
Operational Changes Underway as Part of HITRUST Certification


In my last post, I introduced an important initiative that Starling is undertaking to become certified by HITRUST. I wanted to share some additional details provided by NPS about why this is important and what you can expect in terms of operational changes.

About HITRUST
  • HITRUST is considered the “gold standard” of security because it incorporates a number of the leading security standards, such as HIPAA and PCI compliance.
  • HITRUST requires organizations to validate that they have successfully implemented policies and procedures that meet HITRUST’s requirements. This is accomplished by monitoring security on an ongoing basis and managing change by updating policies and keeping them current.
  • Companies need to know where PHI (patient health information) enters and exits their entire operation.
Why Starling is Becoming HITRUST Certified
  • The designation makes Starling and NPS a differentiator in the market, since security is an ongoing priority for our organizations.
  • As Starling continues to grow, insurance companies are requesting this certification and may refuse to sign Business Associate Agreements (BAAs) without it, which can eventually negatively impact physician reimbursement.
Requirements to Become HITRUST Certified
  • Policies and procedures need to be written to address HITRUST requirements, and we must attest that these are actually implemented, measured and managed.
  • Two phases – self-assessment (completed by NPS) and validation (tentatively scheduled for mid-September).
  • The validation phase requires a certified HITRUST partner. NPS engaged the services of Beyond, LLC, which will be responsible for visiting and interviewing staff to determine whether Starling is meeting those standards.
    • This could include questions such as the following:
      • When you leave your work area do you clean your desk of patient information and lock your computer?
      • Are screen darkeners installed in high traffic areas?
      • Is paper disposed of in “shred-it” bins and kept locked?
      • Are printouts removed promptly from printers, fax machines, etc.? 
      • Are user-ids and passwords written on sticky notes and left on monitors or under keyboards?
Operational Changes

The following changes are in the process of being implemented company-wide, with an anticipated target date of mid-September.

  • Password Management (network password (first sign-on to the computer), Allscripts and GE – possibly SRS) – all employees are required to change passwords on a regular basis, as defined by HITRUST:
    • Minimum length of 8 characters.
    • Must use 3 of 4 character classes (upper-case letter, lower-case letter, number and/or special character).
    • Passwords must be changed every 90 days.
    • Passwords cannot be reused for at least 6 generations or 18 months.
    • A few considerations:
      • Please keep in mind that currently the network password, Allscripts and GE (and SRS) do not automatically synchronize, so everyone will need to change the password within each application.
      • Mobile phones and iPads do not automatically update and will typically prompt the user when they need to enter the new password.
  • Session time-out due to inactivity:
    • Computers (PCs, laptops, etc.) will automatically lock after 30 minutes of inactivity.
      • When staff return to their desk, they will need to enter their network password to unlock the computer.
    • Mobile device password:
      • All mobile users are asked to select a PIN and/or thumb recognition to unlock the device.
      • NPS is currently reviewing technology that will automatically push security settings to these devices.
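The password rules above map directly onto a policy check an identity system would run when a user changes a password. The following is an added illustration, not code from Starling, NPS or HITRUST: it enforces the 8-character minimum, the 3-of-4 complexity rule, the 90-day rotation, and the "6 generations or 18 months" reuse rule (treated as whichever is longer). The history store, the per-account salt and the 548-day approximation of 18 months are assumptions made for the example.

```python
import hashlib
import hmac
import string
from datetime import date, timedelta

MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_AGE_DAYS = 90
HISTORY_GENERATIONS = 6
HISTORY_AGE = timedelta(days=548)   # roughly 18 months (assumed 30.44-day months)


def _digest(pw: str, salt: bytes) -> bytes:
    # Password history is kept as salted PBKDF2 digests, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def complexity_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def password_expired(last_set: date, today: date) -> bool:
    """90-day rotation: True once the current password must be changed."""
    return today - last_set >= timedelta(days=MAX_AGE_DAYS)


def check_new_password(pw: str, history: list, salt: bytes, today: date) -> list:
    """Return the policy violations for a proposed password (empty list = accepted).

    history: list of (digest, date_set) tuples, newest first (constructed format).
    """
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if complexity_classes(pw) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} of 4 character classes")
    new = _digest(pw, salt)
    for idx, (old, set_on) in enumerate(history):
        within_generations = idx < HISTORY_GENERATIONS
        within_age = today - set_on < HISTORY_AGE
        # Reuse is blocked if the old password is recent by EITHER measure.
        if (within_generations or within_age) and hmac.compare_digest(new, old):
            violations.append("reused within 6 generations or 18 months")
            break
    return violations
```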

Additional activities and programs are also under consideration for the future, including:

  • A security awareness program will be developed to include annual HIPAA training, phishing training (educating everyone on identifying suspicious email links and not clicking them) and monthly security email alerts.
  • Review of the feasibility and cost of using badge technology for provider access to computer systems.

Thank you for your help as we take this important step as an organization.