The country’s leading health information technology professionals convened at the Office of the National Coordinator for Health Information Technology (ONC) Annual Meeting on January 27th and 28th for sessions covering the latest in health IT innovation, best practices, and policy.
Attendees and speakers alike discussed the importance of security, especially in the digital health and patient data-sharing era. One such session featured the Together.Health Security Assessment (THSA), an open source framework that aims to make the security review process more efficient for health systems and vendors (startup and established) while maintaining security standards that protect patient information.
The THSA is the first project born out of Together.Health, a collaborative of healthcare accelerators, incubators, innovation programs, governments, and associations that works to share best practices, inform stakeholders, and catalyze the adoption of digital health innovation. The THSA is led by MassChallenge HealthTech, a digital health program based in Boston, Massachusetts that enables collaborative partnerships between startups, industry partners, and governments from around the world.
THE PROBLEM
Covered entities (oftentimes referred to as health systems or providers) and vendors typically sign business associate agreements prior to working together or exchanging patient health information. Generally, the process of executing a business associate agreement begins when providers ask vendors to complete security or risk assessments. Our observations based on over three years of research show that these assessments can be lengthy, take months to complete (often six to nine months), and differ from provider to provider. Despite the operational burden, these assessments are crucial to protecting patient data under HIPAA.
While HIPAA guidelines are publicly available, the industry implements those guidelines non-uniformly. The lack of standardization creates an environment where vendors and covered entities experience significant delays and can be costly for vendors who want to work with health systems. After dedicating legal and technical capital to fill out an assessment, vendors often have to restart the whole process to partner with a different provider. This is especially harmful to startups with scarce resources.
“Startups say they have a limited amount of runway and we [startups] have a burn rate. If this process runs longer, we have to really think about dividing up our resources to answer this.” Stephen Konya, ONC’s Senior Innovation Strategist, shared the startups’ perspective on struggles with security assessments at the session.
Additionally, startups don’t know what they’ll need to comply with until the health system shares its assessment, often months into a partnership. Nick Dougherty, Managing Director of MassChallenge HealthTech said during the panel, “We understand that building a startup is already like riding a roller coaster. You shouldn’t have to wait two hours in line to find out you’re not tall enough to get on the ride. That information should be posted before you get in line.”
The burden is not limited to the startups. Providers know that partnering with startups is an avenue to innovation, but most hospitals are dealing with legacy systems and have limited IT bandwidth. During the panel, Hayley Hovious, President of the Nashville Health Care Council said, “The number one thing we hear from our members is our procurement process is so top heavy and so difficult.”
Providers feel similarity frustrated with balancing innovation with the need to protect patient data and critical infrastructure.
“This is time consuming, hard work on the health system side as well,” Brigham and Women’s Hospital’s Chief Information Officer Dr. Adam Landman said at the panel. “We are not trying to be hard on startups; we really want to understand the product and make sure it has the appropriate security measures to protect healthcare data.”
THE SOLUTION
With ONC bringing the right people to the table, Together.Health formed a working group of leading healthcare CIOs, CISOs, cybersecurity professionals, vendors, startups, and more. MassChallenge HealthTech, Together.Health, Datafy, Censinet, and Netspective analyzed hundreds of security assessments, hosted focus groups across the country, and consulted with experts through monthly update calls.
The three years of work culminated to the release of the THSA. The THSA uses the Secure Controls Framework (SCF) to translate a hospital’s unique security assessments into existing frameworks. SCF is a free-to-download framework that connects best practice security controls with top frameworks such as NIST 800-53 and SOC 2 as well as HIPAA. The idea is that health systems map their unique questionnaires to SCF and share them with Together.Health. Together.Health then creates guidelines based on the most commonly mapped questions. An entrepreneur can then look to the Together.Health guidelines to prepare themselves for any risk assessment or use the health system’s SCF-mapped questionnaires to more rapidly complete their assessment.
While still in its Alpha version, the framework is an important step in improving the efficiency of security reviews. The goal is for vendors and startups to prepare for and meet provider standards more readily, saving them time and money. With this approach health systems can continue to use their own assessments and feel more confident that vendors are secure.
“Having some sort of standard questionnaire is just as beneficial for the systems as for the startup,” said Christina Mazzone, Cybersecurity Risk Officer at PTC and the former Information and Security Officer at Brigham and Women’s Hospital said at the panel. “We need to partner together to streamline the process for the patient community and get better outcomes.”
ADOPTION
A common and open source security assessment is possible if the healthcare innovation community works to adopt together. Together.Health is asking health systems and startups alike to help with the mapping and adopt the process.
Hospitals around the country committed to do the mapping, including Brigham and Women’s Hospital of Boston. “Now that we have a way to map our assessments, hopefully it makes the vendor’s life easier, it definitely makes our lives easier,” Landman said. Together.Health is recruiting other hospital across the country to map their assessments to SCF.
The THSA has massive potential to fuel innovation in healthcare innovation ecosystems. Hovious of the Nashville Health Care Council said, “Nashville is the provider capital of the U.S., this helps our innovation ecosystem as well. When you take innovation and affect patient lives at scale, this is really what Nashville is all about.”
MassChallenge HealthTech is piloting the THSA in this year’s program. The accelerator plans to provide curriculum and training to their startups to help prepare them for risk assessments with providers. Additionally, program partners, or “Champions”, are mapping their assessments to the SCF.
“In this year’s cohort, 25 out of 27 startups will be going through the THSA process to increase their security preparedness,” said Dougherty. “We believe this is an important step to ensuring we secure our most private data.”
HOW YOU CAN GET INVOLVED
Together.Health is asking the healthcare community to contribute to the project and spread the word to health systems and startups across the country.
If you want to learn more about the project or hear from the Together.Health team directly, sign up for our webinar on Wednesday February 26th at 2PM ET.
Health systems can map their assessments to SCF here or reach out to the Together.Health team to learn more.
Startups, download the THSA guideline and check to see if you meet the security standards recommended by the majority of Together.Health system providers.
Planning to attend HIMSS20 this March? Join the Together.Health 2020 Spring Summit on Tuesday, March 10th in Orlando to learn more about the Together.Health collaborative in person.
Together, we can create an open-source recommendation for better healthcare security.