As part of the Civitas Networks for Health 2022 Annual Conference, a Collaboration with the DirectTrust Summit, Kathryn Ayers Wickenhauser, DirectTrust Director of Communications, sat down with Lee Barrett Executive Director and CEO of Electronic Health Network Accreditation Commission (EHNAC), Michael Parisi, Vice President of Adoption of HITRUST, and Scott Stuewe, President and CEO of DirectTrust to learn how they facilitate trust through independent accreditation programs.

To get started, we learn a little more about each organization’s role and focus in facilitating trust. As a compliance partner of accredited organizations, EHNAC helps manage trust in areas like privacy and cyber security, while assuring all stakeholders are confident in their work.

HITRUST is in the business of risk management, helping organizations address common security and privacy challenges in the most efficient way possible. They set standards for what organizations should implement and align to in order to provide the highest level of reliable and transparent trust, as it relates to information security.

DirectTrust focuses on trust that’s required for successful healthcare patient exchange. They do this on the technical side through frameworks, as well as independent certifications of organizations that assess privacy and security capabilities, like EHNAC and HITRUST.

We first talk about the value of independent certifications and learn more about their requirements. Michael at HITRUST believes independent certifications have a higher level of reliability. It’s important to have independent layers of quality assurance and he’s seen organizations require these kinds of assessments. This third-party approach also saves organizations time. He says it creates an overall more efficient ecosystem so we can spend more time on care delivery.

Lee says regulations (for example the Health Insurance Portability and Accountability Act of 1996 (HIPAA)), has raised the bar across the industry for recognizing security practices. This includes work at the state and federal level – they’re all about mitigating risk. To validate Michael’s point, many organizations have established third- party assurance requirements, so any organization they work with or those that do business on their behalf must go through accreditation (like HITRUST or EHNAC) to guarantee they’re operating with a low level of risk.

DirectTrust depends on knowing that its community can trust each other, says Scott. There’s a requirement to do this in certain circumstances and obligations organizations have within this industry to establish trust, but that’s not the only reason these accreditations are sought out.

“Frequently this is also just seen as a differentiator for folks in the marketplace. So people will pursue independent certifications as a way of saying, ‘We care about these things as much as we care about you, our clients and customers.’ So sometimes it’s a requirement [and] sometimes it’s frankly a good thing to do from a business point of view.” – Scott

We go on to discuss the importance of relationships within the healthcare community – like the relationship between EHNAC, HITRUST and DirectTrust.

Scott reflets on his long-standing relationship with Lee that goes back to the very beginning of DirectTrust. The two worked together to create the criteria associated with accrediting Health Information Service Providers (HISPs), Certificate Authorities (CAs), and Registration Authorities (RAs). There’s an increasing number of organizations that are required to go through HITRUST accreditation, so DirectTrust accepts HITRUST as part of their own accreditation process.  As a result of these relationships, DirectTrust accreditations require privacy and security from either EHNAC or HITRUST.

We learn EHNAC and HITRUST work closely to compliment their partnership by leveraging their independent frameworks and healthcare stakeholder criteria. Together, they created the Trusted Network Accreditation Program (TNAP).

HITRUST works with many players in the industry with an “arms-open approach.” Michael says they’re constantly collaborating with partners to make sure programs, processes and frameworks meet their needs.

There’s a lot of talk around policy and criteria used to assess the work being done in the healthcare space. We transition to spend time learning the difference between the two.

Scott starts off by explaining how DirectTrust develops policies in their workgroups that establish a set of rules around how things are going to work (like their HISP policy). The difference, he says, is these policies aren’t a way to assess capabilities, they’re just the polices themselves. An independent assessment of the criteria provides confidence that these policies are in fact compliant.

Michael chimes in to say not all assessments are created equal. If they don’t start with policy, they could be misleading as far as the level of assurance they’re actually providing. It’s important that assurance mechanisms align with the policy you’re looking to enforce. He thinks it’ll be interesting to see the flow-down procedures. For example, thinking about how we arm the qualified health information networks (QHINs) with a mechanism for which they understand the policy, and how to enforce that within their participants. He says we can count on HITRUST, EHNAC and DirectTrust to be involved in that work.

We ask Lee to go into more detail about how TNAP is tied to the Trusted Exchange Framework and Common Agreement (TEFCA). He starts by telling us that TEFCA has set out policy and a common agreement, as well as a set of technical frameworks for entities that are going to be QHINs. The coordination agency, The Sequoia Project, has announced a security standard operation procedure. This takes the policy and operationalizes it. The TNAP component aligns with the common agreement and technical framework, so if a protentional QHIN wants to go through this accreditation, they’ll go through the TNAP component before they apply to the Recognized Coordinating Entity (RCE) to complete the official accreditation.

Even with all the privacy and security across the industry today, we still hear about breaches and security mistakes. We ask our three experts for advice on helping reduce the risk for security breaches.

Michael starts by recognizing it’s hard to understand what business partners are doing. The only way to gain appropriate level of insight into those relationships is by leveraging independent third-party assurance and accreditations.

Lee echoes the need for third-party assessments and follows Michael’s comment by recommending annual risk assessments, inventory checks, and patch management to make sure all updates happen across the network in order to limit the risk for cyberattack. He also strongly suggests training all staff on best practices around cyber security (like creating strong passwords).

Scott says when it comes to healthcare communication, making sure you have secure mechanisms is important, like Direct Secure Messaging. He also says regulators need to maintain a high level of trust around technical security. People are always comparing technical security with convenience. Convenience is important, but not at the expense of secure communications.

To wrap up our conversation, Lee starts with his final thoughts and advice. He says make sure you have trusted parties and infrastructures in place within your organization. Go through third-party certification to provide assurance to yourself and business partners.

Michael’s advice is to try to implement assessments within organizations, and look for reliable certifications and accreditations. Don’t be fooled by those out there that won’t give you the highest level of assurance. Choose wisely when making those investments.

Scott brings us full circle and reminds us who’s really at the center of all this work. He says to remember the end goal – patients and their access to quality care. Security threats can hinder quality of care and create gaps or loss of services. At the end of the day, we do all this work and innovation to provide a better healthcare experience for patients and communities who rely on a secure, stable healthcare system.

Make sure to check out this On Demand session “Facilitating Trust in Interoperability and Health Information Exchange” through the conference website to hear from these speakers themselves about the importance of third-party certification and accreditation!

This post was contributed by Alyssa Foggia-Hamm.