Recent breach data clearly indicates that third party business partners pose significant risk of data loss to a healthcare organization, often requiring public notification and subsequent reporting to the Department of Health and Human Services and other regulatory agencies. According to HITRUST’s analysis of U.S. healthcare data breaches, business associates accounted for 58 percent of the records breached, and they were implicated in 21 percent of the breaches.
Additionally, business associates and suppliers struggle with the need to address a multitude of assessment processes utilized by the many healthcare organizations they service, which introduces significant complexities and inefficiencies that can impact the effectiveness of a security program. These redundant assessment processes also increase costs for covered entities, their business associates and the healthcare system as a whole.
Recognizing the significance of the role played by their business associates when it comes to the protection of health information, healthcare organizations, including CVS Caremark, Health Care Services Corp., Highmark, Humana, United Health Group and WellPoint, are announcing their commitment to leverage the CSF Assurance Program in their business associate information compliance programs and require the submission of the CSF assessment reports as part of those programs.
Many healthcare organizations currently accept the CSF assessment reports, but have not required them. These organizations will now phase in the requirement for the CSF assessment and communicate the new reporting obligations to their business partners.
“We accept the CSF assessment reports from our business partners as well as maintain the capability to support our own approach to conducting third party risk assessments,” said Roy Mellinger, vice president and chief information security officer, WellPoint. “Unfortunately, we’ve found that managing and coordinating two separate approaches adds costs and inefficiencies for us and our partners. What we need is a single integrated approach—such as provided by a CSF assessment, which we can achieve with the right leadership to help coordinate and advance adoption across the healthcare industry, covered entities and business associates alike.”
A business associate or partner can receive hundreds of unique requests a year for some form of information protection assessment or attestation of their security controls, which requires considerable resources in trained personnel and operational dollars. Additionally, the entity requesting the assessment or attestation is burdened with ensuring that the reports are consistent, accurate and timely.
“While there is work to be done to transition existing assessment processes, approaches and agreements to a more uniform model, the benefits to the entire industry in the way of greater information protection compliance, reduced assessment costs and increased efficiencies substantially outweigh the effort required,” said Jon Moore, chief information security officer, Humana.
“As a business associate for many healthcare organizations, we receive numerous requests for information security assessment-related information, much of which consists of varying detail and reporting formats, and it takes up a significant amount of time to respond effectively,” said Kurt Hagerman, director of information security, FireHost. “The CSF Assurance Program, on the other hand, provides the context and uniformity needed to communicate the same information, assurance level and remediation guidance with one assessment and meet all of our customers’ needs.”
The complexities, risks and costs associated with the current processes used by covered entities and their business associates have been widely known for some time; however, no coordinated effort has existed to address these challenges and to adopt, in a meaningful manner, a unified approach to third party assurance.
The CSF and the CSF Assurance Program offer the an implementation and management framework for healthcare information protection by providing a standardized way of scaling and tailoring safeguards based on an organization’s specific risk factors.
Organizations also have the ability to implement alternate approaches to address specific threats and vulnerabilities, and employ a standardized methodology for assessment and reporting that is easily understood by both the requesting organization and the business partner being assessed.