In response to increasing regulatory and customer pressure to protect patient data, business associates are outsourcing their HIPAA compliance and cybersecurity programs to third-party healthcare privacy and security firms. This managed service approach results in a high-quality, efficient, and continuous HIPAA compliance and cybersecurity program that impresses prospective customers and allows the business associate to focus on its strategic growth initiatives.
A Strong HIPAA Privacy and Security Program Creates a Competitive Advantage
Healthcare’s demand for new technology, cost reduction, and patient-centric care has led thousands of technology and services companies to expand into the healthcare industry. This trend has created a surge in third parties handling an increasing amount of electronic protected health information (ePHI). These companies are business associates under HIPAA and must comply with HIPAA regulations as well as their customers’ ever-growing cybersecurity requirements.
Third-party breaches of ePHI were responsible for 60% of individual records exposed through a breach in 2019,1 and as a result healthcare providers and payors have become increasingly concerned about third-party risk. HIPAA compliance is critical, but it is only a baseline for a strong cybersecurity program. For any organization that wants to do business with health systems or other large providers, a best-in-class cybersecurity and cyber risk management program is table stakes. A seat at the table may be granted or denied based on the company’s response to the customer’s inevitable security questionnaire. There is no tolerance for cutting corners or claiming ignorance. Healthcare customers expect their vendors to have robust HIPAA compliance and cybersecurity programs in place.
Clearwater’s recent white paper, 10 Ways Business Associates Can Turn Their HIPAA Compliance and Cybersecurity Program into a Competitive Advantage, reviewed the key elements of a robust HIPAA compliance and cybersecurity program. The white paper discusses how creating and executing a strong program differentiates a company from other vendors by showing potential customers that working with you carries less risk than working with your competitors.
Once a business associate recognizes that it must raise the bar, and invest in a comprehensive HIPAA compliance and cybersecurity program, it must then decide whether to build and maintain the program on its own, or partner with a trusted service provider. As discussed in the remainder of this post, there is a strong case for outsourcing this program as a managed service to a healthcare privacy and security expert.
The Case for Outsourcing a HIPAA Privacy & Security Program
Developing Internal Expertise is Difficult
Often, even the largest companies that are new to healthcare do not have the expertise required to create a HIPAA compliance and cybersecurity program that demonstrates to customers they can protect patient data better than others. There are many specific compliance requirements and nuances that are unique to the healthcare industry and must be implemented and followed in specific ways. While not impossible, using internal resources to build, mature, and execute a high-quality HIPAA compliance and cybersecurity program is easier said than done.
Business associates that have attempted to create and manage their own programs using internal resources often find the approach extraordinarily difficult, time consuming, and expensive. For some organizations, the person leading the program has several other responsibilities, may lack domain expertise, and cannot give the program the attention it requires. Even when an organization can do it internally, it rarely makes sense to do so when the function can be outsourced to a service provider that specializes in HIPAA compliance and healthcare cybersecurity and has the resources and focus to stay current with regulatory changes and the rapidly evolving threat landscape.
Healthcare Privacy & Security Talent is Scarce
Healthcare organizations often struggle to find and retain security leaders with the skillset to manage the complex privacy, security, and compliance demands of the healthcare environment. Creating and managing a security program that is acceptable for a company handling ePHI requires many years of experience in a healthcare setting. This is not an easy job, nor is it easy to find talent to do it. According to a recent Ponemon study, 79% of healthcare organizations said it was difficult to fill CISO positions, and 51% currently did not have a CISO role.2 As difficult as it is to recruit a CISO, retaining one may be even harder: ZDNet recently reported that the average tenure of a CISO is just 26 months.3
Additionally, while cybersecurity is often thought to be technical in nature, the reality is that security in healthcare involves a myriad of processes and procedures that go beyond technical controls. It requires a strong understanding of HIPAA, partnership with the privacy function, and a multifaceted, risk-based approach to security. In addition to these skills, an effective program requires strong leadership, direction, and focus to enact change and ensure the program is well executed.
