Healthcare Perspectives


Opinion: It’s time for a federal third-party security certification in healthcare

Sep 06, 2019
By: Rick Ensenbach

It’s clear to healthcare organizations that cyberattacks are becoming more common — and more sophisticated. The statistics say: More than 83% of organizations have seen an increase in cyberattacks in the past year, 66% say they were targeted by a ransomware attack during that timeframe, and many healthcare organizations see an average of 8.2 cyberattacks per month. 

While many organizations are becoming more mindful of their cybersecurity risks and are making investments in technology to detect and contain attacks, budget remains an issue. Cybersecurity is no different than any other cost center for a healthcare organization. It must compete for budget, which means cybersecurity professionals are asked to demonstrate through metrics why they need the budget they’re asking for. 

But despite the evolution of cybersecurity solutions — including managed detection and response — to help mitigate the risk of an attack and minimize the impact of one, healthcare continues to lag behind other industries in cybersecurity. It spends less than half as much on cybersecurity as other industries, yet it’s highly targeted for its valuable patient data. To make matters worse, the cybersecurity budget is often embedded within the information technology (IT) budget, creating even more competition for money.

For all these reasons, it’s time to require healthcare organizations to meet a specific set of standards through a third-party certification. 

Mandating healthcare security certification

Just as financial institutions have been audited by the Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC) and other bureaus for decades to help protect consumers, it’s time for another high-risk industry to meet similar standards. 

Healthcare has always been self-accredited. But with the rising number of data breaches and ransomware incidents, it’s becoming clearer that voluntary accreditation through the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) and the National Committee for Quality Assurance (NCQA) isn’t good enough. Third-party certification must become federally mandated, with a set of fixed standards, for healthcare organizations to take the steps necessary to protect patient information against cyberattacks and ensure patient safety.

At the moment, the only audits the Office of Civil Rights (OCR) performs are in response to a whistleblower complaint or a reported breach. But the type of audit it performs — remote first, to gather data, then over the phone, and finally on-site if the situation warrants it — would happen to every healthcare organization once a year if the industry were to follow the financial institution industry’s lead. 

You have to admit that an annual audit where an auditor could show up at any time would certainly drive healthcare organizations to look at how they need to improve their information security. But what if they were already certified?

The benefits of security certification to healthcare organizations

I know healthcare organizations can see the downsides to third-party certification through the time and dollar commitment it would require, but there are benefits.

First, if you become certified through the program, the government would recognize that you’re taking the necessary steps to minimize risk and protect patient security. This means you wouldn’t be subject to the annual audit to check up on your cybersecurity and risk management.

Second, because getting certified demonstrates to the government that you’re doing what you can to reduce the chances of a data breach, if you were to experience a breach, certification would allow you to prove to OCR that you were doing your due diligence. This means OCR would be much less likely to levy a heavy monetary fine after its investigation concludes. 

Keep in mind, certification is not a one-time occurrence. Formal certification usually requires periodic checkups (e.g., annually) and recertification after a designated amount of time (e.g., every two years), typically prior to the anniversary of the previous certification.

Third, there is a marketing opportunity here. Over the past decade, the public has gotten much savvier when it comes to security. So as time goes on and the public becomes more aware of this third-party certification and how it helps protect them, healthcare organizations will be able to market the fact that they are certified. In larger, more metropolitan areas, this can also prove a competitive advantage. 

Lastly, certification could also result in reduced cyber insurance premiums.

How likely is mandated healthcare security certification?

At the moment, HITRUST is a valuable third-party certification that the government could consider mandating. Or the government could create its own program. 

But whatever the case, third-party certification could become a viable option if large healthcare breaches keep occurring and Congress hears more from constituents concerned with how their data is protected. Even state attorneys general, who are empowered to perform HIPAA investigations, could push requirements through local government and eventually drive the federal government to mandate certification. 

By no means am I stating certification is a “silver bullet.” I would assert that at the very least it would keep cybersecurity at the forefront for organizational leadership. I believe we are at a point where something must be done. Rather than waiting to see if third-party certification will happen, why not be proactive and reap the benefits of certification? This includes showing your patients that you are serious about protecting their data — whether that’s through HITRUST certification or cybersecurity solutions.



Director, Risk Advisory Services