Cloud computing, mobile devices part of HITRUST's focus for 2011
The Health Information Trust Alliance (HITRUST) announced its plans to support the healthcare industry in 2011 and beyond with initiatives aimed at maintaining the comprehensiveness and relevance of the Common Security Framework (CSF) and CSF Assurance program.
HITRUST has identified a number of key areas, including cloud computing, data protection, health information exchanges (HIEs), mobile devices and authentication management, that it will focus on in 2011, in addition to making necessary updates relating to relevant federal and state regulations and security standards.
These updates and enhancements will influence not only the CSF and other HITRUST programs, but also the guidance offered to the industry, government agencies, software developers and hardware manufacturers. HITRUST will also work to ensure the CSF is being adopted by the entire industry with an emphasis on outpatient, long-term, ambulatory and home health provider organizations.
"From HITRUST's inception, Humana has helped shape and drive its vision to meet a critical need with a comprehensive framework that enables any organization to meet evolving security standards and regulations," said Jon Moore, chief information security officer, Humana Inc. "In just four years, HITRUST has enabled the healthcare industry's broad adoption of the CSF. We look forward to contributing to future programs that drive greater efficiencies in healthcare information security."
The CSF remains the de facto standard for information security in the healthcare industry, and HITRUST has seen during the past 12 months continued adoption of the CSF across the entire industry with adoption by hospitals at 62 percent and health plans above 500,000 members at 74 percent. HITRUST has also seen significant growth in participation in the CSF Assurance program as more organizations begin to assess their own security environments, many doing so to satisfy meaningful use requirements.
One of the added benefits from the increase in CSF assessments is access to accurate data on a broad set of information security aspects. Unlike historical reporting which was survey based, HITRUST is able to collect information directly from CSF assessments, thereby increasing the accuracy and granularity of the data collected. HITRUST will use the summary data to regularly publish content on various industry trends and insights.
In addition, the CSF Assurance program continues to be the most widely utilized program for assessing the security posture of business associates and managing third-party compliance. Organizations, including providers, insurers and service providers, have obtained CSF Certified status, demonstrating the industry's ability to meet the requirements and commitment to protecting health information.
The number of healthcare organizations requiring their business partners be assessed against the CSF has also been larger than expected, and HITRUST anticipates that trend will continue throughout 2011. In January 2011, 11,000 organizations received requests for CSF assessment reports.
"As a home health provider, we saw the value of adopting the CSF as a comprehensive security framework, but felt a few of the risk factors did not align with the environment of a home health organization," said Sanjeev Sah, information security officer, Amedisys. "We shared our feedback with HITRUST and were pleased to have HITRUST review and ultimately agree with our suggestions. We look forward to continued collaboration and helping to ensure the CSF addresses the needs of home health organizations."
The importance of industry participation from organizations such as Amedisys and others is the driving force behind the creation of HITRUST working groups that are charged with identifying and documenting enhancements to CSF controls as well as facilitating industry collaboration and recommendations.
Click on the next page to read about the four focus areas for 2011.
The focus of HITRUST working groups for 2011 includes:
Cloud Security Working Group – With the recent popularity and interest in cloud computing, there are many questions surrounding its security implications. HITRUST is committed to investigating and providing recommendations around how organizations can benefit from its savings and convenience, while appropriately understanding and managing risk. HITRUST will also make any updates to the CSF that are deemed appropriate.
"By collaborating with HITRUST, we are able to better understand the industry's expectations and concerns with regards to utilizing cloud computing services securely," said Dave Marchand, CTO Healthcare and Life Sciences Services, Dell. "We are excited by the opportunity to present organizations with recommendations that enable them to benefit from the new efficiencies and enhanced flexibility that a cloud delivery model offers. We are pleased to bring our in-depth experience with cloud computing to this effort as co-chair of the Cloud Security Working Group and are committed to helping identify changes to the CSF that would encompass the security controls required by these solutions."
Mobile Devices Working Group - While mobile devices have the potential to drastically improve productivity and efficiency across the industry, it is important to better understand the potential risk they pose to an otherwise secure environment and how best to employ them. By working with mobile device manufactures, application providers and healthcare organizations that are leading the way in mobile device implementation, HITRUST is committed to providing guidance on mobile device adoption and configuration, and updating the CSF as needed.
