In addition to thousands of customers across a variety of different verticals, Hostway is the trusted hosting provider for some of the largest and most prominent healthcare organizations in the world, including Paragon 28, Adium Pharma, and Carespring Healthcare Management. And now, we’ve earned the HITRUST Common Security Framework (CSF) certification, making us one of few vendors to deliver the full compliance certification suite.
Our HITRUST certification demonstrates that Hostway follows a rigorous and standardized method of securing protected health information, and proves our incorporation of a CSF that provides a more consistent, comprehensive, and industry-defined process to meet a wide range of regulatory and compliance-related requirements.
Further, this designation gives all of our customers—regardless of industry—peace of mind in knowing that their data is being protected to the highest standards. Hostway’s HITRUST certification extends to our entire infrastructure, data centers, backup applications, multitenant solutions, dedicated servers, storage, and networking.
How We Earned Our HITRUST Certification
To determine whether or not organizations can become HITRUST certified, 19 categories are evaluated, each with 131–500+ different control requirements that are dependent on size, complexity, and regulatory factors. Furthermore, there are five levels of maturity upon which each control requirement is assessed:
To earn this certification, an organization must meet all of the minimum requirements and achieve a passing score for each of the control domains.
Leading up to our certification, Hostway already had a high standard for compliance, but we took several additional steps to meet the HITRUST guidelines, such as:
- Increasing security around passwords: All passwords are checked against a database of half a billion passwords that have been compromised in previous breaches, ensuring that all passwords are unique and more difficult to crack
- Implementing new policies: To better secure our internal systems and customer environments, we strengthened certain policies across the organization, including a stronger data disposal process and better overall asset management
The Importance of HITRUST for Companies Moving to the Cloud
Before the HITRUST certification was established, HIPAA laws were the go-to framework for properly handling electronic medical data; however, HIPAA was created over 20 years ago, and there has never been a governing body that polices compliance to proactively secure against breaches. Organizations can claim compliancy through self-assessment, but with the HITRUST certification, companies are verified as compliant by a neutral third party.
The HITRUST certification bolsters HIPAA regulations, but also brings additional clarity and guidance for the security controls an enterprise puts in place to ensure better protection of their data and systems. Since many healthcare organizations utilize a number of third-party vendors, it can sometimes be hard to control and consolidate these security compliance efforts.
Take the case of MedEvolve, for instance. Just a few weeks ago, the practice management software vendor left its FTP server open to the public without authenticating users. As a result, the data of 205,000 patients from two different healthcare vendors were exposed.1
Because patient data has such a high value on the black market, it’s important to have an established set of guidelines that the industry can follow to ensure protection of that data. Along with a certification framework, a HITRUST Threat Catalogue has been developed to help focus efforts in:
- Identifying and leveraging existing taxonomy for threats to ePHI
- Enumerating all reasonably anticipated threats to ePHI
- Mapping HITRUST CSF control requirements to enumerated threats
- Identifying any additional information for future iterations of the HITRUST Threat Catalogue to help meet its objectives
As threats to the healthcare IT industry evolve, it’s clear that there’s a need for a robust and standardized way to separate compliant organizations from those that are questionable or non-compliant. Recently, a survey by HIMSS Analytics revealed that 78% of healthcare providers experienced a ransomware or malware attack in 2017.2
Healthcare organizations that work with HITRUST-certified vendors can expect an increased value in the relationship—there is less risk of a breach; therefore, there is less risk of incurring the costs associated with a breach. With the cost of data breaches currently estimated at $380 per record,3 the cost savings is significant.
Healthcare organizations aren’t the only company types that should pay attention to the HITRUST certification. Due to the rigorous auditing process vendors must go through to attain this designation, the HITRUST certification means better protection and processes across the board—something all businesses can benefit from.
Becoming the Industry Standard
HITRUST best practices were lauded in the healthcare industry when they were first introduced in 2007 and are still the golden standard today, especially considering the risks involved in migrating healthcare organizations into the cloud. In 2016, for instance, the healthcare industry was one of the most breached verticals, second only to the financial industry.4
The concept of comprehensive risk management structure is one that has eluded the healthcare industry for a long time. But organizations today are seeing the benefits of implementing HITRUST CSF. For example, PDHI, a SaaS company, recently achieved HITRUST certification. Lee Penn, the company’s CFO and Chief Compliance Officer, has noted that the certification didn’t just improve security and compliancy—it also marked a welcome change in the PDHI culture, giving their clients peace of mind and making their relationships stronger overall.5
Does your infrastructure hold up to compliancy best practices? Find out by contacting one of our Security Experts and requesting a free risk assessment.
- Healthcare IT News, 2018.
- HIMSS Analytics, 2017.
- Ponemon Institute, 2017.
- Verizon, 2017.
- Datica, 2016.