HITRUST Version 11 Makes Certification Even More Compelling for Biotech Firms

Safeguarding sensitive health and biological information is mission-critical for biotech firms. And failing to protect this data can lead to severe consequences such as reputational harm, legal liability, and financial losses.

The good news is that achieving HITRUST certification is a great way to ensure that your sensitive information is secure while letting your customers know that you take data security and privacy seriously. The recent release of HITRUST CSF version 11 (v11) significantly streamlines the HITRUST certification process, enabling organizations to achieve the same level of assurance with less effort.

In this blog post we’ll explain how recent biotech industry trends have increased the importance of becoming HITRUST certified and provide background on the HITRUST v11 release and how it streamlines the certification process.

How Biotech Trends Have Increased Risks 

In recent years, the biotech sector has experienced a rapid shift towards next-generation cloud computing technology, which has enabled biotechnology firms to leverage artificial intelligence (AI) and machine learning for big data analysis. AI-enhanced data analysis applications enable biopharma researchers to extract value from large data sets by identifying patterns that lead to the discovery of new drugs and treatments. The latest innovations in biotech, including personalized treatment, gene therapy, synthetic biology, and tissue engineering, have largely been driven by the adoption of advanced technologies such as AI, big data analysis, and cloud computing.

While the adoption of next generation computing technology and analytics has enabled biotech firms to dramatically improve the outcomes of research and development efforts and streamline operations, it has also introduced new and complex risks to organizations in the space. Malicious actors recognize the value and significance of health and biological data, which makes the biotech space a lucrative target for attacks. In an industry where data and intellectual property are as good as gold, cyberattacks such as ransomware and data breaches are significant risks to stakeholders of biotech firms, and cyberattacks targeting the healthcare and biotech space continue to increase in frequency despite the adoption of next generation security-centric technology. 

How Can HITRUST Help?

For an industry burdened with an extremely complex regulatory landscape, where digital data and information are highly valuable assets, and information technology environments are more nuanced than ever before, achieving a strong cybersecurity program to defend against threats, while also maintaining compliance with several distinct regulatory frameworks, is a remarkable challenge for startups and mature organizations alike. HITRUST is a cybersecurity framework designed to be used as the gold standard for organizations handling health-related data. HITRUST has a unique approach to managing data protection, information risk management, and regulatory compliance, and it is globally recognized as one of the only comprehensive cybersecurity frameworks for the healthcare sector. Below we discuss three ways that businesses in the biotech sector can benefit from becoming HITRUST certified.

Demonstrating Cybersecurity Risk Management 

• According to the HHS, there were 239.4 million attempted cyberattacks in the healthcare and biotech space in 2020, with an average of 816 attempted attacks per endpoint, which is a 9,851% increase from the previous year.³
• The IBM Data Breach Report⁵ in 2021 revealed that the pharmaceutical industry had the third highest average total cost for data breach incidents, with an average cost of $5.04 million. The industry with the most expensive average cost for a data breach was healthcare, with an average of $9.23 million.
• In 2019, the pharmaceutical industry spent $83 billion on the research and development of new drugs, and the expected cost of developing a new drug can range between $1-2 billion dollars according to the congressional budget office¹. In the first quarter of 2021, a record-breaking high of $7.1 billion dollars was raised by biotech ventures in the form of private financing², demonstrating that investors are more eager than ever to fund new biotech ventures and invest in established ones.
• The HITRUST Cybersecurity Framework incorporates a comprehensive risk management program, which can be used to quantify an organization’s risk posture for shareholders and potential investors. Having a HITRUST certification demonstrates to key stakeholders that your biotech firm is maintaining an excellent information protection program and managing cybersecurity risks appropriately. Potential investors and current shareholders want to know that their assets are being defended and managed and being HITRUST certified is a great way to communicate that.

Enhancing Third-Party Relationships and Reputation

• Business partners, including payers, hospitals, and other third parties may require you to undergo a third-party review as a form of due diligence to ensure that your organization maintains information security to an adequate level. Some business partners may even require demonstration of ISO 27001 compliance, or adherence to the NIST 800-171 standard before engaging in a relationship.
• On the other side of the equation, third parties that conduct business with your biotech firm, particularly IT service providers, can introduce third-party risks that may not be visible to stakeholders. Even if your business maintains effective information protection controls internally, third parties you exchange data with can put that data in jeopardy if your third-party risk is not managed properly. Adopting HITRUST will result in a comprehensive third-party risk management program being implemented in your organization and integrated with your policies and procedures, which improves stakeholder confidence in third-party relationships.

