A Common Security Framework could help healthcare organizations do more with less

The biggest of those attacks came against a healthcare payer organization that had over 100 million of its healthcare records exposed to a hostile government entity. Across all industries, the average cost of a data breach is about $155 for every lost or stolen record.

For healthcare organizations, however, the costs are even higher. The average cost per stolen PHI (protected health information) record rises to over $360, according to a 2015 Ponemon Institute study. The threat of hacks and data breaches weighs heavily on healthcare executives and officials, and complicates what are already hectic operations within the healthcare world. Hacking and malware are stretching healthcare organizations, companies, and employees to the breaking point.

To keep sanity within healthcare organizations, the saying "Audit once, use many" is becoming a more common refrain. With each passing day, departments are being asked to do more with less (fewer people, less time, and fewer resources) simply to survive. But let me ask you: how is doing more with less going to work? When we ignore the realities we have to deal with (limited hours in a day, physical limitations, and mental limitations), it is scary what we are asking of our companies, our departments, and our own employees. It is a real disservice to make cutbacks with such regularity. We need to stop this madness. But how can we do that and still protect the PHI records we handle?

Third-Party Assessments

One such tool that healthcare organizations can use comes from the Health Information Trust Alliance, or "HITRUST." The HITRUST Common Security Framework (HITRUST CSF) provides an avenue for a third-party assessment that verifies the controls in place to meet all of the CSF Certification requirements. The HITRUST CSF is quickly becoming the standard for information security controls within the healthcare sector. Developed in collaboration with healthcare and information security experts, it is positioned as the only certifiable information security framework that provides an actionable roadmap tailored to the needs of each individual company within the healthcare industry. Through HITRUST CSF certification, healthcare organizations can reduce audit costs, because the CSF controls map to other compliance frameworks, letting organizations audit once and report many times over.

Under the CSF, the PHI that healthcare organizations are required to protect is brought under a defined, auditable set of controls. The framework is designed to address compliance with regulations and standards such as the HIPAA Privacy and Security Rules, HITECH, CMS requirements, PCI, and NIST. By implementing this framework and becoming HITRUST certified, healthcare organizations can save significant cost, time, and resources. And through this certification, a company can demonstrate that it has addressed multiple requirements under federal and state regulations, following the saying: "Audit once, use many."

Cathlynn Nigh is the CEO of BEYOND LLC. As a HITRUST CSF assessor organization, BEYOND LLC works to provide certification and remediation services as required.