As a data protection standards development and certification organization, HITRUST helps organizations safeguard sensitive data and manage IT risk across all industries and throughout the third-party supply chain. Since it was founded in 2007, the HITRUST Common Security Framework (CSF) has become the gold-standard compliance framework in the healthcare industry because it addresses the requirements of existing standards and regulations including HIPAA, PCI, COBIT, NIST, ISO, FTC, and state laws.
To become HITRUST certified, an organization must first complete a HITRUST CSF Readiness assessment to determine how its current security and privacy controls align with the requirements defined in the HITRUST CSF. The organization can then select a certified HITRUST CSF Assessor Firm, which will perform several risk assessments, audits, and quality assurance procedures over the course of two to four months.
The HITRUST CSF has 19 different domains including healthcare data protection and privacy, endpoint protection, mobile device security, incident management, and disaster recovery. An organization will be scored on these assessments and must meet a minimum compliance level to become HITRUST certified.
Research has shown 97 percent of organizations that pursue a HITRUST Certified Security Framework certification rapidly improve their information security posture to meet certification and, most importantly, maintain their security posture. Furthermore, with a mature information protection program in place, organizations are less likely to suffer a breach and are more likely to be able to contain and minimize the impact of a breach, should one occur.
Organizations that implement a robust information security continuous monitoring (ISCM) program such as HITRUST to continually assess the state of their information security controls not only achieve higher levels of maturity, but also make better and more timely decisions.
Today, the average cost of a healthcare data breach is $429 per record. When organizations factor in the loss of productivity, the number of civil complaints and fines levied, plus the damage to their public reputation, the cost implications skyrocket. In 2018, the Department of Health and Human Services Office for Civil Rights concluded a record year in HIPAA enforcement activity: 10 settlement cases and one judgment totaled a whopping $28.7 million.
Though every industry is susceptible to cyberattacks, healthcare has experienced the largest growth in attacks over the years because patient records, insurance information, and social security numbers are more valuable on the dark web. Unfortunately, legacy systems may be to blame for the uptick in cyberattacks. Forescout researchers determined that 53% of common medical devices are still operating on traditional, legacy platforms.
Legacy systems, insufficient access controls, and the proliferation of medical IoT devices have created security vulnerabilities that leave hospitals wide open to cyberattacks. Research from Vectra found that the majority of legacy systems are unsecured because healthcare organizations simply can’t afford the amount of downtime that patching requires.
To guarantee that unstructured data is transmitted securely, healthcare organizations must extend their analog fax machines to a hybrid-cloud network that is HIPAA compliant and provides end-to-end encryption, two-factor authentication, and direct faxing capabilities.
By leveraging the cloud and delivering all faxes via HTTPS, outdated fax boards, media gateways, and the complex telephony stack are eliminated. Unlike a legacy analog fax infrastructure, hybrid cloud technology can ensure that time-sensitive protected health information (PHI) is delivered within seconds with high-resolution, near-diagnostic image quality, and the highest levels of encryption. The accessibility of fax, coupled with the scalability of the cloud, ensures the exchange of PHI among the healthcare ecosystem is protected. This allows patients to receive high-quality care without compromising their personal information.
Healthcare organizations know just how important it is to comply with the HIPAA Privacy Rule to protect sensitive and unstructured data such as patient records, scripts, discharge summaries, medical forms, authorizations, prescriptions, and insurance claims. However, in the event of an emergency, HIPAA compliance is usually the last thing on people’s minds. As a result, hospitals are often granted a HIPAA waiver of up to 72 hours from the time they first implement their disaster protocol. Unfortunately, without a HIPAA waiver, hospitals may face substantial liabilities and penalties for non-compliance.
Even worse, if a hospital’s network is affected by a natural disaster, cyberattack, or system outage, doctors may not be able to access medical records and patients will not receive the proper care. With any type of downtime, some disruption within a hospital is expected to occur. In some cases, these disruptions could be life-threatening. Reports have shown that more than 2,100 patient deaths are linked to hospital data breaches each year. Unfortunately, doctors are often so preoccupied with remediation activities after a breach occurs that patients no longer receive quality care.
Secure exchange network
To prevent tragedies, human errors, and system failures from occurring in the event of an emergency, healthcare organizations must utilize a HIPAA compliant, secure, and trusted network. The ideal secure exchange network will leverage hybrid cloud technology and military-grade encryption to provide 100 percent secure communications at all times. Document and fax transmissions sent via a trusted network will never traverse an external telephone network and, therefore, will remain secure between the remote client site and the secure exchange network at all times.
