Part I: Why Healthcare Needs Privacy, Security and Compliance
Let’s face it. Healthcare is a highly complex, highly-regulated industry that is rapidly evolving, in part due to emerging and cloud technologies. There has never been a time with more promise and potential to improve the quality and quantity of people’s lives with advances in healthcare. But as we innovate with emerging technologies and gather big data insights, we must remain mindful of the important role compliance plays in healthcare.
A friend of mine used to have a sign over his desk that read: DWYSYAGTDWYSYAGTDI. The first time I saw it, I stopped and tried to decode it to no avail. Puzzled, I finally bit on that hook and said, “Hi, what’s up with this sign over your desk?” He smiled and said, “Do what you said you are going to do when you said you are going to do it. It’s a great promise to keep with your coworkers.” He’s right, and it’s also a great promise healthcare and life sciences can keep for the patients they serve. Compliance frameworks serve the purpose of making sure promises are kept in healthcare. By their nature, they force us to do what we say we are going to do – protect patient privacy.
Compliance Supports Innovation
While compliance and adherence to regulatory frameworks may seem like a daunting task that impedes innovation, it actually works to support innovation, and is an investment of your time and resources that will pay back dividends. I can think of so many companies and providers proving this out. One has created a robust digital interface that brings an entire oncology care team together virtually from distributed locations to analyze real-time personalized data in order to bring a cancer patient life-saving treatment. Another example is an insurer working diligently to bring you mobile apps that support your health and help you understand your benefits. Being innovative wasn’t enough; they had to do so while protecting patient privacy and meeting HIPAA requirements.
Privacy by Design Leads to Compliance
But as with so many things in life, a good idea is not enough. Timing is everything. I’ve found over the years of doing this work that it’s not enough to think about compliance; when you think about it is what becomes critical to your success. Building or deploying services without considering compliance from the beginning will open your business up to risk and costly fixes. My philosophy is one in which we approach privacy and security first as part of the design. Compliance is a result of well-architected solutions that meet widely accepted privacy and security standards. Compliance is much easier if you approach it in this way. And the payoff is that everything you build on top of compliance is better, more secure, and more scalable.
I spend most weekdays in meetings with CISOs, privacy officers, and lawyers at healthcare organizations across the spectrum of provider, payer, life sciences, and healthcare IT. I’ve noticed a pattern of questions arise when we dive into conversations about compliance.
Healthcare’s Legal and Moral Obligation
So first of all, why do we care about compliance? Because lives depend on it. Healthcare providers have a legal and moral obligation to protect the health, safety, and welfare of those they are serving. And the payers, life sciences and SaaS companies that work with providers also have the legal obligation to protect the sensitive data they are handling. While compliance frameworks may vary, they give us the assurance that what each covered entity or business associate is doing is within boundaries that respect and protect patient privacy and health. When we properly store and transmit patient information, everyone stands to benefit. When organizations get sloppy handling PHI, they open themselves to risk and the result is often a cyberattack and medical identity theft.
The Cost of Medical Identity Theft
In the Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, the Ponemon Institute found that many healthcare organizations and their business associates were negligent in the handling of patient information. The result, according to the study, is an estimated cost of $6.2 billion to the healthcare industry, at about $2.2 million per data breach. More than half of the organizations in the study were unsure or unaware of how patients or customers were affected by the crimes. The study went on to say, “Approximately two-thirds of all respondents don’t offer any protection services for breach victims, nor do the majority have a process in place for correcting errors in victims’ medical records.”
Imagine opening up your mail and seeing a bill for $60,000 for a surgery you never had because someone committed fraud with your medical identity. Resolving this can take years; and if it happens to you, prepare to pay dearly. In fact, according to this article from Experian, the average out-of-pocket cost to a patient after medical identity theft is more than $18,000 – often spent paying off fraudulent medical bills. Additionally, many victims report losing their jobs because of the hours and hours it takes to resolve. Some even suffer public embarrassment over disclosure of sensitive healthcare information, and in some cases, find themselves charged with illegally procuring prescription drugs when it was actually the cybercriminals who committed the crime. Additionally, victims can miss out on getting the quality medical care they need because of losing access to their coverage, or inability to access their own records. From credit scores to bank accounts, loss of care or inaccurate diagnosis due to altered records, countless lives are damaged by medical identity theft.
You may have seen the recent news announcement[i] that American Medical Collection Agency (a healthcare collection agency for Quest Diagnostics, LabCorp, and other laboratories) experienced a breach that appears to have compromised as many as 20 million patient records. Within seven days of the breach, more than a dozen class action lawsuits were filed by individuals alleging they have been injured by the breach. Meanwhile, the Department of Health and Human Services Office for Civil Rights (OCR) simultaneously began its investigation to assess how diligently the company has complied with the Health Insurance Portability and Accountability Act (HIPAA), which requires that patient health information be protected. Their findings will determine how steep the fines are. It’s early, but some of the lessons that can be learned from this incident demonstrate the importance of vendor security risk management, especially as it relates to personally identifiable information (PII) and protected health information (PHI).
Working with compliance at the center point of your organization and your cloud environment will help you align processes and controls to avoid this kind of scenario.
Which leads us to the somewhat obvious: how much easier it is to ensure you have a compliant environment before a security incident, rather than trying to create one after a breach when you’ll be busy succumbing to tedious audits, mountains of paperwork, and reputational and financial damages. Compliance helps you identify problems and find solutions before a government agency does. This extends well beyond the OCR, as there are multiple certifying bodies and agencies looking to protect patient data. Not long ago, a healthcare organization experienced a breach resulting in a 100K fine from the OCR, but this was just the beginning. After the OCR, the attorneys general fined them another 900K for the incident. Part of the settlement statement included risk remediation, and in this case ClearDATA was called in to perform a Security Risk Assessment to discover potential gaps in security and compliance. We completed our full assessment and provided them a risk remediation roadmap.
The reality is, healthcare is a primary target of hackers who are continuously improving their methods to find holes into your controls that safeguard protected health information (PHI). At the same time, regulatory agencies are working to impose larger and larger fines on those who fall out of compliance and expose or compromise PHI. Take Anthem’s recent settlement for a record-breaking $16 million for multiple compliance violations. The good news is—and some people neglect to recognize this—the OCR first looks at what you were trying to do to stay in compliance before it decides the weight of the fines. If you can show risk assessments, roadmaps, and monitoring compliance, your fines will be far less, if you are even fined at all.
Part II: The Importance of the C-I-A Triad
So as a business leader, what are you to do? Adopt the CIA Triad. The CIA model is designed to guide policies for information security and compliance within an organization. It stands for Confidentiality, Integrity, and Availability. (Sometimes you will hear CIA triad referred to as the AIC triad to prevent confusion with the CIA, as in the Central Intelligence Agency. The principles remain the same.) As a business leader, you’ll want to make sure your team understands the importance of each leg of the CIA Triad. Here’s what you’ll want them to know:
Confidentiality is all about privacy and preventing identity theft. This pillar of compliance works to prevent sensitive data from falling into the wrong hands, while it also works to ensure the right data can be reached by those who need and should be reaching it. You want your doctor to have the full picture of your health when she is diagnosing you or creating a treatment plan. But access to the data needs to be restricted to only those authorized to view it. Encryption is used frequently to meet this end, but you must know how to manage the encryption keys and other aspects of identity and access management, or encryption isn’t going to solve the problem. As a healthcare-exclusive cloud expert, ClearDATA knows how to build your environment so you are not only complying with regulations and frameworks when you deploy, but you can also remain that way for the lifetime of your application. There are many considerations. Data needs to be categorized according to the amount and type of damage that could be done should it fall into unintended hands. Once you have categories defined, more or less stringent measures can be implemented according to the degree of danger and potential for harm. Understanding complex compliance frameworks and regulations like HIPAA is critical to being able to ensure your environment is where it should be. ClearDATA customers have the advantage of a user-friendly Compliance Dashboard that provides 24/7 visualizations into their technical compliance posture. Equally important, we have mapped interpretations of each regulation as they relate to specific cloud technologies into the dashboard.
The second pillar or leg of the CIA Triad is Integrity of the data. This assures patients that they are getting accurate treatment. It ensures that abuse such as identity theft where, for example, someone is illegally buying drugs or having unauthorized surgeries in your name and sending you the bill, is not happening. And it works to prevent rampant healthcare fraud, which is driving up costs for everyone. In a compliant environment, dozens of controls are in place to ensure data integrity. One example you may hear mentioned is the Snowball effect. When data is moved from a data center to the cloud platform of your choice, there should be validation or check points all along the way. You don’t want to start with 5 terabytes and then end up with 4.3 terabytes in the new environment. Checksums or, more specifically, cryptographic checksums can provide verification at each step of the way. A cryptographic checksum is “a mathematical value that is assigned to a file and used to test the file at a later date to verify that the data contained in the file has not been maliciously changed.”[ii] The Integrity pillar assures we maintain the consistency, accuracy, and trustworthiness of the data life cycle. Other methods to provide integrity include version control to prevent erroneous changes or accidental deletion by authorized users. And you’ll always want to have some means or controls in place to detect changes to the data that might occur as a result of a non-human caused event such as a server crash. You’ll need to have back-ups, redundancies, and disaster recovery plans available to restore any affected data to its original state.
An advantage of the Automated Safeguards we provide to our customers is that they are constantly monitoring and interrogating your cloud environment to alert you (and us) if you drift out of compliance. As a result, the appropriate people are notified and the appropriate measures are taken to immediately remediate and return your organization to compliance.
Pillar number three assures that patients can get accurate diagnosis and treatment by ensuring the data needed to get the right treatment and diagnosis are available. It won’t matter that your personal health data is confidential and correct if the people who need to access it can’t. Availability is also relevant on a broader scale when we think about use cases like the Centers for Disease Control using massive data sets and predictions to predict and plan for health issues, flu vaccines, and preventing outbreaks. All of this depends on availability of credible data with integrity. You can build availability by maintaining and repairing hardware, making timely software updates or patches, and making sure there are no bugs. When you do upgrades, you need to have a plan to make sure you don’t lose data. I’ve known people who were backing up data and then the back-up failed. They didn’t have failover in place, so they lost the data. That can be devastating to the healthcare organization, but even more so to the patient. You need to think in advance about how to mitigate serious consequences by ensuring redundancy, high availability clusters, and having a disaster recovery plan. In the event of data loss, what have you done to ensure you have a backup copy? ClearDATA provides expertise on how to build this in a secure, HIPAA-compliant, redundant environment in the cloud.
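As an added example (not ClearDATA’s tooling and not from the original post), here is a small Python helper that builds a SHA-256 manifest of a source tree before a migration and verifies the copy at the destination, reporting the files that went missing or were altered in transit, which a raw byte count like “5 TB became 4.3 TB” can only hint at. All directory names, file names, and file contents are constructed for the demo.

```python
"""Checksum manifest for verifying a bulk data migration (hypothetical helper)."""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large files never load into memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of one file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 digest and size."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "bytes": p.stat().st_size}
    return manifest


def verify_copy(manifest: dict, dest: Path) -> dict:
    """Compare the destination tree against the source manifest."""
    found = build_manifest(dest)
    missing = sorted(set(manifest) - set(found))      # never arrived
    extra = sorted(set(found) - set(manifest))        # not in the source
    modified = sorted(                                # arrived but changed
        rel for rel in set(manifest) & set(found)
        if manifest[rel]["sha256"] != found[rel]["sha256"]
    )
    return {
        "ok": not (missing or extra or modified),
        "missing": missing,
        "modified": modified,
        "extra": extra,
        "source_bytes": sum(v["bytes"] for v in manifest.values()),
        "dest_bytes": sum(v["bytes"] for v in found.values()),
    }


def demo() -> dict:
    """Constructed scenario: one file is dropped and one truncated during the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "src"), Path(tmp, "dst")
        files = {  # constructed sample payloads, not real patient data
            "imaging/scan-001.dcm": b"\x00" * 4096,
            "imaging/scan-002.dcm": b"\x01" * 4096,
            "labs/results.csv": b"patient_id,test,value\n1001,HbA1c,6.1\n",
        }
        for rel, data in files.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)
        Path(tmp, "manifest.json").write_text(json.dumps(manifest, indent=2))
        # Simulate a lossy copy: scan-002 never arrives, results.csv loses its tail.
        (dst / "imaging").mkdir(parents=True)
        (dst / "labs").mkdir(parents=True)
        (dst / "imaging/scan-001.dcm").write_bytes(files["imaging/scan-001.dcm"])
        (dst / "labs/results.csv").write_bytes(files["labs/results.csv"][:-10])
        return verify_copy(manifest, dst)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the same manifest check after every hop (export, transfer appliance, object store ingest) so the point at which data was lost or altered is pinned down rather than discovered at the end.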
Part III: Compliance by Healthcare Sectors
If you’ve been in healthcare for any amount of time, you know how complicated compliance frameworks can be. For those who don’t deal with them every single day like I do, it can be hard to interpret the regulations and standards and map them to your compliance concerns. Because my team and I do this as our full-time job, we bring a lot of deep knowledge to the table on these complex frameworks.
If you are new to healthcare, it can be confusing to even know which frameworks apply to your organization. What follows is an overview of which compliance or regulatory frameworks are mandated based on which healthcare sector your organization fits in: Payer, Life Sciences, Healthcare IT or Provider. If you are in healthcare and have any access to patient data, you know something about HIPAA. HIPAA is a federal law passed in 1996 (updated in 2009 with the HITECH Act) that protects the privacy and security of health data and is enforced by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS). GxP stands for Good “x” Practices, with x typically being manufacturing practices in the life sciences. It is a collection of quality guidelines and regulations created to ensure that bio/pharmaceutical products are safe, meet their intended use, and adhere to quality processes during manufacturing, control, storage, and distribution. And GDPR, the recent General Data Protection Regulation, is intended to protect the privacy of EU citizens.
You’ll see HITRUST in the charts below, as well. I’d like to take a moment to highlight the importance of HITRUST, especially as you decide to bring in third-party expertise to ensure your compliance and security on the cloud. Payers, providers and consultants helped create HITRUST because there were challenges in the industry with validating the compliance of a vendor and/or evaluating their capabilities under numerous frameworks. Many found the language in HIPAA to be vague with its measure for “reasonable accommodations.” Additionally, HIPAA was written before many of today’s technologies were in place. So, these groups came together to adopt a Common Security Framework that allows for standardization of more than 35 regulations and standards into one framework. This was created to ease, perfect, and speed their due diligence process. Becoming HITRUST CSF certified is a difficult and arduous process. Because of this, HITRUST is viewed as the gold standard in healthcare. You can learn more about HIPAA, GxP, GDPR, HITRUST and other frameworks on the ClearDATA website. Let’s look at what is mandated for each healthcare sector.
Important note: The charts that follow are focused only on US federal laws and national standards, and state laws are additive to these. This is not an exhaustive list and the reader should consult his/her legal counsel for legal advice.
Payers

| WHAT | MANDATED | WHY USEFUL | ClearDATA EXPERTISE |
| --- | --- | --- | --- |
| CMS (Centers for Medicare and Medicaid Services) | YES | CMS contracts have mandates for compliance if Medicare/Medicaid reimbursements occur. | ClearDATA supports customers with CMS requirements where stated in contract. |
| HITRUST | No | Payers do not have to be HITRUST certified but increasingly want vendors/partners who are. | ClearDATA has the highest level of HITRUST certification: CSF 9.1 level 3. |
| HIPAA | YES | If Payers interact with patient data outside normal payment activities, they will need to comply with HIPAA. | ClearDATA has HIPAA Risk Assessments validating compliance. HIPAA maps directly into our HITRUST certification. (Note there is no such thing as a HIPAA certification.) |
| NIST Cybersecurity Framework | No | While not mandated, some Payers choose this standard because it is prescriptive and specific. | No NIST certification, but HITRUST has certified that ClearDATA complies with NIST standards. |
Providers

| WHAT | MANDATED | WHY USEFUL | ClearDATA EXPERTISE |
| --- | --- | --- | --- |
| CMS | YES | CMS contracts have mandates for compliance if Medicare/Medicaid reimbursements occur. | ClearDATA supports customers with CMS requirements where stated in contract. |
| HITRUST | No | Providers do not have to be HITRUST certified but increasingly want vendors/partners who are. | ClearDATA has the highest level of HITRUST certification: CSF 9.1 level 3. |
| HIPAA | YES | Providers interact with patient data and therefore must comply with HIPAA. | ClearDATA has HIPAA Risk Assessments validating compliance. HIPAA maps directly into our HITRUST certification. (Note there is no such thing as a HIPAA certification.) |
| NIST Cybersecurity Framework | No | While not mandated, some payers choose this standard because it is prescriptive and specific. | No NIST certification, but HITRUST has certified that ClearDATA complies with NIST standards. |
| SSAE 19 (SOC 2) | No | This is a report on controls that is used to affirm the practices of vendors that touch PHI or PII. | ClearDATA has the full SOC 2 Type II report. |
Life Sciences

| WHAT | MANDATED | WHY USEFUL | ClearDATA EXPERTISE |
| --- | --- | --- | --- |
| FDA/GxP | YES | If a pharma company is manufacturing a medical device. These devices are regulated by the FDA in the US, and sometimes international organizations follow the FDA as well. | Though not fully compliant because we have not seen enough demand, we are complying with many parts of these regulations to assist our customers. |
| HITRUST | No | Life science organizations understand that although they do not have to be HITRUST certified, partnering with someone who is can make them more marketable, accelerate sales, and reduce diligence demands. | ClearDATA is HITRUST CSF 9.1, level 3 certified. This is ClearDATA’s third full certification. |
| HIPAA | YES | If a life sciences organization interacts with patient data outside of normal research activities, they will likely need to be HIPAA compliant. | HIPAA does not provide a certification. ClearDATA has HIPAA Risk Assessments validating compliance. HIPAA maps directly into our HITRUST certification. |
| GDPR | YES | Life Sciences usually market to the EU, so there are strict requirements for compliance. | GDPR requirements are rolled into our HITRUST certification. |
In addition to your credentials and the credentials of ClearDATA, it is vitally important you check the credentials of any vendors, contractors, or third parties you use. At ClearDATA, for example, we will not use any vendors that are not HIPAA compliant. We comply with the HIPAA Security Rule, the Privacy Rule, and the Breach Notification Rule.
Part IV: How ClearDATA’s Certifications and Compliance Expertise Help Our Customers
You’ve probably already realized that it can be extremely difficult to understand and comply with all of these regulations while still trying to focus on your business objectives. That’s where ClearDATA comes in. We are the healthcare cloud privacy, security and compliance expert. We focus 100 percent of our energy on this, which frees you up to put your resources into hitting your business goals and objectives, while having the peace of mind of the Compliance Dashboard and Automated Safeguards protecting and informing you. As a result, you can focus on innovation and growing your business. Our expertise helps accelerate your innovation in the cloud and reduces friction as well as your spend on activities that don’t add value to your business strategy. If you are pursuing HITRUST certification yourself, we can speed your time to completion and certification through the HITRUST inheritance program.
You may also find that your affiliation with us and our HITRUST-certified assurances may increase credibility with your customers, which helps grow your business. Many of our customers look to us for numerous benefits of our expertise, such as helping them complete lengthy security and compliance questionnaires from their potential customers. And, hiring can be a challenge in the healthcare IT world. With ClearDATA as a partner, you get the force multiplier of our team as you engage the expertise of our certified cloud solution architects, compliance experts, and engineers. And the great news is, it’s all under one roof wrapped up in one of the industry’s most comprehensive Business Associate Agreements. In the end, it translates to a stronger, safer business model and increases your peace of mind.
How ClearDATA Helps the CISO
While we work with many members of your team, I am often asked how we interact with an organization’s Chief Information Security Officer. Our team works directly with your CISO. It’s been my experience that most organizations I talk to have an experienced and diligent CISO, many of whom understand the Defense in Depth strategy well. But what I sometimes see is less experience with specific cloud platforms, in understanding how the rules and controls change when you migrate from a data center to the cloud. We’ve got you covered and will demonstrate how Defense in Depth works in the cloud. There’s a lot more than this involved, but as a few examples, we’ll talk about how we encrypt data, build hardened images and operating systems, then build identity and access management protocols and controls to restrict access. We can show you how to defend your castle in the cloud and assure you that our DevOps automation has Automated Safeguards to remediate if you drift out of compliance. The Compliance Dashboard gives you a 24/7 view of your compliance posture and can also display trends over time, individual assets, groups of assets, and PHI inventories, all helpful as an audit trail if ever needed.
We strive to be your most important strategic partner. We work with hundreds of leaders across healthcare every day to improve healthcare outcomes.
You can learn more about our Compliance Dashboard here. Reach out to us for a demo or consultation.
[i] Data Breach Today. June 10, 2019. https://www.databreachtoday.com/multiple-class-action-lawsuits-filed-in-amca-breach-a-12599?rf=2019-06-11_ENEWS_SUB_DBT__Slot6_ART12599&mkt_tok=eyJpIjoiTUdJNE56Sm1PV1l6WXpFMSIsInQiOiJuZ3lSSyt3SlwvQVMrNllrOFpCYzIyVTV2QXl0akh1TGpSeUJKQXI1cHExcUQzc0dSVHNPZFNHTjRDRzJId3hVaGxXcTRRK3hodWE1VGVDTzF3ZFhiMXhOSVE0QzJYSnpcL3BNbTlCWEJqY1BzTWxZMEFzWjNHNkR5ZU92bXl4RWxmIn0%3D
[ii] Tech Target. September 2005. https://searchsecurity.techtarget.com/definition/cryptographic-checksum