Standardizing Security Assessments in Healthcare Has a Long Way to Go

News | October 31st, 2023

In the healthcare industry, security assessments serve as comprehensive audits that document an organization's security controls and workflows. They support a range of critical operations: internal compliance reviews, the onboarding of new acquisitions or contracts, vendor management, and post-breach analysis. Keeping patient data secure is essential for any person or organization that processes or stores Protected Health Information (PHI), but the current, non-standard state of security assessments frustrates healthcare providers and solution providers alike and has contributed to the relatively slow adoption of digital solutions in healthcare. How can we standardize this process within the sector?

The current state of security assessments for digital health companies

Despite significant advances in medical technology, the standardization of security assessments in healthcare remains a nascent field rife with inconsistencies. The disparity in protocols not only jeopardizes patient data but also undermines the integrity of healthcare systems. Security questionnaires are usually based on self-attestation, so the answers are unverified, and because the questions differ from one organization to the next, the data collected varies widely and pertinent security information may be missed entirely. The inconsistencies between question sets, the often lengthy nature of these assessments, and the frequency with which personnel are required to complete them leave everyone involved with a sense of fatigue. Standardizing these assessments would let healthcare provider organizations and vendors alike redirect that effort to other important projects and breathe a sigh of relief.

As a growing digital health company, Rimidi has completed dozens of security assessments. They vary widely in complexity, from succinct text documents with a handful of questions that can be completed in twenty minutes, to expansive ten-page spreadsheets with thousands of data fields that may take a month of effort to complete accurately. Because each healthcare provider organization writes its own questions, answers cannot simply be drawn from a central repository of previously verified responses; each questionnaire has to be worked through from scratch.

How can we overcome these cybersecurity assessment challenges?

Standardizing security assessments would make healthcare cybersecurity reviews both more consistent and more rigorous. There are several approaches the healthcare industry can take to address the problems of the current, ad hoc method:

  • Adopt universal standards – Frameworks published by NIST and ISO (for example, the NIST Cybersecurity Framework and ISO/IEC 27001) provide maintained, widely recognized control sets. An organization that maps its controls to one of these frameworks can pull the information an assessment requires from a single, already-validated source instead of re-deriving it for each questionnaire.

  • Create a template library – An industry-approved library of questionnaire templates would let digital health companies like Rimidi and other solution providers complete a document once and reuse it whenever the need arises, with only the answers that have changed needing review.

  • Collaborate with other companies – Form alliances between healthcare vendors to establish and share security best practices.

  • Utilize open-source tools – Develop industry-approved, open-source assessment tools, so that the questions, scoring and evidence requirements are the same for every requester and the tooling itself is open to review.

Standardizing security assessments will require a concerted effort from the entire industry. Fortunately, businesses are beginning to realize that a change needs to be made, and we are starting to see improvements. Rimidi is currently in the process of becoming both HITRUST and TX-RAMP certified. Imagine if we received an assessment request from a healthcare institution that wanted to use our software and could simply provide the certification report to the requestor, or use the results of the certification assessors' testing to populate a standardized, industry-approved template. Because such certifications are reviewed by a third party rather than self-attested, this would confirm that the security controls are in place and have actually been tested, and it would reduce the time spent completing assessments from hours to minutes, shortening solution implementations from initial interest to go-live. Multiplied across the entire industry, thousands of hours would be saved, cutting costs and eliminating frustration.

If you are interested in Rimidi's software for remote patient monitoring and chronic disease management and want to learn more about our cybersecurity measures, contact us today.