The case for HITRUST certification

Healthcare organizations are attractive targets for criminals who steal, ransom and disclose protected health information (PHI). In fact, according to the HIPAA Journal, there were 75 data breaches of 500 or more records in May 2023 alone, resulting in over 19 million records being exposed or impermissibly disclosed.

Given this unfortunate situation, healthcare organizations must remain vigilant and continually deploy robust cybersecurity measures to protect sensitive patient information. Among the reasons for breaches are the following:

  • Valuable data: Healthcare organizations possess a wealth of valuable data, including individuals’ personal health records, insurance information and financial data.
  • Inadequate security measures: Many provider organizations have inadequate security measures due to limited budgets, complex systems, and diverse internal users.
  • Outdated technology: Many hospitals and medical practices utilize outdated technology and legacy systems that may have vulnerabilities and lack regular security updates and patches.
  • Insider threats: Because many employees and third-party vendors have access to PHI, healthcare organizations are exposed to insider threats, which pose a significant risk to data security.
  • Interconnected systems: Hospitals and health systems often have complex networks of interconnected systems and multiple entry points for data access, increasing their attack surface and potential vulnerabilities.

HITRUST: a structured framework

A HITRUST certification provides a structured framework that enables organizations to address their information security, compliance, risk management, and vendor management requirements. Healthcare organizations should consider attaining a HITRUST certification for these important reasons:

  • Enhanced data security: A HITRUST certification helps organizations implement robust information security controls for the protected and sensitive data they receive, process and store, thereby reducing the risk of a data breach.
  • Regulatory compliance: The HITRUST framework can incorporate HIPAA requirements, allowing organizations to demonstrate compliance through easily generated reports to satisfy audits and inquiries by regulators.
  • Patient safety concerns: Studies have shown increased patient mortality rates following ransomware attacks. In addition, tampering with medical records or disclosing sensitive clinical information can result in medical errors or patient harm.
  • Industry recognition and trust: HITRUST certification is widely recognized and respected within the healthcare industry. In addition, certification can be a competitive advantage that results in increased market share.
  • Comprehensive risk management: The journey to a HITRUST certification requires organizations to conduct thorough risk assessments and implement effective risk management strategies and controls. Systematically addressing risks can reduce the likelihood of security incidents and minimize a breach's potential impact.
  • Vendor management: Provider organizations can require their third parties to obtain a HITRUST certification, effectively assessing the risks associated with their business partners and vendors and ensuring that appropriate security safeguards exist.
  • Business continuity and resilience: To obtain a HITRUST certification, organizations must demonstrate evidence of comprehensive business continuity and incident response plans.

Additionally, a HITRUST certification can be a cost-effective way to mitigate the potential impacts of a data breach. Here's how:

  • Reduced likelihood of a data breach: To achieve a HITRUST certification, organizations must implement comprehensive security controls. Organizations can significantly reduce the possibility of a data breach by proactively addressing vulnerabilities and monitoring threats.
  • Reduced financial losses: Data breaches typically result in substantial economic losses, which include costs related to breach notification, forensic investigations, legal fees, regulatory fines, potential lawsuits and reputational damage. By implementing the controls and measures required by HITRUST, organizations can reduce the likelihood and magnitude of these financial impacts.
  • Enhanced incident response and recovery: HITRUST-required incident response and recovery plans enable organizations to respond to security incidents quickly and effectively, reducing the overall impact on business operations and expenses associated with the recovery effort. Prompt detection, containment and remediation of a breach can save significant time, resources and money.
  • Streamlined compliance efforts: The HITRUST framework can consolidate healthcare organizations' various compliance requirements into a single assessment, resulting in time, effort and resource savings.
  • Higher customer retention: A data breach can erode trust among patients, business partners and stakeholders, resulting in patient attrition and damaging business relationships and the organization's reputation. A HITRUST certification demonstrates a solid commitment to data security and privacy, which ultimately can aid in retaining patients, maintaining strong partnerships, and attracting new customers and opportunities.
  • Lower insurance premiums: Some insurance providers offer reduced premiums or better coverage options for organizations that have obtained a HITRUST certification.

Why some organizations are reluctant to seek certification

While a HITRUST certification offers numerous benefits, some organizations may hesitate to begin the journey for several reasons:

  • Cost: Smaller organizations with limited budgets may see the up-front and ongoing costs associated with certification as a barrier and consider their cyber insurance policy sufficient protection. However, some insurance carriers have refused to pay when organizations are found to be non-compliant with specific policy provisions.
  • Resource constraints: Certification requires dedicated resources with appropriate time and expertise. A lack of appropriately skilled resources usually indicates an immature and/or deficient cyber posture.
  • Organizational priorities: Organizations may have various competing priorities and may choose to allocate limited resources to focus on other strategic initiatives. Priorities should be assigned using a risk-based approach and align with the organization’s risk tolerance.
  • Insufficient benefits over “HIPAA compliant”: Providers may already think they’re “HIPAA compliant” and sufficiently protected against cyberattacks, obviating the need to pursue more comprehensive and rigorous assessments like HITRUST. “HIPAA compliance” can be subjective and rarely provides adequate cyber protections.

Although there are valid reasons healthcare organizations may choose not to pursue a HITRUST certification, they should carefully consider the long-term cost savings, regulatory compliance reporting efficiencies, and strategic and competitive advantages before deciding not to do so.

Contact Mazars to learn more about pursuing a HITRUST certification for your healthcare organization. 

The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.
