HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HITRUST CyberAid Cybersecurity Initiative Trialed in North Texas on Small Healthcare Organizations

Large healthcare organizations have the budgets and resources for complex cybersecurity solutions to prevent intrusions and keep the protected health information of patients secure. However, smaller healthcare organizations, in particular physician groups with fewer than 75 employees, face considerable challenges.

Many cybersecurity solutions are not ideal for the small business environment and the cost of implementing appropriate defenses against cyberattacks can be prohibitively expensive. However, effective cybersecurity solutions must be deployed.

Healthcare organizations are now being targeted by cybercriminals and smaller organizations face a high risk of attack. Hackers are well aware that the defenses of small healthcare organizations can lack sophistication. This can make small practices a target for hackers.

If a successful cyberattack occurs it can be catastrophic for small practices. The cost of mitigating risk after a cyberattack is considerable. Many healthcare organizations lack the funds to deal with cyberattacks. This was clearly demonstrated by the cyberattack on Athens Orthopedic Group. A breach response was put in motion, but credit monitoring services could not be provided without financially crippling the business.

Small organizations therefore need to deploy security technologies to prevent data breaches; however, choosing cost-effective cybersecurity solutions that offer the necessary level of protection can be a major challenge.

Research conducted by the Health Information Trust Alliance (HITRUST) shows that small healthcare organizations often struggle to choose the best cybersecurity solutions. They also experience difficulty deploying, operating, and maintaining those solutions. Training staff on the use of IT security tools is also a problem, as is demonstrating that those solutions are compliant with HIPAA.

HITRUST CyberAid Developed to Help Small Healthcare Practices

Last week, HITRUST announced it has embarked on a new cybersecurity initiative, termed HITRUST CyberAid, to help smaller healthcare organizations address increasing cyber risks and keep sensitive data protected.

The purpose of HITRUST CyberAid is to help smaller healthcare organizations find the most appropriate and cost-effective cybersecurity solutions to deploy. This will help to make sure that those organizations can concentrate on providing care to patients.

By participating in the HITRUST CyberAid program, healthcare organizations can choose solutions that offer an effective level of cyber threat protection while ensuring compliance with the HIPAA Security Rule. The solutions also allow small healthcare organizations to share indicators of compromise (IOCs) with the HITRUST Cyber Threat Xchange (CTX). Currently few small healthcare organizations have the resources to be able to consume and share threat information.

Effective and Affordable Cybersecurity Solutions

The solution providers included in the program are able to offer products that have the necessary technical and operational capabilities at a price point suitable for small healthcare organizations. HITRUST has determined the optimum price for a full CyberAid package is $25-$60 per user, per year.

Organizations that choose to deploy a HITRUST CyberAid solution will receive assistance with installation, monitoring, training, and support. HITRUST will also monitor the effectiveness of the solutions in terms of their ability to mitigate cyber risks, their capacity to support the sharing of IOCs, their affordability (both initial and ongoing costs), their proficiency in facilitating streamlined security assessments, and their practicality.

Initially, the technology and security bundle provided under the program includes a Trend Micro cloud-hybrid network security appliance and endpoint security software. Assistance is provided with installation and monitoring services. In the event of a security incident, recovery assistance will also be offered.

As the program develops, HITRUST expects to incorporate further cybersecurity packages from other IT security vendors to broaden the choice available to small healthcare organizations.

According to Daniel Nutkis, CEO, HITRUST, “Effectively addressing cyber security challenges, engaging in cyber information sharing and streamlining the HITRUST CSF Assessment process for physician practices have been a goal of HITRUST.” Nutkis went on to explain, “This program is a big step forward towards those goals.”

Children’s Health Named as First Partner

HITRUST has announced that Children’s Health℠ is the first partner organization in the HITRUST CyberAid program. Children’s Health℠ will work on informing the physician community of the importance of threat information sharing and will assist with recruiting healthcare practices into the program.

Children’s Health℠ is the eighth largest pediatric healthcare provider in the United States and has a strong presence in North Texas, where the trial is taking place. In addition to outreach, Children’s Health℠ will help with the evaluation of the program and will gauge satisfaction and provide feedback to HITRUST.

According to Pete Perialas, senior vice president and chief strategy officer, “Identifying solutions that address current and evolving cyber threats—not to mention implementing and managing these solutions—is daunting for a small practice.” Perialas went on to explain, “Participating in current models of cyber threat sharing can be prohibitive, whereas CyberAid puts these levels of protection within reach.”

Limited Trial to be Followed by Nationwide Expansion

The new cybersecurity initiative has been limited to small healthcare organizations in North Texas initially. 80 physician practices are taking part in the program, each employing between two and 15 physicians. If the program proves successful, it will be expanded to include organizations throughout the United States. The trial is expected to last for a period of three months, although HITRUST has announced that physician groups across the United States will be able to join the program from September 2016.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.