HITRUST — and Banking? Why Certification Matters to More than Just Hospitals
Although the Health Information Trust Alliance’s certification (HITRUST CSF) started with medical payers, its relevance is beginning to reach across different markets.
In a world consumed with data privacy and security concerns unfolding alongside every industry’s digital transformation, organizations are looking for trustworthy benchmarks for themselves and their partners. In 2018, HITRUST may be it.
HITRUST is a not-for-profit organization focused on safeguarding sensitive information and managing information risk. Its certification is a framework intended to provide organizations with a “comprehensive, flexible and efficient approach to regulatory compliance and risk management” by meeting multiple regulations and standards — with HIPAA as the main one.
So why is a security standard geared toward HIPAA garnering attention in the financial sector? The simple answer: time.
As the needs of regional financial institutions change to support broader means of connecting with their audiences and engaging their customers, telephony is undergoing a fundamental overhaul industry-wide. Today every application player is in the telephony space, so there’s less allegiance to the traditional players and more focus on security as the market differentiator.
For regional and community banks, which are the bulk of the financial institutions in North America, selecting a new vendor or partner involves an in-depth review of the offering and its related landscape — to ensure the organization is making the best quality choice. However, these lean operations often don’t have the internal resources to separately review an artificial intelligence (AI) solution, voice technology or multimedia connection, and then do a security review on each one.
A HITRUST certification means that the organization in question (including its products) has already undergone rigorous scrutiny — on par with another highly regulated industry, healthcare — and is a verified-secure partner whose technology the bank could potentially leverage for its digital transformation without fear, hesitation or time spent on an additional internal review.
Today, digital banking involves a lot more than just an online web portal; it also incorporates automated transfers via chatbots over text, video tellers in physical branches as well as virtual banking appointments and emerging deposit technology. And the more points of contact customers come to expect from their banks, the more types of technology those banks will need to deploy — and, potentially, the more tech vendors they’ll have to review. In this evolving ecosystem, it makes sense that HITRUST certification would start to become significant for those in financial services, even though it’s not specifically geared toward that industry.
This crossover also points to a broader need for heightened security standards and benchmarks in all industries, especially in an age of data privacy concerns and attack mitigation. Unfortunately, many companies develop technology for evolving models of communication and then add on a security element at the end, rather than baking it into the design from the start. That model is no longer enough to adequately ensure security, so in the meantime, highly regulated industries (like healthcare and banking) need an overarching standard they can look to in relation to the increasing number of technology partnerships they’re employing. Healthcare has long had HIPAA compliance, and in recent decades the HITRUST certification. Now banking can look to the HITRUST benchmark as well to help quickly decipher what it means to create a “secure” digital banking solution.