MedReview Achieves Gold Standard in Secure Technology With HITRUST Certification and a Seat on Panel of Cyber Experts
NYCHSRO/MedReview’s growth projections for 2018 got a significant boon just before the New Year with our certification as a HITRUST healthcare organization. The Health Information Trust Alliance, comprised of IT and security personnel of major organizations nationwide, grants this certification to entities who have demonstrated that all necessary security is in place to protect any personal healthcare information coming over the transom, electronically or otherwise. Notification of our HITRUST status followed a yearlong effort by two dozen staffers under the direction of SVP of Operations Spencer Young and CTO Dan McNamara to meet the rigorous demands. In March, on the heels of this success, CTO McNamara joined a trio of IT experts for a panel discussion on “AI for Cyber Defense” at the invitation of Darktrace, a noted San Francisco-based cybersecurity solutions provider for healthcare, biotech and pharma.
Since the advent of HIPAA in 1996 and the coining of the term PHI—protected health information—the business of healthcare in the technological age has been hit by continuing waves of regulations concerning the secure transfer and storage of patient information and medical records, including payment history. These regulations govern how we share such information down to the minutest identifiers, such as zip codes; vehicle and license numbers; web addresses; biometric identifiers such as finger, eye, and voiceprints; and any unique identifying number, characteristic or code except the unique code assigned to code the data. You read that correctly: new code configured to disguise existing code. The reality is beyond Orwellian.
In fact, HITRUST certification is the highest security clearance granted within the healthcare industry and related cloud-based businesses, including Amazon. “The HITRUST Alliance leads the charge,” states CTO McNamara. “It’s the gold standard.”
To achieve the title, a dedicated team from MedReview’s IT bullpen had to build and test complex new infrastructure while a second team from the executive suites, with a critical assist by WeCARE Program Director Debra Rush-Murphy, wrote and rewrote policies and procedures to ensure compliance. The infrastructure team alone included eight staff, two of whom were new hires specifically brought in to achieve and maintain HITRUST compliance.
“Our tech team supports, configures and manages IT—from the workings of the keyboard on your desk to corporate security,” McNamara explains. “Reviewers, human resources, operations, clerical staff, chief officers—every end user at MedReview had to change the way they work. On-site third-party assessors went through our documentation to confirm that we had implemented mandatory password requirements, PHI clean-desk policies and other controls. HITRUST impacts every employee, no matter their job,” the CTO states.
Moreover, as rigorous as the requirements are, the Alliance moved the goal line just as MedReview was rounding to the finish. Ten days before our due date, the Alliance issued new controls, including rewritten versions of the original 180 plus 80 more. “We had to redo it all from scratch,” McNamara states, “but our process had been so orderly we completed our updates in a month.”
SVP Young also commented on the rigor of the twelve-month application process. “The HITRUST Alliance did not conceive the designation with small or medium-sized businesses like ours in mind,” he said. “At times, we had to work backwards, figuring out how we did a task step by step in order to write procedures, or acquire new hardware because our infrastructure did not support their requirements.”
One of the most significant upgrades mandated under HITRUST rules was the creation of a disaster recovery site off premises, which must function as an exact duplicate of the security infrastructure at Water Street. “We had to run tests to ensure that if one site crashes, all current data is saved at the other site, and vice versa,” Young explains. “We had to bring down the entire system intentionally and bring it back up again. And, we had to achieve a specific minimum score to pass.”
NYCHSRO/MedReview succeeded in scoring very high marks with only minor findings that were easy to correct. Nevertheless, the work continues, as HITRUST certification is renewable biennially via the identical steps, plus any new specifications. “We start the application process all over again in 2019,” states McNamara.
Still, he is undaunted.
“We have built a really robust security program and we work hard to maintain it, so it will never be as difficult again,” he asserts. “It’s turned us into a security-first organization. We are exemplary to other organizations big and small. We are doing a better job at security than some major hospitals and financial institutions.”
An added bonus for all this work, notes MedReview’s CTO, is the well-earned allure our HITRUST status provides in the marketplace. His invitation to speak on Darktrace’s expert panel is one such example. The exclusive event moderated by Nicole Eagan, CEO of Darktrace and winner of the World Economic Forum Technology Pioneer Award, addressed security challenges in the healthcare sector and the use of artificial intelligence on the “frontlines of the battle” to detect ransomware and cyber threats. McNamara’s co-panelists were IT directors for Metropolitan Pathologists in Colorado and Country Life Vitamins in New York.
“As a customer, MedReview uses Darktrace technology as a way to incorporate machine learning into our own cyber defense efforts,” says McNamara. “This enables us to remain on the cutting edge as we maintain HITRUST requirements without employing additional staff.”
Our rising profile as a HITRUST healthcare company provides another boon to MedReview’s bottom line.
“We had been working for five years to win a DSRIP contract with one of New York’s largest and most prestigious medical centers. Their decision-making process includes a risk assessment, and after receiving our official notice, I let them know that we are HITRUST certified,” says CTO McNamara. “The person on the other end said, ‘That’s all you had to tell us.’ Our new contract came through shortly after.”