In an effort to stabilize the health insurance market and provide additional ways for consumers to access coverage, the Center for Consumer Information and Insurance Oversight (CCIIO) and the Centers for Medicare and Medicaid (CMS) have launched a new streamlined and simplified enhanced direct enrollment (EDE) process. “Operational Readiness Review for Enhanced Direct Enrollment Pathway”
Businesses continue to innovate and adopt new technologies with the goal of making operational processes more efficient. Recently, the newest technology trend, blockchain, has gained much attention from companies, technology innovators, and regulators. Although the technology itself is not new, its adoption into the commercial world is. “Security Considerations for Using Blockchain Technology in Healthcare”
SECURETexas was created per Texas House Bill 300 in 2011 to help covered entities in Texas demonstrate that they have met privacy and security standards to reduce regulatory penalties, mitigate risk, and increase business partner and consumer confidence in the protection of protected health information (PHI). “SECURETexas Certification – Is It Right for Your Organization?”
As the data breach landscape in the healthcare industry evolves, so do organizations and their compliance with regulatory requirements. Doing ‘nothing’ to protect healthcare data is no longer an acceptable approach for small healthcare entities. “HITRUST CSFBASICs: A New Framework Designed for Smaller Healthcare Organizations”
The HITRUST Alliance has appointed Steve Simmons, Director of Compliance at A-LIGN, and Blaise Wabo, Senior Manager at A-LIGN, to the HITRUST CSF Assessor Council. “HITRUST Appoints Steve Simmons and Blaise Wabo to the HITRUST CSF Assessor Council”
The healthcare environment is extremely dynamic, forcing organizations to find the right solution to match the rising challenges. Many of these solutions introduce new and emerging technologies, leaving healthcare organizations with increased vulnerabilities. Healthcare organizations of every size and type can be breached, so exploring every security solution is critical. In 2016, major cyber-attacks on healthcare increased by 63%, resulting in 93 major cyber-attacks including:
- Banner Health – 3.6 million records
- Newkirk Products – 3.4 million records
- 21st Century Oncology – 2.2 million records
As we move closer to year-end, many organizations begin strategic planning for 2018. Security and privacy statistics within healthcare underline new trends including emerging threats and evolving regulations. Considering these potential industry challenges, which are anticipated to grow in size and severity, A-LIGN has released Future of Healthcare: The Transforming Healthcare Industry.
This whitepaper can be used as a guide to educate your organization and its employees to begin appropriately preparing for 2018 security and compliance initiatives by providing valuable insights, regarding the industry, regulations, and the security measures your organization can enact to prevent and protect against a potential cyber-attack. A-LIGN’s experienced assessors have more than 20 years of experience in the data protection and security industry, and intimately understand the environment from both the client and assessor perspective.
“As we monitor and analyze the current healthcare landscape, it’s apparent that many organizations are becoming vulnerable to new and emerging risks. Therefore, we seek to empower our clients through education and security audits, to prevent them from becoming a victim of a cyberattack and enhancing their information security,” said Steve Simmons, HITRUST Assessor Council Board Member and Director of Compliance at A-LIGN.
The Future of Healthcare: The Transforming Healthcare Industry whitepaper provides your organization:
- An overview of the security and privacy landscape within healthcare including trends, statistics, and potential risks
- A review of the evolving healthcare regulations, specifically HITRUST, its recent revisions and the 2017 roadmap
- A description of compliance and audit solutions configured for both the healthcare industry and HITRUST regulation
To tackle information security challenges, organizations must begin to take the first step to protecting their data. Click here to download A-LIGN’s whitepaper, Future of Healthcare: The Transforming Healthcare Industry.
The Death Master File (DMF) is a protected file that includes information regarding the deceased such as:
- Date of Birth
- Date of Death
- Social Security Number
Since November 28, 2016, organizations have faced a stricter certification process to be granted access to the DMF. In that time, A-LIGN has served as an Accredited Conformity Assessment Body (ACAB) that has submitted written attestation to validate that the appropriate controls are in place to maintain the confidentiality and security of DMF information. Senior Manager, Sue Wells, took the time to discuss the challenges that organizations face when seeking DMF certification and how A-LIGN can help.
Death Master File FAQ
What lessons have we learned from our DMF successes, as assessors, that we can utilize to help future clients that require DMF access?
Some of our DMF clients have never had any type of audit before, so there is a learning curve for those organizations to understand the process, such as document requests. Organizations that have never been certified before need to understand the steps to achieve certification:
- A-LIGN conducts testing against the approved standard.
- Once testing is complete, organizations must go to the National Technical Information Service (NTIS) website to pay the required fees. Organizations pay $1,575 annually for certification to NTIS, and an additional $525 every 3 years when 3rd party certification must be completed again. These fees are separate from those paid to the ACAB for attestation, as they are paid directly to NTIS. Once fees are paid, the organization will be provided a processing number.
