Cyberattacks in the healthcare industry show no signs of abating. In 2018, digital criminals breached 15 million healthcare records. Alarmingly, in the first half of 2019 alone, 32 million healthcare records were compromised as a result of multiple security incidents. Among those was the American Medical Collection Agency (AMCA) breach, an event which affected 24 million patient records when an unauthorized user accessed systems that contained sensitive information. The breach ultimately led AMCA to file for bankruptcy, and it affected over 20 AMCA customers like Quest and LabCorp.
Despite the growth in cyberattacks in the healthcare industry, healthcare organizations continue to underinvest in cybersecurity. Compared to other industries like the financial industry, which invests 15% of revenue on cybersecurity initiatives, the healthcare industry invests only 4-7% of revenue.
Healthcare organizations under-invest in cybersecurity, even though the industry incurs the highest per capita cost of a breach. According to the IBM 2019 Cost of a Data Breach Report, the average cost per breached record in healthcare is $429. Although the financial industry has the second-highest average cost per breached record at $210 per breached record, healthcare incurs more than double the cost than finance.
To mitigate breaches to confidential patient information, HIPAA was instituted to ensure the confidentiality, integrity and availability of protected health information, so it came with attendant fines for non-compliance. To improve their cybersecurity posture and avoid fines, many healthcare organizations have taken steps to ensure that they comply with HIPAA and that they pass the HIPAA audits.
Recognizing the need to improve their security posture, many mature healthcare organizations have adopted industry-standard frameworks like NIST and CIS. Also, many healthcare organizations recognize their need to achieve compliance with other regulatory standards like PCI and SOX. Yet the spate of breaches in healthcare demonstrates that achieving compliance does not guarantee a secure environment, especially when healthcare organizations focus on passing audits at a point in time.
While healthcare organizations marshal resources to ensure they pass audits, the organization returns to business as usual, leading to a less secure posture over time. As a result, mere compliance with security standards has had a limited impact on the security posture of healthcare organizations.
Achieving and maintaining compliance with these various, complex, ever-changing standards and regulations can be burdensome for healthcare organizations. This challenge is only exacerbated by the technical skills gap. Organizations, especially healthcare organizations, continue to be challenged with hiring, retaining and training cybersecurity professionals. Recent statistics show that there will be 3.5 million unfilled cybersecurity positions globally by 2021.
The HITRUST Common Security Framework (CSF) was introduced to ameliorate the challenges healthcare organizations face in trying to achieve compliance with the various, complex and evolving standards and frameworks. HITRUST CSF incorporates existing standards and regulatory policies like HIPAA, PCI, NIST, ISO into an overarching comprehensive framework that remains sufficiently prescriptive in how control requirements can be scaled and tailored for healthcare organizations of varying types and sizes.
However, attempting to attest to the HITRUST CSF using manual methods negates the benefits of the HITRUST CSF, as this greatly increases the chances of error. In addition to the extra time and effort that is required to track compliance manually, which is only compounded around audit time, information that is manually collated into a report is hard for an auditor to verify.
As a result, Tripwire partnered with HITRUST to help healthcare organizations automate HITRUST CSF compliance. Tripwire is one of only two cybersecurity providers to have partnered with HITRUST for the automated reinforcement of CSF compliance. Tripwire has the industry’s largest platform and policy coverage, including legacy systems. It has a proven track record of helping organizations achieve and maintain compliance with HIPAA, PCI and SOX as well as adhere to security frameworks like NIST and CIS.
Now, Tripwire can help organizations automatically achieve and maintain compliance with HITRUST CSF as well as prove compliance with out-of-box, HITRUST-certified reports. This helps them:
- Quickly achieve and maintain compliance, including audit-ready proof of compliance
- Accurately align with the HITRUST CSF with Tripwire’s HITRUST-certified mapping
- Keep up with new HITRUST CSF versions while strengthening your cybersecurity posture
Please join us for a special healthcare cybersecurity webcast on Tuesday, February 11th, 2020. In the webcast, you’ll learn about how Tripwire’s automated HITRUST CSF compliance can help your organization meets its compliance needs. We hope you can join us!