A consortium of health care leaders is clearing the way to work together safely in a cloud-based world.
Doing business via the cloud is becoming standard operating procedure for most large-scale companies, including health care organizations. But the efficiency and economy of exchanging data with suppliers and customers over public and private internet pathways come with headaches of their own. Chief among them is security — as anyone whose personal data has been compromised knows.
Lower Numbers, Higher Stakes
Compared to other industries, health care reports fewer data breaches — but the stakes are higher. In addition to patients’ personal health information, the data that health care organizations may share with third parties via cloud-based software include physician notes, electronic medical records (EMRs), medical images, employee records, banking details, and more. That breadth of detail makes health care data more valuable, and therefore more attractive, to attackers.
At the same time, the use of cloud-based software in health care is increasing — a trend that presents organizations with a significant security challenge that’s only going to grow in scope. “Many of our vendors who provide critical applications — such as EMRs — are aggressively moving to the cloud,” says John Houston, vice president of privacy and information security and associate counsel at UPMC. “In many cases, there will not be an option.”
Extensive Vetting Process for Compliance
Organizations like UPMC have a process to vet the security of potential vendors. It typically involves a security review and a long compliance questionnaire. It is a lengthy and labor-intensive process that, until recently, a vendor had to repeat for each prospective health care customer, answering largely the same questions each time.
That process is changing, thanks to a consortium of top health care leaders nationwide — including UPMC — formed in August 2018. Called the Provider Third Party Risk Management Council (PTPRMC), the organization is tasked with creating a single set of security standards for providers and vendors in health care.
“We believe the health care industry as a whole, our organizations, and our third parties will benefit from a common set of information security requirements with a standardized assessment and reporting process,” says Houston. “We are strongly encouraging other provider organizations to follow suit and adopt these principles.”
A Common Framework for Compliance
To provide this common set of requirements, the council has chosen the HITRUST Common Security Framework (CSF), along with its assurance programs. All council members are requiring their third-party vendors to become HITRUST CSF certified within the next 24 months. HITRUST CSF certification will serve as the PTPRMC standard for third parties whose services require access to sensitive patient information.
The HITRUST CSF Assurance Program is a widely adopted assessment approach that health care organizations and their third parties use to evaluate and communicate their information privacy and security posture.
“Since many small- to mid-sized providers do not have the capability to assess the security and controls of their vendors, this initiative helps all providers — large and small — to ensure that their data remains secure,” says Houston. “These providers can access the HITRUST information via a portal during the procurement process to ensure that the vendors they’re considering have implemented adequate security and controls.”
Stamp of Approval
By having vendors share a single information security and privacy assessment and certification program — such as the one offered by HITRUST — health care entities can benefit “plain and simple with four C’s: consistency, cost, commitment, and completeness,” says Houston. “We’re providing the playbook on how to operate securely and work with large systems. If you’re a vendor who wants to work with UPMC or one of the other leaders in health care, you no longer have to go through a long, costly security certification process. Show up at the doors, present your HITRUST CSF stamp of approval, and go to work.”