In addition to a secure exchange network, having a complete disaster recovery solution in place is business-critical. A disaster recovery solution works to ensure that organizations never experience downtime while inbound and outbound fax communications remain secure and protected from technical failures due to catastrophic events and natural disasters.
Government regulations require that specific industries, such as healthcare and financial services, comply with data privacy regulations. These compliance requirements serve to protect private, confidential, and sensitive information from unwanted intruders that could attempt to intercept files in transit. Though organizations can take measures to ensure that their email solutions meet these requirements, an email message will typically pass through multiple servers before it reaches the final point of delivery. This indirect transmission method leaves mission-critical documents and other unstructured data potentially vulnerable.
Last year, the Federal Bureau of Investigation implemented a new policy prohibiting Freedom of Information Act (FOIA) requests via email. Now, people requesting public records must use fax machines, standard mail, or the FBI’s online portal to communicate with the agency’s records management division. While many thought it was a step backward for the FBI to use “archaic technologies” such as fax, industry veterans applauded the FBI’s decision to use one of the most trusted document delivery methods available today.
Communicating via email has many severe disadvantages and vulnerabilities, including the ever-present threat of hacking and of hard-drive or server crashes that can compromise sensitive and confidential data. Despite its antiquated image, fax can ensure security, compliance and the guaranteed delivery of business-critical information better than email can. Fax’s key role in healthcare data security best practices is the reason why the online fax market is projected to be worth $2.4 billion by 2022.
To guarantee the secure transfer of information between two endpoints, the ideal fax solution must utilize well-defined end-to-end encryption methods such as those defined in the Elliptic Curve Integrated Encryption Scheme (ECIES). This hybrid encryption scheme uses Elliptic Curve Cryptography to generate a shared secret between peers to seed the encryption process with unique keying material, while signing and authentication mechanisms assure the validity of the data in transit.
End-to-end encryption not only protects data at each endpoint, it also protects data at rest. Since information is never decrypted and re-encrypted along the way, even if a third party were to snoop on the information in transit, it would be indecipherable. Most importantly, end-to-end encryption schemes allow secure transmissions even over unsecured channels.
Hybrid Cloud Technology
While traditional fax transmissions are hampered by limitations associated with PSTN and telephony infrastructure at “analog modem speeds”, the cloud (a digital network) can offer a different and more effective approach. By leveraging the cloud and delivering all faxes via HTTPS, outdated fax boards, media gateways, and the complex telephony stack are completely eliminated.
In this series, we are featuring some of the thousands of vendors who will be participating in the HIMSS15 conference and trade show. Through it, we hope to offer readers a closer look at some of the solution providers who will either be in attendance – with a booth showcasing and displaying key products and offerings – or that will have a presence of some kind at the show – key executives in attendance or presenting, for example.
Even as HIMSS Media has said that its employees will be making more of an effort this year to cover the trade show floor and its vendors and events, hopefully this series will give you a bit more useful information about the companies that help make this event, and the industry as a whole, so exciting.
Founded in 2009, etherFAX offers a solution that extends existing fax server solutions to the cloud. By eliminating the need for costly network fax systems, such as fax boards and recurring telephony fees, etherFAX leverages the Internet to manage all business-critical fax communications for healthcare organizations.
etherFAX was established in 2009 and leverages talent with 30-plus years of experience designing and developing fax technology solutions. By eliminating the need for costly components such as fax boards, media gateways, and telephony infrastructure, etherFAX’s namesake technology, network and datacenter solutions leverage the Internet to manage business-critical fax communications.
As a hybrid fax solution, etherFAX eliminates the complexities and costs of provisioning SIP, T.38, PRI, T1, and other analog connections. By simply connecting on-premise fax server resources to etherFAX, all fax communications are securely delivered via the cloud. Say goodbye to expensive fax hardware, complex fault-tolerant designs, and costly disaster recovery solutions. etherFAX is the fax board in the cloud, capable of processing billions of faxes.
etherFAX serves the healthcare market by securely transmitting electronic health records (EHRs), electronic medical records (EMRs), health information exchange data (HIEs) and unstructured patient data. etherFAX enables healthcare organizations and medical groups, insurance companies and billing operators to securely transport data and ensure compliance with government mandated regulations such as the Health Insurance Portability and Accountability Act (HIPAA).
Fully integrating with existing fax servers and applications such as EMR solutions and healthcare management systems, etherFAX leverages the Internet to manage all healthcare-critical fax communications without capacity constraints.
