We’ve got big news! After a rigorous, multi-step process, WELL officially received HITRUST CSF Certification for our patient communication platform.
Just in case you’re not up on the latest in healthcare security, trust us, this is exciting. It means that the security and privacy of our platform meet comprehensive, meticulous standards.
Most of the information about HITRUST CSF Certification is a little confusing and technical, to say the least. So we’ve put together some material on why it’s important and what it means for the health systems that use WELL.
What is HITRUST?
HITRUST is a standards organization whose programs and services help safeguard sensitive information and manage information risk for global organizations across all industries. The organization’s evaluation criteria draw from prominent safety standards, frameworks, and guidelines, including HIPAA, PCI, and ISO.
How does HITRUST evaluate companies?
HITRUST evaluates companies using 19 domains, which are designed to address every facet of a business’s security operations. Those domains are:
- Information protection program
- Endpoint protection
- Portable media security
- Mobile device security
- Wireless security
- Configuration management
- Vulnerability management
- Transmission protection
- Network protection
- Password management
- Access control
- Audit logging and monitoring
- Education, training, and awareness
- Third-party assurance
- Incident management
- Business continuity and disaster recovery
- Risk management
- Physical and environmental security
- Data privacy and protection
Vendors who meet HITRUST standards — usually after multiple rounds of evaluation and correction — are issued CSF certification.
HITRUST vs HIPAA
The HITRUST CSF is a rigorous set of controls that covers, among other sources, all the requirements of HIPAA. At WELL, we’ve mapped our security controls to ensure we’re compliant with both HITRUST and HIPAA.
But it’s important to note that while many healthcare vendors claim HIPAA compliance, there’s no definitive third party that verifies HIPAA compliance. Basically, you have to take a company’s word for it. In contrast, HITRUST CSF Certification standards are set by a governing alliance, and an unbiased expert conducts the audit of each company.
Why does it matter?
Health systems are vulnerable to two basic kinds of breach: external attacks and internal errors.
Ransomware attacks more frequently target healthcare than any other industry. Patient health information is considerably more valuable than a Social Security or credit card number on the black market.
But while hacking and malware are the most high-profile threats to health systems, accidental disclosures are a major problem as well. (The most frequent culprit varies from quarter to quarter, and year to year.)
An effective security system protects against both.
And while the number of breaches has actually declined in recent years, individual incidents are becoming more severe. The average number of people affected per breach more than doubled between 2017 and 2018, a Bitglass report found.
In short, there’s a lot at stake for health systems, which bear an enormous responsibility toward their patients. Our HITRUST CSF Certification helps us ensure that patient health information is kept safe from both external threats and internal errors.
How did WELL get HITRUST CSF Certified?
An authorized third-party, external assessor — in this case, the widely respected firm BDO — conducted a wide-ranging audit of WELL’s security operations and architecture. We then submitted the BDO report to HITRUST’s governing body so they could perform their own assessment.
Using two different layers of review by two different assessors is deliberate. It’s designed to ensure that no corner of a company’s security protection goes untested.
How long does HITRUST certification last?
HITRUST certification is valid for two years. About one year in, HITRUST will conduct an interim review, just to make sure we haven’t made any significant changes or experienced any breaches.
How does HITRUST help WELL clients?
Essentially, it means that clients can be completely confident in WELL’s handling of sensitive information, whether it’s being transferred or stored. As BDO’s National Health IT Leader, Deepak Chaudhry, put it: “WELL has made sure to consider the end-to-end data flow process, and they’ve conscientiously deployed all the necessary controls to best address safety, privacy, and potential risk.”
And in turn, WELL’s HITRUST CSF Certification means it’s easier for our clients to prove the safety of their own patient data during assessments or audits. This is precisely why vendor assessment programs are placing a higher emphasis on security requirements: It not only means greater assurance, but also cost and time savings for health systems during third-party reviews.
This was a comprehensive undertaking — exactly as it should have been — but we’re so glad we went through the process. We know what an extraordinary responsibility it is to be entrusted with sensitive data, and we want our customers to know we’re worthy of their faith in us. ♥
Talya Meyers is WELL’s former Health Editor. Talya began her career in academia before transitioning to writing full time. She has written for Smithsonian Magazine online, BBC Future, Refinery29, and the Los Angeles Times, among other venues. She is a graduate of U.C. Berkeley and Stanford University.