[{"@context":"https:\/\/schema.org\/","@type":"Article","@id":"https:\/\/share-dev.upmc.com\/2019\/05\/health-care-data\/#Article","mainEntityOfPage":"https:\/\/share-dev.upmc.com\/2019\/05\/health-care-data\/","headline":"Certifying a Secure Future for Cloud-Based Health Care Data","name":"Certifying a Secure Future for Cloud-Based Health Care Data","description":"UPMC is playing a key role in a national health care cybersecurity initiative that is pushing the industry to adopt HITRUST CSF certification.","datePublished":"2019-05-03","dateModified":"2023-02-01","author":{"@type":"Organization","@id":"https:\/\/www.upmc.com\/","name":"UPMC","url":"https:\/\/www.upmc.com\/","sameAs":"https:\/\/share-dev.upmc.com\/upmc\/","parentOrganization":"UPMC"},"publisher":{"@type":"Organization","name":"UPMC HealthBeat","logo":{"@type":"ImageObject","@id":"https:\/\/share-dev.upmc.com\/wp-content\/uploads\/2019\/04\/UPMC-HealthBeat-Logo.png","url":"https:\/\/share-dev.upmc.com\/wp-content\/uploads\/2019\/04\/UPMC-HealthBeat-Logo.png","width":600,"height":60}},"image":{"@type":"ImageObject","@id":"https:\/\/share-dev.upmc.com\/wp-content\/uploads\/2019\/05\/42.jpg","url":"https:\/\/share-dev.upmc.com\/wp-content\/uploads\/2019\/05\/42.jpg","height":540,"width":1920},"url":"https:\/\/share-dev.upmc.com\/2019\/05\/health-care-data\/","about":["Health Topics A-Z"],"wordCount":629,"articleBody":"A consortium of health care leaders is clearing the way to work together safely in a cloud-based world.\n\nDoing business via the cloud is becoming standard operating procedure for most large-scale companies, including health care organizations. But there are headaches that come along with the efficiency and economy of using public and private internet pathways when working with suppliers and customers. 
Chief among these concerns is security \u2014 as anyone whose personal data has been compromised knows.\n\nLower Numbers, Higher Stakes\n\nCompared to the business world, health care data breach numbers are lower \u2014 but the stakes are higher. In addition to patients\u2019 personal health information, the data that health care organizations may share with third parties via cloud-based software include physician notes, electronic medical records (EMRs), medical images, employee records, banking details, and more. Such detailed patient information makes health care data more valuable and highly desirable to hackers.\n\nAt the same time, the use of cloud-based software in health care is increasing \u2014 a trend that presents organizations with a significant security challenge that\u2019s only going to grow in scope. \u201cMany of our vendors who provide critical applications \u2014 such as EMRs \u2014 are aggressively moving to the cloud,\u201d says John Houston, vice president of privacy and information security and associate counsel at UPMC. \u201cIn many cases, there will not be an option.\u201d\n\nExtensive Vetting Process for Compliance\n\nOrganizations like UPMC have a process to vet the security of potential vendors. It typically involves an investigation and a long compliance questionnaire. It\u2019s a lengthy and labor-intensive process that, until recently, a vendor had to undergo for each prospective health care customer.\n\nThat process is changing, thanks to a consortium of top health care leaders nationwide \u2014 including UPMC \u2014 formed in August 2018. Called the Provider Third Party Risk Management Council (PTPRMC), the organization is tasked with creating a single set of security standards for providers and vendors in health care.\n\n\u201cWe believe the health care industry as a whole, our organizations, and our third parties will benefit from a common set of information security requirements with a standardized assessment and reporting process,\u201d says Houston. 
\u201cWe are strongly encouraging other provider organizations to follow suit and adopt these principles.\u201d\n\nA Common Framework for Compliance\n\nTo provide this common set of requirements, the council has chosen the HITRUST cybersecurity framework (CSF), along with its assurance programs. All council members are requiring their third-party vendors to become HITRUST CSF certified within the next 24 months. HITRUST CSF certification will serve as PTPRMC\u2019s standard for third parties providing services that require access to sensitive patient information.\n\nThe HITRUST CSF Assurance Program is the most widely-adopted assessment approach used by health care organizations and third parties to evaluate and communicate their information privacy and security posture.\n\n\u201cSince many small- to mid-sized providers do not have the capability to assess the security and controls of their vendors, this initiative helps all providers \u2014 large and small \u2014 to ensure that their data remains secure,\u201d says Houston. \u201cThese providers can access the HITRUST information via a portal during the procurement process to ensure that the vendors they\u2019re considering have implemented adequate security and controls.\u201d\n\nStamp of Approval\n\nBy ensuring that vendors share a single information security, privacy assessment, and certification program \u2014 such as that offered by HITRUST \u2014 health care entities can benefit \u201cplain and simple with four C\u2019s: consistency, cost, commitment, and completeness,\u201d says Houston. \u201cWe\u2019re providing the playbook on how to operate securely and work with large systems. If you\u2019re a vendor who wants to work with UPMC or one of the other leaders in health care, you no longer have to go through a long, costly security certification process. 
Show up at the doors, present your HITRUST CSF stamp of approval, and go to work.\u201d"}]