The Health Information Trust Alliance (HITRUST) announced today a new component of the CSF Assurance program targeted at healthcare organizations with annual revenue less than $25 million. The new security assessment approach addresses the wide-scale inaccuracies found in assessments conducted by smaller organizations and extends the reach and value of the CSF Assurance program, the most widely used approach for documenting risk assessment information in the healthcare industry. The HITRUST CSF Assessment for Small Organizations is a practical and effective solution for organizations wanting to perform accurate assessments of their information security environment and address the requirements of meaningful use.
“Our experience shows that when small healthcare organizations are breached, it's not only their own environments that may be impacted, but potentially those of other organizations, such as hospitals, that they access and for which access information is fraudulently acquired as well”
According to HITRUST assessment data, the vast majority of smaller organizations, including more than 85 percent of U.S. physicians’ offices with fewer than 10 employees, do not have the security knowledge and devoted security personnel to perform meaningful use risk assessments and monitor and improve their security environments. The lack of current or adequate security protection for the large volume of electronic protected health information (ePHI) processed by this market segment compromises the integrity of the entire healthcare industry during a time of greater reliance upon electronic health record systems and increased adoption of health information exchanges and networks.
The CSF Assessment for Small Organizations is the result of HITRUST’s analysis of the market to identify the best techniques and methods for an automated, user-friendly solution that would increase the accuracy and comprehensiveness of assessment results and provide organizations with the information needed to address or seek the assistance they need.
“Our analysis shows smaller organizations often provide inaccurate or incomplete information when using self-assessment questionnaires to communicate the status of their security controls to third parties,” said Daniel Nutkis, Chief Executive Officer, HITRUST. “Organizations with limited staff are focused on running the day-to-day aspects of their business and must now also face meeting the requirements of meaningful use, all in an environment in which they often do not understand the significance and risks associated with conducting ineffective security assessments. Given the complexity of regulations and evolving vulnerabilities and threats, we believed that automating the identification of vulnerabilities both internally and externally was the only practical solution.”
Developed over an 18-month period in collaboration with nCircle, the leader in automated security and compliance auditing solutions, and leveraging the HITRUST Common Security Framework (CSF) and CSF Assurance program, the CSF Assessment for Small Organizations delivers a complete assessment of security risk and verification of security controls through a combination of a simple, forms-based questionnaire and automated internal and external vulnerability scans. The service, delivered through the HITRUST Assessment Portal and initially available to organizations with annual revenue less than $25 million, does not require any special skills, resources or additional hardware or software. A wizard-based process makes it possible for anyone, regardless of skill level, to provide the necessary data and receive accurate, prioritized information about network vulnerabilities and weaknesses along with information on how to fix problem areas.
The questionnaire and scan results are analyzed by HITRUST and incorporated into a HITRUST CSF Validated report, which can aid an organization in complying with the HITRUST CSF, addressing meaningful use, and meeting regulatory requirements such as HIPAA. The report also provides a consistent representation of risk exposure and benchmarking results against similar organizations. In addition to the assessment report, an organization will be provided with the detailed vulnerability scanning information collected during the assessment so it has the complete details on any gaps in its information protection environment and can address or seek assistance as appropriate.
“When HITRUST approached us, the ability to comprehensively and practically scan behind the firewall without installing software or appliances had never been done before,” said Abe Kleinfeld, President and Chief Executive Officer, nCircle. “nCircle’s experience with automated security and compliance auditing solutions combined with HITRUST’s unique requirements for assessing information security in small healthcare organizations, led us to develop a breakthrough in state-of-the-art security scanning. nCircle PureCloud, with its ability to eliminate firewall configuration changes and software or hardware deployment on a customer's internal network, is the perfect complement to the HITRUST solution. We look forward to working with HITRUST to continuously add new capabilities.”
The standard report, which is already accepted and understood by many organizations, can be used to meet the risk assessment requirements of HIPAA and meaningful use, and communicate an organization’s state of security to third parties, such as business associates and health information exchanges. The report can also be used, along with the scan results, to seek remediation assistance and solutions from third-party information security consultants and technology vendors. HITRUST is allowing organizations to run additional scans free of charge during the first 90 days following the initial scan in order to verify the status of their remediation efforts.