Compliance form and gavel in the court.
With regulatory requirements abound, few industries are as familiar with information security as the healthcare sector. But, as more providers lean on the flexibility of cloud computing and digital information systems, safeguarding sensitive data has never been more complicated.
Indeed, data protection isn’t what it used to be. Long gone are the days when an organization could simply lock away its records, entrusting physical security controls to keep personal data safe from prying eyes.
The good news? Cloud security compliance standards may finally be right around the corner. In this blog, we’ll discuss the healthcare industry’s pressing need for cloud compliance and why one security framework is poised to usher in a new era of standardized compliance requirements.
The problem with HIPAA compliance
Before you can understand where healthcare security compliance is headed, it’s important to recognize where it began. Of course, we’re talking about the Health Insurance Portability and Accountability Act (HIPAA).
What HIPAA does and doesn’t do
Realizing the need to modernize healthcare information security, the U.S. government enacted HIPAA in 1996. This law created a national compliance standard and a series of regulatory requirements that all covered entities are required to follow. Under HIPAA, a covered entity includes any healthcare provider, clearinghouse or other organization that processes protected health information (PHI).
Notably, HIPAA also applies to the business associates of any covered entity, such as their third-party vendors and software providers. By rule, before a covered entity can engage an independent software vendor (ISV) or cloud service provider, they must first enter into a Business Associate Agreement (BAA). A BAA holds the ISV or cloud provider responsible for protecting sensitive data.
The only problem? It doesn’t necessarily describe how that personal data should be protected. In other words, the BAA holds the vendor accountable, but it doesn’t provide any guidance or standardized security framework that describes how it can best control and secure the application.
Hackers targeting cloud-based information systems
Without a nationally mandated cloud security framework, most organizations are taking an ad hoc approach to data protection. That’s a big issue, and here’s why: Cloud adoption has skyrocketed across the healthcare landscape in recent years — and it’s not slowing down. In fact, the healthcare cloud computing market is expected to double by 2027.
Whether it be a public cloud like Google Cloud or Microsoft Azure, or a private cloud environment, attack surfaces are expanding with every new cloud service deployment. In turn, it’s become exceptionally difficult to control the flow of personal data. Unsurprisingly, hackers have taken notice.
Federal data shows that healthcare breaches exposed nearly 400 million patient records between 2010 and 2022. According to Healthcare Dive’s analysis, the number of breaches has increased almost every year since reporting first began in 2009. In fact, the number of breaches reported each year tripled between 2010 and 2022. Altogether, about 50 million people’s personal data was exposed last year.
HITRUST security explained
As cloud adoption accelerates and threat vectors continue upping the ante, healthcare organizations, regulators and consumers alike have taken a renewed interest in data security. Eager to secure sensitive data, more HIPAA-covered entities are looking for ISVs and cloud service providers that can offer certifiable proof that their security controls are up for the challenge.
Fortunately, that’s where the Health Information Trust (HITRUST) Alliance comes into play. Founded in 2007, the HITRUST Alliance aims to simplify cloud compliance by unifying covered entities under one Common Security Framework (CSF). As one of the most rigorous cloud security standards in the world, HITRUST CSF assures that certified applications are safeguarded against cyber risk.
The manifold benefits of HITRUST are felt throughout the healthcare landscape. Not only can it help covered entities and business associates comply with HIPAA’s compliance requirements, but it also helps them better protect sensitive information. According to HITRUST, over 80% of hospitals, 85% of insurers and many other organizations are leveraging the CSF to do exactly that.
Federal mandate: The next step for healthcare cloud security?
More than just a healthcare problem, data security is an emerging threat to personal data across the United States. Over the past decade, government agencies have gradually implemented more stringent cloud security standards at both the federal and state level.
Momentum increased in May 2021 when President Biden issued a broad Executive Order recognizing the need to update the country’s cybersecurity. Later, in late 2022, Deputy National Security Advisor Anne Neuberger announced plans to introduce new cybersecurity standards to the healthcare industry in the near future. Only one month later, President Biden codified the Federal Risk and Authorization Management Program (FedRAMP), officially mandating the initiative for all federal agencies.
These events sparked speculation that a federally mandated, healthcare-specific framework could soon be in the works. Looking down the pipeline, it appears likely that a potential mandate would be based on the HITRUST CSF.
As part of its new National Cybersecurity Strategy, the federal government announced plans to move the burden of data security away from critical infrastructure operators — healthcare providers included — and onto their third-party vendors.
“Too many vendors ignore best practices for secure development,” says the Biden Administration. “We must begin to shift liability onto those entities that fail to take reasonable precautions to secure their software.”
With HITRUST’s rigorous set of security controls, ISVs can offer certifiable assurance their products are adequately protected against persistent threats. If a federal mandate arrives, it’s very possible these measures set the foundation for its eventual compliance requirements.
Obtaining HITRUST compliance
All this talk about a federal mandate raises an obvious question: What does this mean for ISVs?
Most importantly, the law would compel ISVs to implement, maintain and continuously monitor a complex array of security controls. Without cloud compliance, a healthcare organization couldn’t legally engage a service provider if it hasn’t met minimum cloud security standards. In other words, ISVs would be barred from selling to the healthcare sector.
That said, not much else might change. As noted, the vast majority of healthcare providers are already vetting their cloud products through the HITRUST CSF. If the security framework becomes federally mandated, certified solutions would already be compliant. This suggests that ISVs can get ahead of a possible mandate by obtaining HITRUST certification in the meantime.
However, HITRUST cloud compliance is anything but easy. Modeled on the NIST Cybersecurity Framework, HITRUST requires ISVs to enact hundreds of controls and to certify these measures through an official assessment. The validation process can be time-consuming, difficult, and very expensive. In fact, it often takes multiple years and millions of dollars to complete it from start to finish.
That’s why Project Hosts created a better solution. Using our turnkey compliance services, you can simplify the process and easily obtain HITRUST certification.
By connecting your application to our pre-audited cloud platform, you can greatly reduce the burden of implementing, maintaining, and monitoring security controls. Why? Because we have them covered.
Contact our team for more information about how Project Hosts simplifies healthcare cloud compliance.
