The Health Information Trust Alliance (HITRUST) is a privately held organization created in partnership with healthcare, business, technology and information security leaders to protect consumers’ personal health and financial data. Sharing a belief that information security should be a core pillar of the broad adoption of health information systems and exchanges, the HITRUST Alliance developed a Common Security Framework (CSF) that organizations can use to demonstrate they meet, and in many cases exceed, the applicable security standards.
Put another way, the HITRUST Alliance took federal regulations (HIPAA, HITECH), industry standards (PCI DSS, COBIT) and government guidance (NIST, FTC) and harmonized them into a single, comprehensive, actionable framework for protecting information with both physical and technical controls.
Since the CSF was first released in March 2009, it has been widely adopted as a security certification for companies seeking to minimize risk and protect consumer data.
The CSF’s reach also extends beyond the healthcare and financial companies that use it directly. The HITRUST Alliance announced last summer that several of the US’s largest healthcare companies, including Anthem, Health Care Service Corp., Highmark, Humana and UnitedHealth Group, will now require all of their vendors, whatever their industry, to obtain CSF Certification to demonstrate their commitment to security and privacy.
What does the HITRUST Certification process look like?
Because of the mandate described above, many healthcare industry partners and vendors are getting certified for the first time. As a website and app development firm serving the healthcare and financial sectors, we are well versed in data security standards and have been HITRUST certified for the last four years.
Though extensive, the process has proven invaluable in helping us:
- Develop strict physical and information security structures and protocols
- Minimize risk while working on digital projects that involve access to protected health information (PHI) and personally identifiable information (PII)
- Maintain our clients’ peace of mind – we want our clients to be free to focus on what they do best – growing their businesses, not worrying about data breaches
“Working with vendors that are not focused on data security leaves companies extremely vulnerable, and we seem to hear weekly about data security breaches at Fortune 500 companies. Your business simply cannot afford to work with vendors who aren’t focused on the security of the information they’re entrusted with. Spyder Trap’s HITRUST CSF Certification wasn’t originally obtained because one of our clients required it – we made the investment because of our desire to lead the way with data security.”
Spyder Trap Operations Manager
The certification process starts with hiring a third party to perform a risk assessment. The assessor identifies physical and digital risks, and your team then works to mitigate them by:
- Developing company-wide security standards, such as requiring all individuals to wear name badges, maintaining up-to-date visitor logs, and keeping server sites physically secured 24/7
- Applying secure coding and industry best practices to all web code, with no shortcuts taken
“The audit and certification process is very lengthy and intense. It requires a team of dedicated resources from Spyder Trap and a few weeks to validate and meet all requirements for the certification. To ensure we’re thorough, Spyder Trap hires a third-party auditor to help assess our compliance measures and review all measures for certification.”
Next, after all identified problems have been remediated, a third-party assessor visits the organization’s physical space to perform the official audit, which examines the company against the 256 HITRUST security standards to confirm compliance. At this stage the assessor may request documentation such as front desk logs, floor plans and org charts as evidence that the company has put genuinely sound structures and protocols in place.
The assessor then submits the assessment to the HITRUST Alliance for certification, and unless flaws are uncovered, the company may state that it is certified. Certification is valid for two years: in the intervening year, an interim review verifies that the protocols are still being maintained, and at the end of the two-year period the organization must recertify.
Common Misconception: HITRUST CSF is only important for the healthcare and financial industries
Though partnering with HITRUST certified vendors is a top priority for healthcare and financial companies, and in some cases a requirement, certification is also valuable for any organization that handles sensitive information. Whether you handle protected health information, contact details, financial data or other sensitive information, you reduce your risk and can proceed with confidence when you partner with companies that make data security a priority.
If you’re looking for a HITRUST certified partner to design and build a website or app, develop a content or marketing automation strategy, or manage your SEO/SEM efforts, we can help. Contact us and we’ll set up a call to see if we could be a good fit.