Best practices for managing security risk: HITRUST certification

August 12, 2021

Maintaining data privacy and cybersecurity in healthcare is no easy task. Limited resources, outdated hardware and software, and changing regulatory requirements all add to the risk that a health system’s digital infrastructure could be compromised. But one of the most vulnerable points in any health system’s security is its third-party technology vendors.

Healthcare organizations rely on third-party vendors for technology solutions throughout the hospital, from HR to patient portals. Each piece of software and each solution provides invaluable services that make healthcare better. But each, unfortunately, also poses a potential security risk. In fact, one report shows that 80% of healthcare CIOs and CISOs had experienced a breach originating with a third-party vendor in the past year. These breaches leak sensitive data, compromising patient privacy and costing hospitals millions to remediate.

Ensuring vendor security compliance isn’t easy — unless we understand and manage risk

The current recommendation for managing third-party risk is to perform vendor risk assessments, first when a solution is selected and implemented, and again on a recurring basis. But health systems work with hundreds or even thousands of third-party vendors. It simply isn’t realistic or cost-effective to assess this many vendors thoroughly and consistently. Security teams spend countless hours requesting, verifying and chasing down information from vendors, with no practical way to confirm that the information they receive is accurate. Without a standardized process or standardized security measures, it is difficult to be comprehensive, and nearly impossible to complete vendor risk assessments in a timely and cost-effective manner. So it’s no surprise that fewer than 30% of IT security leaders report that their vendors are assessed annually. Even for those who do assess regularly, regulations, requirements and technologies all change constantly, creating a hamster wheel for health systems: they never fully know whether a third-party vendor is exposing them to an active cybersecurity risk.

One way to lessen this burden is to require vendors to identify and mitigate risk themselves and to maintain compliance with healthcare industry standards. After all, they know their technology better than the health systems do, and they are the ones responsible for maintaining the security of their solutions. That’s what Olive thinks, anyway.

Olive knows that healthcare data security is a top priority for our customers, so it’s a top priority for us too

As a healthcare-first, healthcare-only company, we are fully immersed in the security requirements and compliance regulations of our industry. Meeting our customers’ security needs isn’t a “check the box” exercise for us; it’s core to our company’s mission of reducing the administrative waste and burden of healthcare. We understand what healthcare data security means to our customers and their patients: it’s about protecting a health system’s bottom line, its reputation and its patients’ wellbeing.

That’s the benefit of working with a healthcare-only company like Olive. Because healthcare is our only focus, we constantly monitor changes in security needs and regulatory requirements and stay on top of industry standards so we can provide peace of mind to all our customers. To that end, we have officially become HITRUST-certified. HITRUST stands for “Health Information Trust Alliance”, and its goal is to provide an integrated security approach and a way to demonstrate compliance so that health systems and hospitals can better manage risk. The HITRUST Common Security Framework (CSF) is a comprehensive security framework that unifies multiple standards and regulatory requirements, including NIST, HIPAA/HITECH, ISO 27001, PCI DSS, FTC, COBIT and SOC 2. Certification means our controls have been assessed against that framework, so our customers get independent assurance about Olive’s security posture instead of having to gather and verify that information on their own, which is exactly the burden described above.

With our HITRUST certification, we can confidently continue on our journey of transforming healthcare operations, knowing that we are doing everything we can to preserve patient privacy while also helping healthcare companies take advantage of the benefits AI has to offer.

Healthcare first, healthcare only

We were built, from the beginning, with healthcare data needs in mind. In everything we do, we work to keep our customers and their patients safe. Now we can take that mindset one step further with our HITRUST certification, under a security framework built specifically for the healthcare industry. From supply chain to revenue cycle, we’re helping healthcare organizations transform their operations with AI while keeping their data safe and compliant.