HITRUST CSF certification will become the standard for contact centers in the healthcare market
By Brandon Harvath
Data security breaches are rampant in today’s complex technological environment. According to the Office for Civil Rights (OCR), the HHS office that tracks reportable healthcare breaches, the numbers are staggering: in 2015, 253 healthcare breaches affected more than 112 million records. Healthcare industry players are increasingly concerned about their ability to achieve and maintain the highest levels of data security. The sobering truth is that most healthcare organizations, including contact centers, are one data breach away from a catastrophe.
Global data attacks continue to be extremely sophisticated and, faced with a steady stream of hacker headlines, the public is becoming more concerned about its own personal data. Is our industry taking all precautions to safeguard personally identifiable information (PII) and protected health information (PHI)? Progressive contact centers are working diligently to address the challenges.
A Stringent Approach to Protecting PII and PHI: In transacting daily business, consumers share a great deal of personal data with unknown persons who answer the phone as the voice of a trusted business entity. Consider how many times each of us has called a company’s contact center and shared personal information. This practice has become so routine that most of us barely give it a second thought.
The security of PII and PHI is only as strong as the chain’s weakest link. Toward this end, organizations spend millions of dollars annually on security tooling and other privacy and security programs. Unfortunately, it takes just one click on a phishing email for that fragile system of data security to be shattered.
Health insurers and their vendor partners face a tremendous challenge today in complying with the mandates of a multitude of federal and state agencies, including the regulations put forth under the Health Insurance Portability and Accountability Act (HIPAA) and its complex Privacy and Security Rules. Many of today’s privacy and security issues were not even envisioned when HIPAA was enacted in 1996, so it is incumbent upon the industry to be progressive in its pursuit of data security. This requires a holistic approach that encompasses not only HIPAA, but also detailed standards formulated specifically to mitigate broad-ranging privacy and security risks. One organization has emerged to consolidate these standards into a single framework that healthcare organizations can implement and be certified against: the Health Information Trust Alliance (HITRUST).
At the foundation of HITRUST’s offerings is the Common Security Framework (CSF), a certifiable framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. Developed in collaboration with healthcare and information security professionals, the HITRUST CSF merges healthcare-relevant regulations and standards into a single overarching set of controls. The HITRUST CSF has become the most widely adopted security framework in our nation’s healthcare industry because it gives organizations an efficient, prescriptive framework for managing the security requirements fundamental to HIPAA.
Attention is turning toward achievement of the level of security HITRUST CSF demands. In June 2015, for example, HITRUST announced that a growing number of major healthcare organizations, including key health insurance companies, would now require their business associates (BA) to obtain CSF certification within the next twenty-four months.
Those contact centers that have already committed the time, finances, and other resources necessary to earn such a stringent certification are on data security’s leading edge. Those that have not will need to act quickly to remain partner vendors with this growing group of certified healthcare clients.
One Contact Center’s Journey: Achieving what many view as the Holy Grail of world-class healthcare data security does not come without tremendous investment: communicated management commitment, dedicated resources and rigid processes and controls. In our experience, the contact center attempting to reach this goal must adhere to a number of controls that are focused on three mission-critical areas: technology and systems, process, and people. Because a detrimental glitch can occur within any of these areas at any time, compliance within a multitude of data security categories (HITRUST has more than sixty) must be assured.
Access to information systems, for example, is to be role based, in compliance with HIPAA guidelines, and is determined based on an intense evaluation of one’s role within the organization and within a specific program assignment.
Our management evaluates each job function to grant the minimum necessary access to the information systems and data needed to perform that function’s tasks. Monitoring is strict and includes assurance of procedural compliance in all prescribed areas. With HITRUST certification at the core of our data security program, the following are a sampling of best-in-class practices that contribute to our continued compliance:
- Zero-Tolerance Corporate Culture: All employees and associates take ownership and accountability for data, working to “protect it as their own,” and embody the core values of trustworthiness, respect, responsibility, fairness, caring, and integrity in all their actions and practices. The organization also maintains and enforces a code of conduct in which nothing less than absolute integrity is expected and accepted.
- Compliance Training and Testing: All employees and associates are required to satisfactorily complete a range of training topics that include compliance and ethics, HIPAA, security awareness, and HITRUST. Training is conducted online and concludes with knowledge checks. The chief compliance officer (CCO) and chief technology officer (CTO) present during client and product training and are also available for team-specific training.
- Limited and Monitored Access to Data: In addition to firewalls that block unauthorized network traffic, no Wi-Fi is available on company premises. Work teams have access only to the suite where they are assigned, and a strict badge-access policy is enforced. Teams have access to all of the information needed to respond expertly to their customers, but only to the information specific to their own program.
- Maintenance of Physical Security: Physical security is maintained through a facilities security plan, which details every security element (doors, entryways, security cameras, desk environment, and vendor compliance) and the steps required to meet each one. Clean rooms and clean production suites protect PII and PHI from being copied or shared by prohibiting cell phones, cameras, and other personal electronics, as well as paper and pens, so that PII or PHI cannot be written down as calls are handled. Supervisors continually monitor production floors and individual work areas.
- Ethics Reporting Hotline: Data security issues are paramount, and their importance is consistently communicated to all employees and associates. Employees and associates at all levels within the organization are encouraged to report – anonymously via website, telephone, or email – any and all data security concerns to the CCO or the chief human resource officer. A strict non-retaliation policy is vigorously enforced. Senior leadership is committed to providing avenues through which ethical issues may be raised, reviewed, and resolved openly and honestly. The CCO maintains an open-door policy for employees and associates to ask how to maintain ethical standards or to flag a potential problem.
- Continual Process Improvement: As part of HITRUST CSF certification, we are required to continually demonstrate improvement. Certified organizations are subject to an annual review as well as quarterly improvement updates, and they must consistently demonstrate improvement of maturity level as it relates to a multitude of privacy and security protocols.
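The role-based, program-scoped, minimum-necessary access described above is easier to reason about when you see it enforced in code. The following is an added illustration for this article, not code from Corporate Call Center or from HITRUST; the roles (agent, supervisor, compliance), the programs, the field names, and the sample member records are all invented for the example. The policy is deny-by-default: a request is allowed only if the caller’s role is known, the record belongs to one of the caller’s assigned programs, and then only the fields that role needs are returned, with every attempt, allowed or denied, written to an audit log for monitoring.

```python
"""Role-based, program-scoped access to member records with an audit trail.

Added illustration for this article; it is not code from Corporate Call
Center or from HITRUST. The roles, programs, field names and sample records
below are invented for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

# Which fields each role may read. Fields not listed for a role are never
# returned to it: "minimum necessary" applied at the field level, so an agent
# answering a claim-status call never sees a diagnosis code.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "agent": frozenset({"member_id", "name", "plan", "claim_status"}),
    "supervisor": frozenset({"member_id", "name", "plan", "claim_status", "claim_notes"}),
    "compliance": frozenset({"member_id", "claim_status", "claim_notes", "diagnosis_code"}),
}

# Constructed sample records (fictitious members, programs and codes).
SAMPLE_RECORDS: Dict[str, Dict[str, str]] = {
    "M-1001": {"member_id": "M-1001", "program": "medicare-adv", "name": "Pat Example",
               "plan": "Gold HMO", "claim_status": "paid",
               "claim_notes": "resubmitted after coding correction",
               "diagnosis_code": "E11.9"},
    "M-2002": {"member_id": "M-2002", "program": "commercial", "name": "Sam Sample",
               "plan": "Silver PPO", "claim_status": "pending",
               "claim_notes": "awaiting provider documentation",
               "diagnosis_code": "J45.20"},
}


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    programs: FrozenSet[str]  # program assignments, like the team-to-suite mapping


@dataclass
class Decision:
    allowed: bool
    reason: str
    view: Optional[Dict[str, str]] = None  # the minimised record, only when allowed


@dataclass
class AuditLog:
    """Every access attempt, allowed or denied, is recorded for monitoring."""
    entries: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def record(self, user: str, member_id: str, outcome: str, reason: str) -> None:
        self.entries.append((user, member_id, outcome, reason))

    def denials(self) -> List[Tuple[str, str, str, str]]:
        return [e for e in self.entries if e[2] == "DENY"]


def read_member_record(principal: Principal, member_id: str, audit: AuditLog) -> Decision:
    """Return only the fields the principal's role permits, and only if the
    record belongs to one of the principal's assigned programs. Deny by default."""
    record = SAMPLE_RECORDS.get(member_id)
    if record is None:
        audit.record(principal.user, member_id, "DENY", "no such record")
        return Decision(False, "no such record")
    allowed_fields = ROLE_FIELDS.get(principal.role)
    if allowed_fields is None:
        audit.record(principal.user, member_id, "DENY", "unknown role")
        return Decision(False, "unknown role")
    if record["program"] not in principal.programs:
        # Program scoping: a team sees only the program it is assigned to.
        audit.record(principal.user, member_id, "DENY", "program mismatch")
        return Decision(False, "program mismatch")
    view = {k: v for k, v in record.items() if k in allowed_fields}
    audit.record(principal.user, member_id, "ALLOW", "fields=" + ",".join(sorted(view)))
    return Decision(True, "ok", view)


if __name__ == "__main__":
    log = AuditLog()
    agent = Principal("agent01", "agent", frozenset({"medicare-adv"}))
    print(read_member_record(agent, "M-1001", log))  # allowed, no diagnosis_code
    print(read_member_record(agent, "M-2002", log))  # denied: program mismatch
    for entry in log.entries:
        print(entry)
```

Two design points carry over to a real system: the field filter is driven by an explicit allow-list per role rather than a deny-list, so a newly added PHI column is invisible until someone deliberately grants it; and the audit log records denials as well as successes, because a burst of "program mismatch" denials from one account is exactly the signal a supervisor or the compliance team wants to see.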
The proliferation of technology we take for granted today, and which did not exist a decade ago, has created the need for stringent controls and data oversight. HITRUST CSF certification and other marketplace compliance certifications will soon become the standard and the price of doing business in the healthcare market. The security of consumers’ data – and the survival of our healthcare contact centers – clearly depends upon it.
Brandon Harvath is senior vice president of operations for Corporate Call Center, Inc. (CCC), a customer interaction company specializing in providing complex, high-touch services within the healthcare insurance and other highly regulated markets. CCC, a multi-site contact center, is headquartered in Blue Bell, Pennsylvania. Harvath can be reached via email or 215-283-4202.