By Max Anfilofyev
In 2020 and 2021, many hospitals transitioned patient visits from in-person to virtual as a result of the pandemic, and cybersecurity became a top-of-mind concern in the halls of the administration offices.
Already stretched to their limit before the pandemic, hospital information technology staff suddenly faced the unexpected demand for virtual care capabilities. In a rush to build programs, many hospitals allowed providers to use personal phones and consumer video chat applications, limiting the effectiveness of established security controls and introducing significant information security risks.
Though the ad hoc connectivity enabled clinicians to diagnose and treat patients while limiting the risk of COVID spread, security professionals recognized that the continued use of telemedicine would require significant improvements to information security controls.
As healthcare organizations in a post-pandemic economy seem poised to continue their investment in telemedicine capabilities, significant information security risks are set to arise. To mitigate these risks, hospitals must ensure that their telemedicine technology providers can keep patient information safe. For a hospital that already manages on average 1,300 vendors, adding another to the list may feel unappetizing.
However, there is good news. Hospitals and health systems can easily evaluate whether a prospective telemedicine provider can keep their information safe while deploying programs on their behalf: by checking whether the provider holds a HITRUST certification.
HITRUST provides a simple and straightforward litmus test for data security: those who have not achieved HITRUST certification either lack the security and compliance practices necessary to achieve the industry-standard certification or have other organizational mitigating factors. The absence of the HITRUST certification is a red flag.
Achievement of HITRUST certification signals that the organization has implemented data security at every touchpoint. From its people and processes to its systems—and at every point in between—your partner has implemented controls to keep your data secure.
This kind of commitment to data security sets organizations apart in today’s hyper-digital marketplace. Because data breaches can cost your organization billions of dollars, HITRUST becomes the must-have seal of approval. Health systems should use this certification as a standard when determining whether their prospective partners have implemented sufficient administrative, operational, and technical controls to meet safety and compliance obligations.
After all, HITRUST certification represents the successful result of an extensive independent verification of whether an organization employs appropriate data security and privacy practices. The lack of this kind of guarantee is a non-starter.
When it comes to a potential data breach, the threat is real. Because sensitive healthcare data fetches a princely sum on black markets, hackers disproportionately target the healthcare industry. For this reason, HIPAA and other heavily regulated governance initiatives legislate that a healthcare provider and its vendors retain a strong security posture. As a result, hospitals and health systems require data security at all times and nowhere more so than from technology vendors.
Achieving data security as a technology vendor in today’s healthcare space is a never-ending effort, extending to every role in the organization. Security efforts must start with policies supported by procedures that ensure policies are implemented. Atop those procedures are auditable paper trails, multifactor authentication, and other redundant, layered measures and countermeasures.
To achieve HITRUST, an organization must maintain hundreds of controls spread across every part of the organization. An external assessor validates that the organization’s controls documented in its policies and procedures meet HITRUST specifications, and that the organization follows its policies and procedures. To achieve a HITRUST certification, security controls must be everywhere.
Healthcare data security leaders acknowledge the challenge of achieving HITRUST certification. The certification initiative can take years even at an organization that already has implemented most of the policies and procedures.
The result is worth the sacrifice for several reasons. An obvious benefit is that implemented information security controls thwart significant data breaches. In addition, not having to worry about information security enables healthcare providers to focus on providing better care for patients.
After all, security in and of itself is not the goal of a health technology’s end user. Better care is. Your hospital, your health system exists to provide the best care possible, to help people live richer and healthier lives.
As you assess emerging telemedicine tools, consider that through better and more secure technology, your organization can focus on saving lives, reducing costs, and gaining efficiencies. By relying on validated HITRUST assessments of their telemedicine technology providers, hospitals and health systems can get back to the business of care.