serve and retain customers, data security and privacy are becoming key differentiators and thus, a top business priority.

Service organizations that move beyond basic compliance measures and can demonstrate data-centric security infrastructures are poised for rapid growth over the next few years. Those companies will carefully consider their choices for health care compliance efforts, as well as what security gaps remain after compliance requirements are met and how those gaps can be managed.

HIPAA and HITRUST: Meeting Compliance Mandates for Health Care

Organizations looking to establish privacy as a competitive differentiator may find themselves stumbling through a maze of evolving and conflicting global privacy laws, business partner mandates and compliance mandates. They are at a crossroads when deciding on the proper course of action for compliance with regulations applicable to the health care industry and how to manage risk to the security of sensitive health information.

What is HIPAA?

When it comes to data protection, the HIPAA Security Rule is comprised of three types of safeguards, all of which are designed to protect electronic protected health information (ePHI):

  • Administrative Safeguards: Encompassing over half of the HIPAA Security Rule, Administrative Safeguards define the policies and standard operating procedures for how organizations must comply.
  • Physical Safeguards: Simply put, these safeguards identify how an organization will control physical access to locations where ePHI resides.
  • Technical Safeguards: When properly implemented, these preventive controls protect access to ePHI through, for example, unique user accounts, automatic logoff and user authentication.

In addition to the above safeguards, companies that provide services to health organizations have additional requirements for organizational controls and policy and procedure documentation.

HIPAA is a federal government mandate and provides a basic compliance rule book, but experienced providers looking for an actionable roadmap to securing access and exchange of patient data often take the next step to obtain a HITRUST audit.

What is HITRUST?

The Health Information Trust Alliance, or HITRUST, is an organization gaining rapid awareness and credibility in the health care industry. Developed by health care and IT professionals, HITRUST’s Common Security Framework (CSF) helps health care organizations and business associates safeguard patient information in a more robust and prescriptive manner than a HIPAA Privacy or Security Rule assessment. The framework also harmonizes other frameworks and regulatory compliance areas into a single framework that scales to organizational size and complexity. For these reasons, and because of the rigor required to achieve HITRUST certification, it is often referred to as the “high bar” for HIPAA compliance.

When you consider that virtually every health care service organization has more than one compliance obligation, the advantages of a HITRUST assessment become clear. Requirements for HITRUST can be translated and cross-referenced into multiple regulations and frameworks, including HIPAA, NIST, ISO, PCI, FTC Red Flag, and COBIT.

Considering the Difference Between Compliance Risks and Security Risks

Since the release of the HIPAA Privacy and Security Rules, health care organizations and their business associates have struggled to comply. While HIPAA is the federal mandate, HITRUST offers an appealing, more holistic and prescriptive path to compliance. By taking it, organizations can overcome the majority of criticisms of HIPAA compliance, including the fact that the regulation is nearly 20 years old and is difficult to interpret. Relying merely on HIPAA compliance leaves gaps in an organization’s IT security posture, even when the mandate is believed to have been met.

When it comes to compliance, the world of health care technology can be convoluted. HITRUST certification simplifies compliance by offering providers a tailored set of controls, founded on the expertise and best practices of leading health care IT experts.

HITRUST offers clarity and guidance on these challenges by providing the health care industry with a certifiable framework that incorporates and cross-references the requirements of existing standards and regulations while considering organizational risk, including cyber risk. Certified HITRUST CSF assessors, their clients and the industry as a whole now benefit from an industry-wide methodology that simplifies compliance through a common control, assessment and reporting structure. This allows service organizations of all sizes to become certified and spend less time worrying about compliance and more time focused on improving patient care.

Andrew Hicks

Andrew Hicks is the Health Care Practice Director for Coalfire, the global technology leader in cyber risk management and compliance services. Coalfire’s approach builds on successful, long-term relationships with clients to achieve multiple compliance objectives tied to a long-term strategy to prevent security breaches and data theft. For more information, visit www.coalfire.com.