Many health care, life sciences, and health information technology companies face challenges in conducting meaningful security risk assessments, because existing security laws fail to describe how to conduct risk assessments. Additionally, it is difficult to know what mitigation tactics should be taken to address any identified risks.
To better assist those clients, as well as our business partners that use protected health information (e.g., entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and their business associates), in overcoming those challenges, Epstein Becker Green has become the only law firm designated by the Health Information Trust (HITRUST) Alliance as a Common Security Framework (CSF) Assessor Organization. As a HITRUST Assessor, Epstein Becker Green is able to leverage the HITRUST methodology to conduct robust security risk assessments and help clients achieve HITRUST CSF certification, which can be used as evidence of compliance with both HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH).
Further, because Epstein Becker Green is a law firm, all HITRUST CSF certification efforts are conducted under the attorney-client privilege, which allows clients to keep key risk points and compliance flaws from being exposed as they work toward certification. Using this capability, Epstein Becker Green is exceptionally well positioned to provide counseling to clients on how to conduct effective risk assessments of administrative, physical, and technical safeguards around protected health information; mitigate risks; and develop documentation of a defensible security program.
HITRUST, in collaboration with health care, technology, and information security leaders, developed the CSF to provide a unified and prescriptive structure to guide the risk management of health information. The CSF is built upon existing standards and regulatory requirements, including 130 specific industry-accepted security controls developed from International Organization for Standardization (ISO), Payment Card Industry (PCI), Control Objectives for Information and Related Technology (COBIT), HIPAA, HITECH, and National Institute of Standards and Technology (NIST) standards. The CSF methodology provides a highly flexible framework by offering a standardized way of scaling and tailoring safeguards based on an organization’s specific risk factors.
Companies that leverage HITRUST CSF certification can increase trust and transparency among business partners and consumers by incorporating best practices, building confidence, and streamlining interactions across the industry. HITRUST CSF certification also reduces the likelihood of a data breach, because it requires robust security safeguards. This risk reduction is significant because health care entities have reported a record number of security breaches in recent years. Undoubtedly, the most cost-effective response to a security breach is to prevent one from occurring in the first place. Therefore, health care companies should focus on ways to improve their security posture by employing HITRUST's robust risk management framework.