Telemedicine Cybersecurity: Lessons from HITRUST Certification
As patient visits transitioned from in-person to virtual during the pandemic, telemedicine cybersecurity became a top concern for many hospitals. In an industry that processes the most sensitive information about our lives, that is not surprising. The good news is that healthcare organizations can rely on HITRUST certification to confirm that their partners have implemented administrative, operational, and technical controls for telemedicine cybersecurity. Max Anfilofyev, VP of Product Management for SOC Telemed (SOC), explains why healthcare organizations should use HITRUST to improve their vendor security management.
Too many vendors, too little time
The average hospital has relationships with 1,300 different vendors, many of which provide solutions such as medical equipment, EMRs, imaging, and billing. Hospital information security teams do not have the time or budget to interview vendor staff or conduct onsite visits to ensure that their vendors have implemented the required security controls. Instead, many hospitals ask vendors to fill out lengthy security assessment surveys to identify potential risks. Hours are spent reviewing the survey responses and chasing down additional information. Some hospitals outsource these evaluations, which is a costly endeavor. Document reviews are not as effective as onsite interviews and may miss security flaws that bad actors could exploit.
More than half of healthcare vendors have experienced at least one data breach of patient protected health information (PHI) belonging to the healthcare providers they serve. With only 6% or less of the information technology budget typically allocated for cybersecurity, it is no wonder hospitals experience breaches. In fact, in just the top ten healthcare security breaches in 2020, over 10 million patients had some parts of their data leaked.
Effects of the pandemic on telemedicine cybersecurity
Hospital information technology staff was already stretched thin before the pandemic. Then we asked them to implement virtual care capabilities almost overnight. Many care providers used their own phones and tablets to connect with patients, limiting the effectiveness of established security controls. While health organizations adjusted and figured out how to provide patient care virtually, these new operations came with significant information security risks.
As more care becomes virtual, hospitals will invest in more technology with multiple vendors, only compounding risk and complexity.
So, what is the solution? It starts with a strict, prescriptive security standard designed for healthcare: HITRUST certification.
Benefits of HITRUST certification for hospitals
HITRUST certification maps to multiple security standards, including HIPAA and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, as well as state-specific regulations. Unlike broad-based information security standards such as ISO 27001, HITRUST is prescriptive and not open to interpretation. This design provides transparency on the controls that are appropriate for the scope of a vendor’s operations.
Because HITRUST is an independent verification (and not a simple vendor attestation), hospitals can trust that security controls are in place. While similar to an independent security audit, HITRUST is much more rigorous than what a hospital would be willing or able to pay an outside auditor to perform. HITRUST includes onsite walkthroughs as well as reviews of policies, procedures, and logs.
Instead of conducting a high-priced security audit on multiple vendors, hospitals can accept HITRUST certification. Since each vendor pays for the certification, hospitals get the benefit of knowing that patient data will remain secure without the cost. In addition, the hospital IT team gains valuable time for projects improving patient care and efficiency of operations.
Achieving HITRUST certification
The HITRUST certification experience at SOC started with leadership. Long before we achieved certification, we built a culture that validates our clients’ trust that we will protect their patient information. Because of that culture, we already followed secure practices and had policies and procedures in place. But we knew we needed independent security verification.
We assembled a cross-functional team representing all departments: IT Infrastructure & Application Development, Operations, Human Resources, Product Management, Project Management, Implementation, and Finance. It took many months to update and revise our existing policies, procedures, processes, documentation templates, and systems. We spent most of our time and effort ensuring that every one of our controls mapped to a corresponding HITRUST requirement.
A policy must have procedures to implement it, or it will not pass an auditor’s scrutiny. Various checks and balances, such as auditable paper trails, multi-factor authentication, and encryption measures, must be documented with clarity. They must also provide an understanding of how they impact every element of the organization. Security is a never-ending effort that extends to touch every role in the organization.
Altogether, SOC maintains hundreds of controls spread across every department. An external auditor evaluates the effectiveness of all those controls to validate that we meet HITRUST specifications.
Controls for telemedicine cybersecurity
The ownership of HITRUST controls is decentralized and dispersed among almost every role in our organization. There is no HITRUST department at SOC. The controls that allow us to achieve HITRUST certification are implemented at our help desk, which validates identities while helping with password resets. They are implemented in human resources, which onboards new employees. HITRUST controls determine how our operations team manages sensitive account information, how our infrastructure team secures workstations, and how our application development team develops and deploys new functionality.
So, whose job is HITRUST? Security is everyone’s job.
HITRUST enables our first (and most important) job
We talk about our HITRUST certification so that other organizations understand how seriously we take data security at SOC. However, what our customers buy from us is not security services but telemedicine solutions.
What results can our customers achieve with confidence that patient data remains secure? For starters, better healthcare at a lower cost. SOC clients note a 30% to 40% reduction in labor costs thanks to better matching of clinician supply with the demand for care from patient sites.
Reduced costs are just the tip of the iceberg. Beyond savings, telemedicine can improve hospital metrics: reduced wait times in the ED, shortened boarding time, increased patient satisfaction, and lower transfer rates. Moreover, because telemedicine increases access to scarce specialists, hospitals can retain higher acuity patients.
Our technology, doctors, coordination center, and billing services work together to streamline telemedicine programs for hospitals and health systems. Information security controls are embedded in all these areas and processes. HITRUST certification is the recognition of our commitment to keeping patient information safe.
Are you writing an RFI or RFP? Contact us to understand how HITRUST certification helps you evaluate vendors for telemedicine cybersecurity.