Think for a moment about the vast amount of clinical, financial and other personal data collected within healthcare information systems today. It is not only sensitive information about individuals’ health conditions; it can also include their financial data or social security numbers — all in one location.


Authored by Brenton McKinney, Vice President of Security

The fact that healthcare information systems collect such a broad range of individuals’ data makes them a top target for hackers and other bad actors. The financial lure of health fraud, combined with the wide range of data accessible in one place, creates a key motivation. In fact, the Department of Homeland Security considers healthcare data a number one security target and defines it as “critical infrastructure.”

This means that data security threats will continue to evolve quickly — and data privacy and security regulations will attempt to keep pace. For health plans, meeting fast-changing regulatory requirements is a significant challenge in and of itself. Healthcare organizations must maintain HIPAA compliance and adhere to a variety of regulatory and statutory requirements, in addition to an increasing number of international requirements such as GDPR.

There are several security frameworks to help organizations meet these obligations, such as HITRUST, SOC, ISO, NIST, FedRAMP and others. Laws are typically written to spell out “what” security or privacy needs to be implemented rather than “how.” While that can be beneficial in some ways, it also leaves much open to interpretation. This is where choosing the right framework for your organization and industry can help to meet regulatory requirements.

In the highly regulated healthcare industry, organizations need an extremely responsive and effective security posture in place. Being able to manage ever-evolving threats and vulnerabilities is mission-critical. Managing risk as healthcare becomes more integrated and information is shared more frequently across systems, health plans, providers and other entities is vital to protecting the security of data and most importantly — patient privacy.

An organization’s ability to address these disparate security challenges can be strengthened by focusing on a few key areas: Preparing the organization using a systematic and authoritative framework, Responding to threats, and Recovering from successful attacks.

At Medecision, we chose to obtain HITRUST CSF Certified status for reasons such as these. Foremost, it aligns with our commitment to lead the industry in meeting the most rigorous standards and protocols available to secure our customers’ data, especially when stored in the cloud. In addition, it coalesces many federal, state, healthcare and cross-industry standards and regulations into one framework, with a prescriptive set of controls that are applied based on an organization’s scale and maturity level. This third-party verification of our security strategy is just one way that we work to instill confidence in the Medecision Aerial platform.


The reality is that most healthcare organizations are facing increased security threats. How they Prepare, Respond, and Recover is what will set them apart from those who fall victim to attacks.

Get more insights on healthcare information security in the coming weeks. In Parts Two and Three of this blog series, we’ll cover essential steps to prepare for and respond to security breaches, plus discuss what having a HITRUST certified partner means for you.

Learn more about the standards put forth by the National Institute of Standards and Technology (NIST) and FedRAMP by visiting the following webpages:
