After months of rigorous preparation and hard work, Rackspace is now HITRUST certified, which means customers looking to secure electronic Protected Health Information can now rely on a verifiable set of standards and practices introduced by the Health Information Trust Alliance Common Security Framework for protecting electronic medical records.
The certification comes amid a rise in threats to medical data, including ransomware attacks against healthcare facilities and other institutions that store confidential patient information.
While these attacks are on the rise, many healthcare organizations are behind the curve on IT security. Taking advantage of the newly hardened HITRUST environment at Rackspace means organizations can continue to focus on what they do best: care for patients.
HITRUST certification encompasses all of the dedicated servers, storage, databases and networking solutions at Rackspace, so if you’re already one of our dedicated server customers, your environment is now HITRUST certified — at no extra cost.
The HITRUST framework was developed in 2007 with the goal of standardizing the way organizations protect electronic Protected Health Information. It goes beyond the requirements laid out in the Health Insurance Portability and Accountability Act (HIPAA) and provides organizations with a comprehensive, efficient and (most importantly) verifiable approach to regulatory compliance and risk management.
Why is HIPAA compliance not enough?
HIPAA was created more than 20 years ago as a legal framework for handling electronic medical data, but it never really had teeth. There’s no HIPAA body responsible for assessing and verifying an organization’s HIPAA compliance, and in turn, HIPAA compliance has become largely self-assessed.
Any organization can say it’s HIPAA compliant, but that simply means it has looked at the law and believes it is subscribing to it. What HITRUST offers is the opportunity to verify HIPAA compliance through a comprehensive and ongoing certification process.
This is obviously important for basic compliance and regulatory requirements, but in today’s world of increasing cyber crime, it’s even more critical.
Why do cyber criminals care about healthcare data?
Medical data has become an extremely attractive target for cyber criminals. Forget social security information or credit card numbers: if someone has your medical records, they have everything.
Less than a year ago, Hollywood Presbyterian Medical Center in Los Angeles was hit by a ransomware attack in which a hacker seized control of its computer systems, including all of its medical records, and only relinquished control after the hospital paid the hacker nearly $20,000.
While the financial fallout from that attack was relatively inconsequential, the precedent it set was hugely damaging. Hospitals and healthcare organizations everywhere became much larger targets overnight.
Ransomware attacks are on the rise, and the healthcare industry wasn’t built to defend against them. Add this lack of a traditional security focus to the new realities we face with cyber crime, and the type of hardened environment ensured by HITRUST certification becomes even more important.
The need for enhanced medical data security is recognized by others in the cloud security industry as well.
“As a leading provider of cloud-based security and content delivery network (CDN) services for the healthcare industry, Akamai recognizes the need for technology providers to invest in and follow the most stringent compliances and regulations for customers,” said Senior Director of Industry Marketing at Akamai Technologies, Ari Weil.
“HITRUST CSF certification bolsters Rackspace’s offering in the healthcare industry for organizations that want to leverage a certified dedicated environment but do not want to manage it themselves or take on the complexity of keeping certifications and audits up to date.”
As a longtime Rackspace partner, Weil said Akamai looks forward to continuing to work with Rackspace in the healthcare space, as well as many other industries that utilize managed services, to make it easier for organizations to innovate and employ fast, reliable and secure digital experiences.
How does HITRUST assess and verify an organization?
The HITRUST certification is made up of 19 specific domains, each of which has a number of controls tied directly to the size of the environment we want to certify. When we looked at our dedicated server environment, there were more than 300 in-scope controls, each of which had specific pieces of evidence, policies and standards, and implementation maturity levels we had to attest to in order to get the sign-off for certification.
Before we even kicked off this effort, we were above passing in 17 of the 19 HITRUST domains, a direct result of the work we had already done with PCI compliance. It’s also a testament to how hardened and mature our environment already was.
Now that we’re certified, we’ll have to show on an annual basis that we’re continuing to adhere to the HITRUST standards and policies. Every two years we have to go back through the entire certification process.
It’s an ongoing certification, which is the mark of a quality certification. It’s not something you can bluff your way through and throw a stamp on. Even if you’re HIPAA compliant today, are you looking at specific controls in your environment that could change tomorrow if you did a large-scale infrastructure modification? These are things that have to be documented for HITRUST, which gives the certification added guardrails and ensures that those who are certified are adhering to it.
In the natural evolution of Rackspace, this is the next step we needed to take to provide even more Fanatical Support to our customers, particularly those in the healthcare sector.
It’s my hope that customers who are already using our dedicated servers or our storage, databases and networking solutions benefit from this new level of data protection, and that healthcare-centric organizations and businesses interested in protecting their ePHI or other medical data will engage with us for new, innovative solutions.
Visit Rackspace to find out more about our HITRUST certification, the protection it adds to our dedicated hosting environment and our plans to expand this certification in the near future.