Security Matters for 340B


Over the last twelve months, more than 435 healthcare providers across the U.S. had breaches of unsecured protected health information. 73% were hacking/IT incidents with more than 27 million individuals affected. These numbers are according to the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, where HIPAA requires any breaches of over 500 individual records be reported.

HIPAA specifies a list of rules, or national standards that covered entities must follow to protect individuals’ electronic personal health information. However, HIPAA doesn’t specifically prescribe how those rules are implemented. For example, it doesn’t mandate that you use a particular encryption standard or set your passwords in a specific format. Instead, it’s up to each organization’s discretion on how to set those standards for themselves based on their unique circumstances.  There is an expectation, however, that implementations will be robust enough to provide adequate protection for personal health information.  Independent assessments by qualified security professionals ensure that organizations’ information security programs are sufficiently robust.

From HIPAA, ISO, NIST, to COBIT and more, information security assessments can be quite different regarding transparency, quality, consistency, rigor, and other factors. HITRUST CSF (Common Security Framework) is a certifiable security framework that scales according to the type, size, and regulatory requirements of an organization and its systems. It also incorporates elements from all the above security standards, verifying that a company complies with the strictest requirements with high-risk data.  HITRUST is considered by many to be the ‘gold standard’ in the health industry for HIPAA compliance.

Regardless of the security framework used, it is important to know that your company and suppliers have implemented a robust information security program that is validated by a qualified independent assessor.  This is not only to avoid the potentially devastating consequences of a breach, it is also the law. 


Verity has adopted HITRUST CSF as its primary security framework and has been HITRUST certified since 2017.

Todd Behrman is Vice President of Product and Technical Operations at Verity Solutions. For questions, please contact

Website | + posts