"Mobile devices hold great potential for increases in productivity, convenience and user satisfaction in the context of healthcare," said Mark Kadrich, principal enterprise security architect, Kaiser Permanente. "Addressing the challenges and implications to information security in a mobile setting is critical to protecting confidential patient and business data while enabling these game-changing capabilities. I am pleased to be co-chairing the HITRUST working group which aims to identify best practices associated with the policies, practices and tools needed to manage and support these devices."
Content Definition Working Group - HIPAA provides guidance on what constitutes protected health information (PHI); however, a healthcare organization faces a considerable challenge in accurately identifying PHI within the various data sets stored or transmitted by the organization. HITRUST will define a set of policies for identifying PHI within documents, emails, portable media, and other forms of electronic communications, and provide guidance on implementing the policies within various organization types.
HIE Working Group - HIEs have introduced a new and significant set of dynamics to the healthcare industry, and the diversity in size and focus of the participating organizations present a special set of challenges to security personnel. HITRUST will focus on securing HIEs as well as standardizing the requirements participating organizations must meet.
"HIE security is a challenging space and Medicity is thrilled that HITRUST, a nationally-recognized leader in healthcare information security, is addressing it," said John Overbaugh, CISSP, director of security at Medicity and a HITRUST CSF practitioner. "Medicity is pleased to bring our experience in HIE security to the table to collaborate with HITRUST in this process."
In addition to driving industry improvements through the working groups, HITRUST has been working on an initiative focused on the issues surrounding user authentication and identity management within the healthcare industry. With the greater adoption of the CSF and an increase in user authentication requirements, HITRUST became aware of a growing issue related to users authenticating to various systems, which involved end users being issued upward of 25 physical and 70 logical tokens for the systems or facilities they regularly access.
This user dissatisfaction coupled with the introduction of HIEs and electronic prescribing of controlled substances requiring authentication, led HITRUST to begin looking more than two years ago at how organizations could securely manage user identities without interfering with daily tasks and patient care. Great progress has been made in this area, and HITRUST will soon announce a specific model and recommendations for what continues to be a key focus area.
HITRUST has also made significant progress in the development of a solution to simplify and improve accuracy of the assessments conducted of small organizations, which are defined as having less than $25 million in annual revenue. In 2010, HITRUST recognized these organizations were not accurately assessing and reporting their information protection posture. This market segment poses a greater risk with regards to the protection of health information due to the growing connectivity with trading partners and HIEs and the often absence of dedicated and knowledgeable resources to stay current on the latest threats, exploits and security issues.
Providing additional documentation, manuals or guides is not a practical way to mitigate the issues as these organizations do not have the resources to stay current, nor is it practical to maintain the reference material given the ever changing information security environment. HITRUST's new self-assessment for small organizations addresses these challenges unique to small organizations with an easy-to-use, comprehensive and sophisticated vulnerability scanning capability, which ensures the results provided are complete and valuable for assessing an organization's security risk.
Another area of focus for HITRUST relating to small organizations is the offering of the necessary resources and assistance needed to remediate any gaps in their information security environment. As such, HITRUST is partnering with solution providers to help identify and package solutions specifically for small organizations.
With the focus identified for 2011 and beyond, and ongoing growth in adoption and areas of industry involvement, HITRUST is keeping pace with the ongoing and evolving information security needs of the healthcare industry, which has come to rely upon the CSF and CSF Assurance program. HITRUST, LLC will also be transitioning its legal structure to not-for-profit to better align with its role of fostering collaboration and providing much needed guidance to the industry. The CSF will remain available to qualified healthcare organizations at no charge.
"HITRUST is committed to serving the long-term needs of the healthcare industry and we can now focus on ensuring the durability and adaptability of these tools the industry has come to rely on," said Daniel Nutkis, chief executive officer, HITRUST. "The last few years have been focused on the development of the CSF and providing the education that goes along with the introduction of a comprehensive security framework. With the achievement of high adoption and confidence rates by organizations, we are now focusing our efforts to provide those organizations with the added tools and guidance they need to further enhance their security strategies."