HITRUST unveils Common Security Framework to protect Electronic Health Information | Health Information Trust Alliance

Organizations - Health Information Trust Alliance

The Common Security Framework (CSF), launched by the Health Information Trust Alliance (HITRUST), is the first IT security control framework developed explicitly for healthcare information.

With the dramatic rise in breaches, theft of patient health data and the increase in regulatory requirements such as those mandated by the American Recovery and Reinvestment Act of 2009, healthcare organizations and their business partners are now under intense pressure and scrutiny regarding security and privacy. But without a fundamental change in approach, the industry will continue to see inconsistencies in the interpretation of regulations, inefficiencies and unacceptably high costs in the exchange of health information, and lagging adoption of standards (such as HIPAA) that have plagued the protection of health information technology in this complex market.

To address this “implementation” gap, the Health Information Trust Alliance (HITRUST), representing the healthcare industry spectrum, unveiled the Common Security Framework (CSF) on March 2, 2009 in San Francisco, California.

The CSF, which represents an 18-month effort led by a full-time team and tens of thousands of hours from healthcare, professional services and information technology organizations, is the first IT security control framework developed explicitly for healthcare information. This prescriptive and certifiable framework is the only approach available that makes it cost effective and practical for organizations of any type and size – scaling from private practices, hospitals and health plan providers to pharmacies, pharmaceutical manufacturers, data exchanges and clearing houses – to implement security programs in an appropriate risk-based and consistent way. The CSF will also help in determining compliance against the myriad of business partner requirements as well as the numerous evolving state and federal regulations and industry standards. The CSF cross-references and harmonizes regulations such as The American Recovery and Reinvestment Act of 2009 and the Protection of Personal Information of Residents of the Commonwealth of Massachusetts as well as nationally and globally recognized standards such as ISO, NIST, COBIT, HIPAA and PCI.

“2009 will be a turning point for information security in the healthcare industry – when organizations will begin implementing the framework they have spent the last 18 months developing and create a cascading effect that will impact and benefit the entire healthcare ecosystem,” said Daniel Nutkis, CEO, HITRUST.

HITRUST CSF Delivered as a Service via Industry’s First Online Community: HITRUST Central

HITRUST also announced that the CSF will be delivered as a service through the new online community, HITRUST Central™. HITRUST Central is the primary resource for healthcare IT security and compliance professionals to access the CSF and self-assessment tools. This online service also offers professional networks to share comprehensive CSF knowledge and best practices through forums and exchanges, understand industry issues and events through authoritative blogs, and download documentation and training materials.

HITRUST Central will also provide important implementation support such as how to use Alternate Controls - an innovative approach to allow for the temporary adoption of standardized short- and long-term compensating strategies for systems that cannot meet the CSF’s requirements; and Application Security Packs – which address the lack of detailed information for the design, configuration and implementation of applications such as health information management and electronic medical record systems.

HITRUST also outlined other key elements of its overarching 2009 Security Services Architecture, including Certification, Accreditation and Training processes as well as Reporting Exchanges to significantly simplify how organizations report and track compliance with regulatory and business partner requirements - all of which will be made available through HITRUST Central this year.

A broad range of organizations will announce their application security packs, third-party services around HITRUST certification, and contributions to the HITRUST Central community – including Accenture, Archer Technologies, BearingPoint, Cisco Systems, McKesson Corporation, PricewaterhouseCoopers, VeriSign, and others.

Practical Applications of the HITRUST CSF

Below are just a few examples of how the HITRUST CSF will be applied throughout the healthcare system to enhance security, reduce costs and comply with business, government and industry standards and regulations:
• Hospitals and healthcare providers will use the framework to determine how physicians gain secure and timely access to patient records both onsite and remotely
• Health plan providers will use the framework to securely exchange patient data with physicians as well as provide and protect online access to patient medical records and financial data
• Data exchanges will use the framework to standardize expectations among many different business partners - each with their own set of rules and regulations concerning data security - on a single certification benchmark and reporting process
• Pharmacies will use the framework as a tool to align expectations and practices around common security controls
• Device manufacturers will use the framework to level set expectations with their hospital and healthcare provider customers to improve the way security controls are implemented for their medical systems
• Technology vendors providing Health Information Management Systems and Electronic Medical Records Systems will use the framework to design standardized security capabilities into their products to appropriately protect health information accessed on those systems
• Service Providers and professional services firms will use the framework to help their clients adopt security best practices that are tailored for the healthcare industry; for example as a basis for services such as security assessments, policy definition, solution implementation and certifications

Availability and Pricing

The HITRUST CSF version 2009 and HITRUST Central are available immediately, starting at $1,875 for a 5-user license and increasing depending upon organization size. To register for HITRUST Central and to gain access to HITRUST CSF, please visit www.hitrustcentral.net.

Source: Health Information Trust Alliance