- From there, organizations must obtain the attestation form from the NTIS website and provide A-LIGN with the processing number to complete the attestation.
- A-LIGN files the attestation documentation.
What information do companies seeking DMF certification need to know regarding their vendors and how they may impact their ability to be certified?
If significant technical safeguards used to protect the DMF are provided by a third party, the organization may have to obtain information directly from that third party to provide to A-LIGN, as the DMF attestation form does not provide the ability to carve out other organizations. In this event, the third party’s technical safeguards would need to be verified.
What standards can organizations certify against?
Since 2015, A-LIGN has successfully helped several organizations achieve certification by certifying against standards such as SOC 2, PCI DSS, and NIST 800-53.
Helping You Achieve DMF Certification
NTIS can conduct both scheduled and unscheduled compliance audits, and organizations that fail to comply with the set provisions may be subject to fines of up to $250,000 per year. As an ACAB, A-LIGN can attest to your organization’s ability to protect DMF information. We have extensive experience in testing the required controls and can guide your organization through the certification process with ease.
Have questions about accessing the DMF? Contact us at firstname.lastname@example.org or call 1-888-702-5446 to have an experienced assessor answer your questions regarding DMF certification.
A-LIGN, a global information security and cyber risk advisory, and compliance solutions provider, is committed to staying current on emerging regulations and changes in security frameworks. On September 19, A-LIGN Managing Consultant and HITRUST CCSFP, Blaise Wabo, will host a HITRUST webinar called Using HITRUST CSF v9 to Meet Your Compliance Requirements, to educate healthcare organizations on the changes announced in HITRUST CSF v9. You can register for the webinar here.
Blaise Wabo will lead this webinar by addressing the healthcare risk environment, citing the emerging trends and technologies that make standards like HITRUST necessary, reviewing the incorporation of guidance such as the FFIEC Information Security Examination Handbook, and observing how HITRUST can be used to support regulatory needs.
“As technology in the healthcare industry evolves and hackers become more sophisticated, it’s important that organizations and their business associates adapt their security programs to efficiently manage regulatory compliance and risk management. The updates to HITRUST CSF v9 help maintain relevance by addressing new and emerging risks faced by the healthcare industry,” said Blaise Wabo.
A-LIGN has published numerous resources to assist organizations in navigating the compliance landscape, including a whitepaper called How HITRUST Mitigates the Challenges Facing Healthcare, illustrating how HITRUST can be implemented to minimize risk and alleviate pain points found in healthcare organizations.
“Our goal is to help simplify security solutions, such as HITRUST to help healthcare organizations achieve their compliance initiatives. By monitoring industry trends and providing educational resources, we can empower organizations and help them protect against the evolving information security risks within healthcare,” said Director of Compliance, Steve Simmons.
Statistics show an exponential growth in data breaches within the healthcare industry with projected continuous growth throughout 2018. To tackle information security challenges, organizations must begin to take the first step to protecting their data.
Are you looking for more information on HITRUST CSF and ways to build a security program at your healthcare organization? Contact the security professionals at A-LIGN at info@a-lign or 888-702-5446 to find out how we can help.
Register for the webinar here: http://bit.ly/2x1YOm1
A-LIGN’s HITRUST Assessors are often asked: What is HITRUST and why do I need it? As healthcare organizations face stricter regulatory needs in light of an increase in healthcare-related breaches, many organizations are considering HITRUST as an option for risk management and mitigation.
What is HITRUST?
HITRUST, or the Health Information Trust Alliance, was created in order to develop a consistent system for healthcare organizations and business associates to manage information security. The scalable framework is valuable to any organization that creates, accesses, stores or exchanges personal health information or financial information.
HITRUST uses many existing standards and regulations as a framework, such as HIPAA, HITECH, PCI DSS, COBIT, NIST, ISO and more. By utilizing a variety of standards, the HITRUST Common Security Framework (CSF) offers extensive certification options for organizations. These include a variety of different implementation requirements that depend on the risks that your organization faces, as well as prescriptive requirements that ensure clarity. Controls can be modified based on organization size and type, and on system and regulatory requirements.
Who requests that I become HITRUST certified?
Organizations are typically asked by their partners and/or business associates to provide a CSF Assurance report. For example, large healthcare organizations such as Anthem Inc., Health Care Services Corp., and Highmark Inc., are requiring that their business associates take steps to become HITRUST CSF compliant.
Why do I have to do it?
Many organizations require that their business associates and partners utilize HITRUST as a consistent information security system. As a result, becoming HITRUST compliant allows your organization a point of differentiation amongst competition.
Additionally, becoming HITRUST compliant allows your organization to minimize the risk of a potential breach, which can be damaging to client relationships and the reputation of your organization. Click here to learn more about our HITRUST services.