How to achieve HITRUST compliance

It’s no secret that healthcare organizations contain endless sensitive and critical assets. Patient files and electronic medical records (EMR) are not only important, but some of the most highly valued assets on the black market. In fact, healthcare related breaches increased by 55.1% in 2020. This means hackers have their eyes turned toward these organizations and their cybersecurity systems. HIPAA compliance provides assurance that EMR will be protected, but achieving HIPAA compliance can be complex, time-consuming, and expensive. Enter HITRUST, which creates guidelines to not only achieve compliance but make sure a healthcare organization’s cybersecurity system is ready for the threats it will face.

What is HITRUST?

The HITRUST Common Security Framework (CSF) Control Category 01.e outlines user access rights that must be regularly reviewed by management via a formal documented process. Because this and the other Control Categories must be met for a healthcare organization to receive HITRUST certification, it’s beneficial for healthcare organizations to regularly check their systems for any compliance gaps or possible improvements. There are a few essential components and pillars necessary to ensure an organization’s internal system access rights are HITRUST compliant. By better understanding and implementing the four pillars of HITRUST compliance -- access control, audit controls, data integrity, and set processes -- a healthcare organization of any size can maintain compliance while keeping EMR safe and secure.

1. Access control

Access control is exactly that, the control of who has access to what. For HITRUST compliance, this means an organization has strict management of rights and privileges to sensitive, critical assets and has implemented user, group, and role-based controls (for both internal users and third parties). In addition, these access controls include review and provisioning or de-provisioning after any changes have been made to a user’s role or duties (such as promotion or termination), and there is a formal authorization process in place to control all allocation of privileges.

2. Audit controls

To implement strong access controls, a healthcare organization must also conduct audits and reviews of those controls to make sure no access rights are mismanaged. This means looking at: who has access to what, conducting high-definition session recordings, implementing a system that logs user activity, and have a formalized documented and implemented user registration and de-registration procedure before granting or revoking access. An organization being able to show they have these controls, including recording for high risk events (like third-party access) can be powerful for auditors.

3. Data integrity

HITRUST compliance is about more than just meeting guidelines, it’s about protecting critical, sensitive data such as private patient records. Data integrity includes having strict control of third-party remote access to limit data corruption, conducting audits to identify data changes and enable corrections, creating automated processes to manage network accounts as well as account creation, modification, disabling, and removing, and automatic provisioning or de-provisioning of users based on activity and role.

4. Processes

It’s one thing for an organization to say they have access controls, audit controls, and data integrity in place, but it’s another thing to act on that. The process requirements ensure exactly that. The requirements are: customer configurable encryption, review of critical systems every 60 days, review of special privileges every 60 days, review of all account types every 90 days, and review of all user access rights every 90 days.

Why these pillars matter beyond compliance

Maintaining HITRUST compliance not only helps an organization achieve and prove continual HIPAA compliance (which can be complex and time consuming), but helps a healthcare organization achieve stronger, more mature cybersecurity practices. Keeping critical assets safe from third-party breaches, outsider hackers, or even internal threats, is crucial for a functioning organization. Not only can a breach be costly, resulting in lost revenue, reputation damage, regulatory fines, and more, but there are urgent real-world consequences.  Recent examples include:

  • Eskenazi Healthcare in Indianapolis had to turn ambulances away while security teams resolved a ransomware attack.
  • Memorial Health System, which owns 64 hospitals in its network, had to cancel surgeries and radiology treatments in its West Virginia and Ohio locations due to ransomware that shut off IT access to healthcare systems.
  • Sanford Health in Sioux Falls, South Dakota diverted ambulances to other hospitals while teams recovered the systems hit by a ransomware hack.

Just in 2021, 38 cyber attacks have caused disruption of services to 963 healthcare locations.  The impact ransomware has on healthcare institutions could not only cost hospitals money and resources, but also human lives.

Software can assist on the path toward compliance

Making sure an organization is HITRUST compliant, and in turn achieving HIPAA compliance and protecting critical access and assets, can come down to the right software. Utilizing an EMR access auditing solution ensures nothing is missed across audits of EMR, and any suspicious activity is investigated and taken care of. This helps compliance officers save time and focus on what really matters: the protection of patient information. Learn more about EMR access auditing solutions and download SecureLink’s HITRUST compliance checklist.