Boehm & Associates is proud to announce our HITRUST Common Security Framework (CSF) certification, which we believe will attest to the security of our current and future clients’ protected health information. Boehm & Associates made the decision to adopt the HITRUST CSF because we are committed to optimizing the relationship between business, technology, and security to enable the highest quality of service to our clients. Our press release can be viewed here.
Advancements in technology have had far-reaching effects within the healthcare industry. Digitizing patient data increases both its usefulness and the efficiency of the workforce responsible for managing and maintaining it. However, the related IT infrastructure as well as the human-machine interface introduce information systems and an expanding vendor base to the list of risk vectors requiring security consideration. In recent years, the healthcare industry has seen an increase in phishing schemes and ransomware incidents in addition to a number of hefty breaches involving laptops, mobile devices, and removable media. While federal and state legislation have responded to the adoption of new technology by establishing mandated security requirements to be implemented by covered entities under HIPAA and their business associates, there is no related HIPAA certification at this time to satisfy organizations’ trust and assurance models.
We understand that objectivity is an important component of the reliability of information about an organization’s security posture; HITRUST’s assessment methodology includes comprehensive onsite auditing of systems, policies, and procedures conducted by an independent security organization before the HITRUST Alliance issues a certification decision. The auditor analyzes each control against a maturity model that shows whether a control is enforced only at the policy level or whether the organization also has supporting procedures, proof of implementation, a system for measuring compliance and performance, and strategies for managing the overall level of control effectiveness in the long term.
With respect to HIPAA compliance, HITRUST establishes security controls specifically oriented to the healthcare industry’s needs and updates the framework annually to keep current with emerging technology and associated risks. At the time of this writing, the 14 control categories can be found in the Introduction to the HITRUST CSF and are as follows:
- Information Security Management Program
- Access Control
- Human Resources Security
- Risk Management
- Security Policy
- Organization of Information Security
- Compliance
- Asset Management
- Physical and Environmental Security
- Communications and Operations Management
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Privacy Practices
Given that the CSF is based on a variety of legislative and regulatory requirements as well as the baselines of other security frameworks (identified in Comparing the CSF, ISO/IEC 27001 and NIST 800-53), it meets and exceeds the federal standards for protected health information security.
Security assurance is now particularly important when committing to business relationships involving information exchange and system interconnection. We look forward to cultivating those relationships in light of this certification and exploring new opportunities to ensure that our clients are availing themselves of all that we have to offer.