Cyberattacks and Breaches are on the Rise in Healthcare
As discussed in Clearwater’s white paper The Year in Healthcare Information Security and Privacy Regulations and What Lies Ahead for 2020, healthcare breaches increased sharply in 2019. The number of breaches reported to the Office for Civil Rights in 2019 was 33% higher than in 2018, while the number of individuals affected by those breaches grew even more substantially, by 195%. The number and intensity of cyberattacks has increased further with the rise of telehealth and telework, which were rolled out rapidly to support social distancing during the COVID-19 pandemic.
Ransomware has reached an all-time high, as cyber criminals target the healthcare industry because providers, whose systems and data directly affect patient care, have shown a willingness to pay ransoms to unlock them. The influx of new information systems, the exponential growth in records, and the increased sharing of sensitive patient information create a growing attack surface, while the sophistication and intensity of threat actors continue to grow.
It is safe to say that any organization handling ePHI, even as a third-party business associate, is likely to be targeted by cyber criminals, as we saw in the 2019 breach involving the now bankrupt American Medical Collection Agency.4 Security programs must be built to the standards and expectations required to protect sensitive patient information, and they must be managed and adapted on an ongoing basis to address evolving threats. Assessing and responding to the risk of cyberattacks in a healthcare setting is a critical function and is best served by healthcare privacy and security experts.
Outsourcing Can Drive Cost Savings
In addition to the practical reasons for outsourcing a HIPAA compliance and cybersecurity program to an expert service provider, there is a compelling economic reason to do so. According to payscale.com, the average compensation for a Chief Information Security Officer (CISO) is $167,000 per year.5
Beyond security leader compensation, healthcare organizations incur other costs to execute an effective program. For example, healthcare compliance experts may be needed to develop or assess policies, procedures, and training programs in accordance with the HIPAA Security Rule. The business associate will also require tools and consultants to conduct its annual risk analysis and to perform penetration testing and vulnerability assessments on an ongoing basis. These and other costs, added to the cost of the CISO, can amount to an investment of hundreds of thousands of dollars annually.
By contrast, outsourcing the program to a service provider gives the business associate access to all of the service provider’s expert resources, along with an assigned virtual CISO. This approach creates efficiencies by consolidating services under a single vendor that manages the business associate’s entire program, at a total cost that is less than hiring a full-time CISO.
Focus on Building Your Business
Finally, by partnering with a third-party expert, a business associate can offload the distraction and burden of creating and managing its HIPAA compliance and security program to experts who do this work every day. The business associate also benefits from the experience its partner brings from working with hundreds of other companies in the healthcare industry. Such a partnership lets the business associate redirect its resources to building and operating its business while the partner focuses on protecting it. In the best partnerships, the service provider collaborates with the business associate on activities ranging from responding to customer security questionnaires to building a long-term security roadmap aligned with the business plan. The result is a strategic partnership in which both parties work toward the common goal of achieving the business associate’s strategic objectives.
An Effective Way to Meet Customer Demands
As digital transformation accelerates in healthcare, more vendors will handle larger amounts of ePHI while cyberattacks continue to increase. Healthcare organizations will continue to demand that their vendors bolster and mature their HIPAA compliance and cybersecurity programs. These programs are, and will remain, a competitive advantage for those who manage them well. Managing them internally will remain a challenge and a distraction for many companies. Outsourcing HIPAA compliance and cybersecurity programs to an expert in healthcare privacy and security is an effective way for business associates to meet customer demands, reduce costs, and, most importantly, focus internal resources on what matters most: serving their customers and growing their business.
This is part 1 of a two-part series focused on the case for business associates outsourcing their HIPAA compliance and cybersecurity programs. In part 2, Chris Cashwell, SVP of Healthcare Solutions for Digital Reasoning, discusses what to look for when selecting a vendor.
5. Estimated base plus bonus compensation in the Nashville area; pay varies in other parts of the country. https://www.payscale.com/research/US/Job=Chief_Information_Security_Officer/Salary/1c656d97/Nashville-TN