HITRUST for HIEs

Webinar Recap
HITRUST for HIEs: Four Reasons Healthcare Information Exchanges Should Adopt & Certify

This recap will highlight salient points from the presentation, as well as questions from the Q&A portion.

If you missed the webinar, or have specific questions for our presenters, please contact Pamela Hayduk and she can arrange time with our subject matter experts.

Our client, Terri Lynn Palmer from Delaware Health Information Network (DHIN), helped us highlight the reasons healthcare information exchanges should adopt the HITRUST Common Security Framework (CSF) and become certified (if not already required to do so).

Bringing over 20 years of compliance experience in the payer and provider sides of healthcare, she gave her perspective as an HIE that recently achieved certification, as well as from the time when she was skeptical about embarking on the HITRUST journey.

Beyond a payer requirement, Terri Lynn shared how HITRUST benefitted her organization:

  • DHIN matured their information security program much faster.
  • The CSF provided a robust structure that addressed all areas of info security.
  • The framework gave them continuity and tied fragmented areas in their program together.
  • The rigor of CSF allowed them to focus on translating requirements into action tailored to DHIN.

Next, BluePrint’s Vice President and CISO, Mark Ferrari, covered the top four reasons why HITRUST is specifically valuable for HIEs.

Reason #1: Access Control

As one of the deepest domains included in HITRUST CSF, access control is arguably the most important to HIEs. From our experience, it makes up about 20 percent of a HITRUST engagement for our customers and is one of two domains that have the most requirements.

  • To pass this domain, organizations must have well-developed and demonstrable access management processes.
  • HIEs not only have to demonstrate strict access control within their organization, but also must govern access among HIE users.

Reason #2: Transmission Security

HIEs are structured to send and receive important data via real-time HL7, ADT feeds, flat files or other formats. Partner organizations use that information to aggregate, analyze and build reports, among other things.

Governance of transmission security is a separate domain with its own focus and deep specificity. This domain ensures that data is not shared by any unsecured means.

  • HITRUST provides specific transmission security measures, unlike other frameworks that give high-level requirements.
  • HITRUST dictates a minimum standard for encryption.

Reason #3: Third Party Management

HIEs must conduct thorough due diligence when initially vetting potential data vendors and members, as well as creating business agreements. However, many times, that’s where third party oversight ends.

HITRUST requires regular, strict governance and evidence-based security review of third parties.

Here, you want to ensure that you have policies, procedures and actions that clearly outline who has access, when they have access and around what data, as well as steps to take if activities fall outside these parameters.

Reason #4: Building Trust among Data Contributors & Participants

The bottom line is, without the ongoing confidence of data contributors, the HIE model is unsustainable.

Demonstrating adherence to the strict HITRUST framework is a differentiator for HIEs, mainly because HITRUST is more rigorous than any single model, such as ISO, NIST or the HIPAA Security Rule, alone.

The keys to your success as an HIE pursuing HITRUST certification include:

  1. Adopting the CSF framework and demonstrating compliance. Action that is connected to solid policies and procedures is paramount.
  2. Proving that you are in fact doing what you say you are doing. Think about evidence as you proceed through the “HITRUST journey.” What evidence do you have that shows that you act on and live out your written procedures?
  3. Implementing a strong information security program. To certify under HITRUST, organizations must pass every domain individually. Doing this requires you to address the 19 domains of HITRUST (shown below) within your program.

CSF Domains

Stay tuned for our next blog where we’ll share the questions raised during the HITRUST for HIE webinar and highlights from our three-phase approach to HITRUST certification.

HITRUST Lifecycle

Want to learn more about the essentials to HITRUST certification success? Sign up for our next HITRUST Certification Essentials webinar.