Services and Products Offered
HIMSS 15 Focus:
o etherFAX – Extending existing fax server solutions to the cloud, etherFAX eliminates the need for costly network fax systems, such as fax boards and recurring telephony fees. etherFAX leverages the Internet to manage all your business-critical fax communications.
o etherFAX SEN – Gives healthcare and enterprise organizations the capability to create their own private fax network to ensure secure data and document transmissions. Offering a simple and unique approach to document delivery, etherFAX SEN offers speed, performance and reliability without compromising security.
o etherFAX A2E – The etherFAX A2E device, manufactured by MultiTech, provides a plug-and-play device that enables organizations to extend their existing fax machines to the cloud.
o etherFAX DR – Provides immediate failover for all business-critical fax communications, ensuring uptime when existing telephony equipment fails, such as fax boards, PRI lines, servers and applications.
o etherFAX Toolkit – Integrating fax capabilities within applications has never been easier with the etherFAX API. The solution provides the capability to fax-enable custom developed applications in addition to enterprise resource planning (ERP), document management systems, etc.
o etherFAX Colocation Services – etherFAX provides highly-secure, protected, and climate-controlled colocation services that are capable of supporting the most complex business-critical IT environments.
It’s obvious from the varying responses below that there are a plethora of health IT issues affecting a number of areas in and throughout hospitals. In reviewing a number of healthcare issues, the following thought leaders offer what they feel are the top IT issues in healthcare.
As is often the case in profiles such as this, the responses are diverse and varied. Do you agree with their assessments?
I work with hospitals nationwide and I find that the top issues facing the hospital are:
1. How to align the interests of the physician with the hospital in a world where the hospital takes risk? Physicians used to get paid by “time and material” in the old world and the hospital got paid by “contracted costs.” The new reality has both the physician and the hospital getting paid a fixed amount to then manage the cost of healthcare on a “fixed price” for lack of a better word. IT challenges: The tools in the “time and material” world are unsuitable to manage the new reality in a “fixed price” world. This is a top challenge.
2. Real-time P & L — If you ask a hospital CFO what the profitability of the current patients in Unit 10 is, they would give you a blank stare. This is because they do not know what they are going to get paid (the DRG or diagnosis-related group reimbursement), much less what their current costs are. Thus, the lack of visibility into managing costs creates havoc. IT challenges: Systems that can develop a view into costs and projected revenue require a lot of specialized people to provide the information, even in hospitals that have a partial solution. Most hospitals do not know where to turn for new ways of thinking. This is a big IT challenge.
Doug Nebeker, owner and technical expert, Power Admin LLC
Staying on top of compliance and auditing tasks is a top issue facing hospital IT departments today. As more and more data moves into the digital space, IT departments can easily become overwhelmed as staff gets bogged down with the tedious task of trying to keep track of what’s happening where in the system. Network monitoring software is seeing a boom as a result, quickly becoming an IT necessity for managing increasingly complex network auditing and compliance processes. Technology is meant to help, not hinder, and so as we continue to utilize it in new ways we must ensure our process management keeps pace.
Hospitals and other healthcare organizations will always have the need to exchange “unstructured” data. While there is a large focus on meaningful use, ICD and other mandates, many hospitals and organizations are not taking into account the need to quickly, affordably and securely transmit unstructured data while also staying HIPAA compliant. One of the main issues is that public cloud services are not HIPAA compliant. Healthcare organizations can work around this by extending their existing fax server solutions to the hybrid cloud, allowing both custom and popular EHR applications to communicate with each other via a private secure network, guaranteeing delivery with military grade end-to-end encryption. By eliminating the need for costly and cumbersome network fax systems, such as fax boards and recurring telephony fees, hospitals can leverage the hybrid cloud to swiftly manage all business-critical fax communications while staying HIPAA compliant.
David S. Finn, CISA, CISM, CRISC, ISACA professional influence and advocacy committee member, health IT officer, Symantec
Healthcare is undergoing fundamental changes in reimbursement, care delivery models and the technology required to make these changes. Technology and information is no longer an adjunct to the business of healthcare — it is a strategic imperative. This information, however, is among the most regulated and protected information under the law. The data must be shared more widely with more people and organizations, all the while with stricter security and privacy controls. At a high level, the most critical issues facing health IT are:
1. Security and Privacy
Healthcare, historically, has not invested in nor staffed appropriately in terms of Privacy and Security. Providers and business associates need to catch up with other regulated industries and those targeted for the value of their data.
2. Data Management
The digitization of healthcare has led to the massive collection of data. As healthcare becomes more dependent on this data, the storage, protection, back-up and recovery of the data is critical. It must include disaster recovery/business continuity.
3. Interoperability and Information Exchange
Affordable Care Organizations (ACO), health information exchanges (HIE) and new care delivery models (home care, remote monitoring and other requirements) will drive information exchange.