Willis Partners with HITRUST to Address the Healthcare Industry’s Cyber Exposures

July 23, 2015

The Health Information Trust Alliance (HITRUST), an organization supporting the healthcare industry in advancing the state of information protection, has partnered with Willis North America to identify a common approach and develop products to better align insurance premiums with cyber risk profiles, tailor insurance coverage and establish a more streamlined process of securing cyber insurance for organizations that process and store protected health information (PHI).

The increase in cyber-related threats, attacks and breaches at organizations that process and store PHI has led to significant challenges for businesses trying to secure cyber risk insurance. Substantial premium increases and a reduction in available policy limits have reduced the ability for organizations to secure adequate coverage. At the same time, more healthcare organizations are including cyber insurance requirements as part of their third party assurance programs.

According to the companies, there currently is no generally accepted assessment and risk scoring method in the industry. As such, the evaluation and reporting of risk can vary significantly from one organization to another. There is also limited data available to understand cyber risk profiles, including the maturity of an organization’s information security and privacy programs and residual risk. Program maturity and changes in security controls can significantly impact organizational cyber risk profiles, and subsequently cyber insurance premiums and coverage.

The new Willis-HITRUST platform will improve insurance coverage and premiums for healthcare organizations by:

  • Easing the process of securing cyber insurance, and improving consistency by leveraging an existing information privacy and security framework, the HITRUST CSF, a healthcare industry privacy and security framework and model implementation of the NIST Cybersecurity Framework.
  • Improving the accuracy of risk assessments by using an assurance methodology that incorporates the ability to score the effectiveness of the organization’s controls.
  • Supporting the identification and ranking of information security controls associated with cyber risk and the impact of any changes in scoring.
  • Rewarding organizations that can document and demonstrate effective information security programs related to insurable cyber risks.

Willis and HITRUST expect the products to be available by the end of 2015.

The CSF and the CSF Assurance program offer flexible implementation and management framework for healthcare information protection by providing a standardized way of scaling and tailoring security and privacy safeguards based on an organization’s specific risk factors, including cyber risk. The CSF and CSF Assurance program enable an “assess once, report many” approach, so organizations can implement one set of controls, and conduct an assessment that allows measurement and reporting for numerous purposes such as HIPAA, NIST Cybersecurity Framework, SOC 2, MARS-E or other standards and regulations.

HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has helped to develop programs to safeguard health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives.

Was this article valuable?

Here are more articles you may enjoy.