• Becoming HITRUST Certified will enable your organization to reduce third-party reviews and friction in forming new partnerships. HITRUST satisfies elements of ISO 27001, NIST 800-53, 800-171, and HIPAA; it is the most comprehensive cybersecurity framework available to the biopharma sector. Being HITRUST certified allows you to avoid the arduous process of providing security documentation as it demonstrates that a comprehensive information protection program has been implemented. You can focus on creating key partnerships knowing that your partners have trust and confidence in your cybersecurity program.
• In the digital age, consumers are more aware and vigilant about their privacy and security than ever before. If your firm interfaces directly with patients or conducts clinical trials, demonstrating compliance with HITRUST can send a message to your customers and research participants that your business is dedicated to actively protecting and securing their private information, which will improve your brand’s reputation and increase people’s willingness to share information with you.

Maintaining and Maturing Organizational Compliance

• The biotech industry is perhaps one of the most regulated industries; understanding relevant compliance requirements and implementing the necessary documentation and controls is one of the greatest challenges faced by the industry today.
• Biotechnology platforms, including gene editing platforms, remote patient monitoring solutions, and AI-assisted diagnostic platforms, have the potential to interact with or process Protected Healthcare Information (PHI). Improper handling or disclosure of PHI can constitute a breach of HIPAA, which can result in serious fines and reputation damage.
• Other regulatory factors include Good Laboratory Practices, Good Clinical Practice, and Good Manufacturing Practices (GxPs) and Quality Management System requirements, which can introduce complexity to change management processes for information systems.
• The HITRUST cybersecurity framework can be used to maintain compliance with 21 CFR Part 11, HIPAA, ISO 27001, and more.
• HITRUST can be used to develop a mature information protection program, align the information protection program with regulatory and compliance factors, and streamline operations with a well-defined change management process that ensures compliance every step of the way. Adopting the HITRUST cybersecurity framework will enable your biotech venture to have flexibility and adaptability to the latest trends in technology, while ensuring that security and compliance are maintained.

What’s Changing with HITRUST CSF v11?

On January 19, 2023, HITRUST announced the release of HITRUST CSF version 11 to “improve mitigations against evolving cyber threats, broaden the coverage of authoritative sources, and streamline the journey to higher levels of assurance.” In addition to addressing emerging threats, this major update to HITRUST CSF reduces redundancies and streamlines processes allowing organizations to achieve the same level of assurance with less effort. The HITRUST v11 changes can reduce certification efforts by up to 45%. 

Below is a summary of the most significant changes that were made with HITRUST v11.

HITRUST CSF v11: Delivers More Efficiency; Cyber Threat Relevance

Threat-Adaptive and Traversable Assessment Portfolio

The HITRUST CSF assessment portfolio has been consolidated and aligned so that a single approach covers broad assurance needs for different risk levels and compliance requirements with greater assurance reliability than other assessment options. All HITRUST assessments are now subsets (or supersets) of each other, which allows organizations to reuse the work in lower-level HITRUST assessments to progressively achieve higher assurances by sharing common control requirements and inheritance. 

The assessment portfolio changes introduced with v11 are summarized below.

Overview of HITRUST CSF v11 Portfolio Changes

Assessment Types

Three assessment types are available with HITRUST CSF v11 to accommodate organizations with varying levels of risk and to ensure that the level of effort required for assessment and certification matches the level of assurance needed. Here’s a summary of these assessment types:

HITRUST CSF v11 Assessment Types

For a more detailed review of the HITRUST v11 changes, check out our blog post HITRUST® CSF Version 11 Addresses Emerging Cyber Threats While Reducing Certification Efforts by up to 45%

HITRUST Certification is More Compelling Than Ever

With biotech industry trends continuing to increase the urgency of safeguarding your health and biological data and the streamlined certification and strengthened security introduced with v11, the case for HITRUST certification is more compelling than ever.

Additional Resources

Below are additional resources that provide a deeper dive on the topics covered in this blog post:

• HITRUST CSF v11 Announcement
• Tevora Selected for the 2022 HITRUST Assessor Council
• HITRUST® CSF Version 11 Addresses Emerging Cyber Threats While Reducing Certification Efforts by up to 45%
• HITRUST i1—HITRUST Significantly Streamlines i1 Assessments with Version 11
• Webinar: HITRUST i1—Keys to Certification

Tevora Can Help

If you have questions about HITRUST CSF v11, or would like help bringing your organization into compliance, our team of experienced HITRUST and biotech security experts can help. Just give us a call at (833) 292-1609 or email us at sales@tevora.com.

Links

1: https://www.cbo.gov/system/files/2021-04/57025-Rx-RnD.pdf

2: https://www.evaluate.com/vantage/articles/data-insights/venture-financing/biotech-venture-financing-starts-year-bang

3: https://www.hhs.gov/sites/default/files/hph-cyberthreats-to-biotechnology.pdf

4: https://www.complianceonline.com/resources/biotechnology-it-regulatory-compliance.html

5: https://www.ibm.com/security/data-breach

6: https://www.agilent.com/cs/library/primers/public/5991-5700EN.pdf