BLOG

Blog Post by Brian Selfridge, Partner at CORL Technologies

---

Healthcare has become a prime target for malicious actors bent on profiting from the resale and reuse of patient information. Healthcare entities are scrambling to sure up security controls for their own organizations and third-party business partners as the sprawl of patient information continues to drive widespread data breach events.

Many healthcare Covered Entities and Business Associates servicing the industry are pursuing or evaluating enterprise security certifications to provide assurance of their security program and control effectiveness to the market. Some of the most common security certifications and attestations in healthcare include SOC 2 (AICPA), HITRUST, and ISO.

The decision to acquire a security certification, however, is not always clear-cut. Below are some pros and cons for organizations considering if the timing is right to acquire a formal security certification.

THE PROS

• Security certifications have become a contractual requirement for third parties looking to do business with many of the nation's leading healthcare organizations
• In the case of an OCR audit, cybersecurity certifications demonstrate compliance with HIPAA regulatory requirements and provide a high degree of assurance to auditors
• Certifications compel the organization to adopt formal security policies, procedures, and controls and strengthen the overall security program, which reduces the likelihood and impact of breach events
• Certifications can significantly reduce the time spent responding to detailed security questionnaires and audits which can reduce sales cycles and cost
• Certifications in many cases can create a competitive advantage for products and services looking to demonstrate capabilities for protecting sensitive healthcare information
• In the event of a security breach and subsequent regulatory investigation, certifications can demonstrate that the organization took reasonable and appropriate efforts to comply with HIPAA security requirements and may reduce the amount of Civil Monetary Penalties
• Public trust and brand reputation can be enhanced for entities that formalize their commitment to securing sensitive patient information via a certification

THE CONS

• Annual recurring costs are often required to establish and maintain certification
• Audit and documentation collection and updates can become an added burden to often-strained IT teams
• Certifications may be encouraged or required by customers in highly regulated industries like Healthcare and Financial Services, but they may not drive as much value for businesses that operate predominantly in less-regulated sectors
• The scope of certifications in some cases may be limited to specific applications or platforms and could leave other portions of the business susceptible to breach events due to less-restrictive controls applied to non-certified systems

Security certifications are trending toward becoming required for many organizations that service the healthcare industry. Choosing which certification best suits your organization and customer base is also a decision that requires careful analysis prior to taking on the investment to get certified.

Partnering with you to bolster your risk reduction efforts for your organization and throughout your vendor network is our primary purpose. Contact our team and let us know your thoughts and questions about security certifications. We’d love to hear from you.