An effort to create a common security framework for the health care industry is making progress.
The Health Information Trust Alliance (HITRUST), a private company working with health care organizations, professional services firms, liability insurers and others to develop the framework, said the industry can expect to see a finished product by January.
HITRUST officially launched last December with the goal of establishing trust in the health care industry with regard to electronic information, said HITRUST CEO Daniel Nutkis. The effort is led by an executive council that includes CVS Caremark Corp., Johnson & Johnson Health Care Systems Inc., Humana Inc., Hospital Corporation of America and Cisco Systems Inc.
Organizers say the HITRUST CSF will meet a pressing need in the industry. Health care organizations are dealing with multiple standards and regulations, including HIPAA, which isn't specific in its security requirements. They're dealing with internal and external auditors, underwriters and increased demands from business partners to prove they are secure. The CSF leverages existing standards but will provide specific guidance to organizations of all sizes, Nutkis said.
"They will have some prescriptive guidance on what systems they should purchase and what procedures they should implement," he said. "There's no more ambiguity."
In a survey of 150 health care IT security executives commissioned earlier this year by HITRUST, 85% supported creation of a common set of standards for the industry. Fifty-five percent said they're frustrated about the lack of standards for HIPAA compliance.
The CSF has three components: a standards and regulations cross-reference matrix, a readiness assessment toolkit, and an information security implementation manual, which uses ISO/IEC 27001:2005 and 27002:2005 as its foundation and is scalable to the size and type of an organization. The cost to license the CSF will be $8,500.
HITRUST envisions a certification program similar to the Payment Card Industry Data Security Standard (PCI DSS), and plans to accredit auditors for the certification.
"An organization gets one person to come in and assess and another to remediate and they think they're in good shape. Then they get an internal audit that says one thing and an external audit that says another," Nutkis said. "Let's give them the ability to be certified so they get the stamp that they've taken all the necessary steps to protect themselves."
Joseph Granneman, CTO/CSO of Rockford Health System in Rockford, Ill., said the HITRUST CSF "is a great idea but the problem is that so many hospitals haven't even begun looking at information security or HIPAA."
Khalid Kark, principal analyst at Forrester Research Inc., said HITRUST's effort is good, but he's uncertain how well it will be implemented. Generally, organizations aren't likely to follow a particular framework without a compelling reason. The situation may be a little different in health care where business partners are requiring organizations to have a certain level of security, and HIPAA only provides high-level guidance, he said.
While the HITRUST CSF would help provide specific steps for data protection, larger organizations considering a security framework likely have already implemented ISO, while smaller organizations would need a significant reason to implement CSF, he said.
"A regional hospital chain, those types of companies, aren't as mature and don't have as much money and frankly, security isn't really a priority for them and I don't think this framework will make it a priority for them," Kark said. "The approach is right, I'm just a little skeptical on the acceptance of it as a standard across the industry because many health care companies are relatively small."
HITRUST is working to provide its CSF and related education and training at no cost to smaller organizations, Nutkis said.
Jeff Pentz, associate IT director of the Health Center at the University of Georgia, said the HITRUST CSF has potential to be valuable by providing prescriptive and detailed solutions for properly securing health information. But cost will be a factor for the framework's adoption in the industry, he added.
"If there is a significant membership, licensing, and/or certification fees required for an entity to access the details of the CSF, then many entities may choose not to participate," he said.