Strengthening Healthcare Resilience: A Vendor Checklist for Data Security and Business Continuity

Lizz Fuller, Director of Implementation at MDaudit

In the aftermath of the cyber-attack on Change Healthcare by the BlackCat ransomware group, a renewed interest has emerged in protecting operations and ensuring contingencies are in place. For impacted providers, the financial fallout from the attack is estimated at $500 million to $1 billion per day and climbing, driving home the fact that business continuity is everything in the aftermath of a cyber-attack.

Presently, many healthcare organizations remain in limbo after the attack, which exposed 6 terabytes of sensitive patient data, without access to important services such as claim processing for prescriptions and daily workflows around auditing and reporting. While Change is working to fully restore the more than 100 applications across pharmacy, medical record, clinical, dental, patient engagement, and payment services it was forced to disconnect, recovery will be a long, slow, painful process for all.

The scale of the attack and breadth of its impact exposed the reality that cybersecurity is something everyone recognizes but few understand. It has also driven home how important three activities are to a successful cybersecurity program: staying current on the latest security advisories, rapidly identifying and patching vulnerabilities, and proactively working to protect against whatever may be on the horizon.

Another important aspect of cybersecurity for providers and payors is ensuring any vendor that touches their data has the appropriate security measures in place to protect that data and ensure continuity should a breach occur.

A Vendor Data Security Checklist

Credentials are among the first items to verify in a vendor’s portfolio, including the data security certifications they hold. There are many valuable security certifications for SaaS (software as a service) companies, depending on their services and customer base. However, according to Astra, some of the most commonly suggested are:

HITRUST CSF – a gold standard in data security for organizations dealing with protected health information (PHI), the HITRUST Framework is a comprehensive, scalable, reliable, and efficient framework for risk management and regulatory compliance. Its core structure is based on ISO/IEC 27001 (see below) and 27002, and it incorporates more than 40 other security and privacy-related regulations, standards, and frameworks, providing comprehensive and prescriptive coverage.

SOC 2 (Service Organization Control Type 2) – a well-known and well-regarded certification for cloud service providers and any organization that stores customer data in the cloud, SOC 2 is a voluntary compliance standard developed by the American Institute of CPAs. It is based on the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Certification is issued by outside auditors based on their assessment of how well a vendor complies with those principles when managing customer data.

ISO 27001 – the world’s best-known standard for information security management systems (ISMS), ISO 27001 defines requirements an ISMS must meet and provides guidance for establishing, implementing, maintaining, and continually improving an information security management system. Conformity with ISO 27001 demonstrates that the vendor has in place a system to manage risks related to the security of data owned or handled by the company and that this system respects all the best practices and principles enshrined in the standard.

PCI-DSS (Payment Card Industry Data Security Standard) – for any organization that stores payment card information, PCI DSS is a widely accepted set of policies and procedures intended to optimize the security of credit, debit, and cash card transactions and protect cardholders against misuse of their personal information. Created by five major credit card companies (Visa, Mastercard, Discover, JCB, and American Express) with guidelines developed by the PCI Security Standards Council, PCI DSS was designed to prevent cybersecurity breaches of sensitive data and reduce the risk of fraud for organizations that handle payment card information.

HIPAA compliance for SaaS – for healthcare organizations that conduct electronic transactions, whether financial or administrative, HIPAA compliance for SaaS ensures software developers and service providers adhere to the administrative, technical, and physical safeguards of the HIPAA Security Rule. It also ensures they include capabilities that can be configured to support end-user HIPAA compliance.

Additionally, healthcare SaaS vendors should offer the following infrastructures and features within their platform or solutions:

Secure Cloud Infrastructure – used to process, store, and transmit PHI.

Secure Data Storage – protection for stored PHI in the form of data encryption, secured databases, and reliable backup procedures.

Multi-Factor Authentication – protects against unwanted user access, helping to prevent security breaches that can harm employees, patients, and the organization.

Single Sign-On (SSO) – a best-in-class identity and access management solution that ensures a platform can be trusted when managing user access and authentication.

Continuous Risk Assessment – a proactive approach to assessing and fixing evolving threats against a platform and any third-party relationships.

Ensuring Business Continuity

A business continuity plan (BCP) consists of the critical information an organization needs to continue operating during an unplanned event. It states the essential functions of the business, identifies which systems and processes must be sustained, and details how to maintain them.

A credible vendor should assist with detailing how to sustain and maintain productivity and security when faced with the threat of a cyber-attack – even if the solutions are not part of the client’s normal day-to-day workflow.

As a trusted partner and thought leader, a vendor should be capable of, and willing to be, a source of support that helps a company grow and, in challenging times, helps sustain operational continuity. They should be able to react quickly to support shifting workflows when challenges arise and provide opportunities to keep the stability of your program intact. They should do this by providing and supporting creative and innovative solutions so you and your organization can continue operations seamlessly.

The Change Healthcare attack, while devastating, also created novel opportunities for healthcare provider and payor organizations to explore creative solutions with their vendors while sustaining programs. It is an opportune time for healthcare organizations to strengthen and renew relationships with those partners who are in any way involved with sensitive data to build confidence in and protect their future operations.

About Lizz Fuller

Lizz Fuller is the Director of Implementation and Training with MDaudit, a leading healthcare technology provider that partners with the nation’s premier healthcare systems to reduce compliance risk, improve efficiency, retain revenue, and enhance communication between cross-functional teams. With over a decade of experience in healthcare IT, Fuller is a seasoned professional specializing in auditing and compliance implementation, with expertise in leading teams and ensuring successful project execution. Prior to MDaudit, she held various roles at athenahealth, where she contributed significantly to small group onboarding projects and quality assurance initiatives.