Cyberattacks in the healthcare industry show no signs of abating. In 2018, 15 million healthcare records were breached. Alarmingly, in the first half of 2019 alone, 32 million healthcare records were compromised as a result of multiple incidents, including the American Medical Collection Agency (AMCA) breach.
At AMCA, 24 million patient records were affected when an unauthorized user accessed systems that contained sensitive information such as Social Security numbers, provider names and medical information. The breach ultimately led to AMCA filing for bankruptcy, and it affected over 20 AMCA customers, including Quest and LabCorp.
Despite the growth in cyberattacks in the healthcare industry, healthcare organizations continue to underinvest in cybersecurity. Whereas the financial industry invests 15% of revenue in cybersecurity initiatives, the healthcare industry invests only 4% to 7% of revenue.
Healthcare organizations under-invest in cybersecurity even though the industry incurs the highest per-record cost of a breach. According to the IBM 2019 Cost of a Data Breach Report, the average cost per breached record in healthcare is $429. The financial industry has the second-highest average at $210 per breached record, so healthcare incurs more than double the cost that finance does.
To protect confidential patient information, HIPAA was enacted to ensure the confidentiality, integrity and availability of protected health information, and it carries fines for non-compliance. To improve their cybersecurity posture and avoid those fines, many healthcare organizations have taken steps to ensure they comply with HIPAA and can pass HIPAA audits.
Recognizing the need to improve their security posture, many mature healthcare organizations have adopted industry-standard frameworks like NIST and CIS. Also, many healthcare organizations recognize their need to achieve compliance with other regulatory standards like PCI and SOX. Yet the spate of breaches in healthcare demonstrates that achieving compliance does not guarantee a secure environment, especially when healthcare organizations focus on passing audits at a point in time.
Healthcare organizations marshal resources to pass an audit, then return to business as usual, and their security posture erodes over time. As a result, mere compliance with security standards has had a limited impact on the security posture of healthcare organizations.
Achieving and maintaining compliance with these various, complex, ever-changing standards and regulations can be burdensome for healthcare organizations. The challenge is exacerbated by the technical skills gap: organizations, and healthcare organizations in particular, continue to struggle to hire, retain and train cybersecurity professionals. Recent industry estimates project 3.5 million unfilled cybersecurity positions globally by 2021.
The HITRUST Common Security Framework (CSF) was introduced to ameliorate the challenges healthcare organizations face in trying to achieve compliance with the various, complex and evolving standards and frameworks. HITRUST CSF incorporates existing standards and regulatory policies like HIPAA, PCI, NIST, ISO into an overarching comprehensive framework that remains sufficiently prescriptive in how control requirements can be scaled and tailored for healthcare organizations of varying types and sizes.
However, attempting to attest to the HITRUST CSF using manual methods negates the benefits of the framework, because manual collection greatly increases the chance of error. Beyond the extra time and effort required to track compliance by hand, which is only compounded around audit time, information that is manually collated into a report is hard for an auditor to verify.
As a result, Tripwire partnered with HITRUST to help healthcare organizations automate HITRUST CSF compliance. Tripwire is one of only two cybersecurity providers to have partnered with HITRUST for the automated reinforcement of CSF compliance. Tripwire has the industry’s largest platform and policy coverage, including legacy systems, with a proven track record of helping organizations achieve and maintain compliance with HIPAA, PCI and SOX as well as adhere to security frameworks like NIST and CIS.
Now, Tripwire can help organizations automatically achieve and maintain compliance with HITRUST CSF as well as prove compliance with out-of-box, HITRUST-certified reports. This helps them:
- Quickly achieve and maintain compliance, including audit-ready proof of compliance
- Accurately align with the HITRUST CSF with Tripwire’s HITRUST-certified mapping
- Keep up with new HITRUST CSF versions while strengthening their cybersecurity posture
Download your copy of the solution brief to learn how Tripwire® Enterprise can help healthcare organizations automate HITRUST compliance with advanced HITRUST-certified reporting, broad platform support and remediation guidance.