P&C the November 2024 issue

Certified Cybersecurity

HITRUST certification can give small to medium-sized businesses peace of mind that their employee data is safe.
By Martha George Posted on October 31, 2024

According to a study by Cybersecurity Ventures, a cyber attack occurred every 39 seconds in 2023 internationally, with the overall cost of cyber crime hitting $8 trillion. Total annual cost is predicted to reach $10.5 trillion by 2025. This is particularly critical for benefits administration data, which involves collecting extensive amounts of sensitive employee information.

For small to medium-sized businesses (SMBs), the impact of a breach is profound, undermining daily operations and destabilizing financial integrity, employee morale, and client relations. With so much at stake, implementing security at every touchpoint is crucial, extending to HR operations, including benefits administration, which is especially vulnerable due to the sensitive nature of the data involved.

SMBs can take many steps to safeguard operations, including assessing their current security posture, regularly reviewing and updating security measures, and training employees on cyber hygiene. Another measure is HITRUST Common Security Framework (CSF) certification.

Escalating Threat Landscape

It is no longer a question of “if” but “when” a bad actor will strike and how your business will recover quickly. The World Economic Forum notes that the network of cyber criminals is abuzz with knowledge sharing, bringing more criminals into the mix by lowering the cost and skill level needed to be an effective attacker.

SMBs often have limited resources compared to large enterprises, so their IT teams are stretched thin. This turns securing their data against relentless cyber criminals into an uphill battle. The financial implications alone are staggering, with IBM’s 2024 Cost of a Data Breach report indicating that SMBs can face costs of up to $4.88 million per breach.

As SMBs contract services to manage their HR processes, they must be certain that high-security standards are being met at every touchpoint where sensitive employee data is handled. HITRUST CSF certification ensures the partner service handling this data meets high-security standards, providing a comprehensive framework for managing and protecting sensitive benefits information during eligibility and enrollment.

Understanding HITRUST

HITRUST certification is managed by the HITRUST Alliance, an organization established in 2007. The certification program is designed to assist organizations in demonstrating compliance with various regulatory and industry standards for data security.

To achieve HITRUST certification, a company must undergo a thorough evaluation of its information security program. An assessor performs tests to understand an organization’s flow of data, including protected health information, financial data, and other critical business information, between systems. This readiness assessment documents any potential gaps in need of remediation before validated assessment. A final assessment is submitted to the HITRUST Alliance for approval and official certification.

It is no longer a question of “if” but “when” a bad actor will strike and how your business will recover quickly.

Depending on the complexity of the organization’s operations, obtaining HITRUST certification can take from several months to a year, and the costs can vary significantly, often ranging from tens to hundreds of thousands of dollars. Once certified, organizations must be recertified every two years to ensure continued compliance with evolving standards.

By including federal and state regulations, standards, and frameworks, and incorporating a risk-based approach, this certification helps organizations ensure a comprehensive and flexible framework of prescriptive and scalable security controls. The certification combines best-in-class standards from the Health Insurance Portability and Accountability Act, HITECH Act, National Institute of Standards and Technology, Control Objectives for Information and Related Technologies, and other frameworks, ensuring the highest standards of information protection requirements are met when accessing or storing sensitive data.

Benefits for SMBs

HITRUST certification provides a trusted framework for SMBs to enhance data security and streamline compliance in the benefits administration process.

  • Simplifying compliance: HITRUST certification ensures adherence to various regulatory requirements, simplifying compliance efforts and saving time and resources.
  • Targeted controls: HITRUST certification helps organizations identify the most relevant controls from thousands of existing frameworks, making implementation less overwhelming and confusing.
  • Partnership with experts: For SMBs that might not have a dedicated IT department, partnering with a HITRUST-certified vendor provides access to a team of experts with the knowledge and experience to implement and maintain stringent security protocols, alleviating some of the strain and cost associated with security.
  • Year-over-year improvement: Recertification confirms that systems and processes are up to date with the latest security standards and evolving threats, helping SMBs stay ahead of cybercriminals.

Cyber threats are a constant concern for all businesses. SMBs cannot afford to let data security fall by the wayside. Prioritizing and protecting sensitive information goes hand in hand with protecting your reputation, income, and valued employees. HITRUST certified-systems provide a layer of guidance and defense that simplifies compliance, boosts security posture, and offers invaluable peace of mind in a time when everyone is at risk. By partnering with HITRUST-certified vendors and implementing targeted controls, SMBs can navigate the complexities of data security, safeguard their clients and teams, and focus on core business operations with confidence.

Martha George Privacy Officer, Vimly Benefit Solutions. Read More

More in P&C

Risky Business
P&C Risky Business
RiskScan 2024 identifies what buyers and sellers in the insurance industry are w...
Sponsored By Munich Re
P&C When Disaster Knocks
A continuous series of natural catastrophes around the United States might final...
Business Interruption Goes Digital
P&C Business Interruption Goes Digital
Brokers have long worked to help ensure their clients are covered for unexpected...
Sponsored By Ryan Specialty