Security solution providers can leverage the Health Information Trust Alliance's (HITRUST) Common Security Framework (CSF) to simplify and standardize their healthcare customers' path to HIPAA compliance.
The framework can also assist solution providers in navigating the overlapping labyrinth of other regulatory mandates and audit requests from partners, as well as relieve growing pressure applied by the Health Information Technology for Economic and Clinical Health (HITECH) Act to improve security around patient health information.
The HITRUST framework incorporates hundreds of relevant IT controls for the healthcare industry from other frameworks, such as NIST, ISO and COBIT, and regulations and industry mandates, including the Payment Card Industry Data Security Standard (PCI DSS), SOX and, of course, HIPAA.
The pressure to improve security has increased this year with the passage of HITECH, which requires business partners of primary healthcare information holders (i.e. hospitals and physicians) to comply with HIPAA privacy/security requirements. This puts the force of law behind what is already something of a crazy quilt of requests. The requirements for security assurance are continuing to grow in complexity as the healthcare industry matures.
Jason Taule, director of corporate information security for ViPS, a Baltimore, Md.-based consultancy and IT solution provider for the healthcare industry, said customers are beginning to ask demanding questions about security before they let solution providers handle their data.
"Five or six years ago, they might have asked five or six questions; it may have been a phone conversation," he said. "Now they are very extensive; very detailed. One had a 17-tab Excel spreadsheet with 2,700 questions."
The volume of these types of questions and the lack of a unified standard for assessing security are among the issues that the CSF seeks to address.
"In the worst case, I know of one organization that gets 696 different requests for attestation, audit or some sort of certification from trading partners," said HITRUST CEO Dan Nutkis. "The average is 200. We're trying to get that down to one universally."
Healthcare organizations have also struggled to meet audit and assurance requirements from business partners who either use their own criteria or any one of a number of standard frameworks. At the same time, these healthcare organizations often have separate, redundant compliance programs for different regulations.
As a result, ViPS developed a common framework of its own to deal both with its own compliance and audit needs and to help streamline customer compliance programs. When HITRUST introduced CSF, ViPS recognized its value as a potential standard and began using it as the basis for its security practice. This decision was validated when an increasing number of customers started asking about the HITRUST framework.
"It's really a question of efficiency," Taule said. "It makes more sense for all of us to be auditing ourselves and our partners to a common standard than to each do their own thing. It gives you an alternative to reduce costs and achieve the ultimate ends better, faster, cheaper."
Other solution providers have similar experiences.
"There's a lot of interest. Our customers are happy to see something like this emerge," said Yan Kravchenko, a security team lead for Network Security Professionals Inc. (Netspi), a Minneapolis, Minn.-based security consulting firm. "They're concerned with hopping from one leg to another with compliance. There's no prescriptive set of standards an organization can follow."
Healthcare organizations demonstrate CSF compliance through the HITRUST certification program. HITRUST supports CSF and the certification process through its portal, online community, training and various tools. HITRUST representatives say CSF, which was introduced in March of 2009, has already become the de facto standard for IT security and regulatory compliance.
"It's the most widely adopted and utilized framework in the healthcare industry by far," Nutkis asserted. "What we see driving CSF adoption is the ability for it to establish a level of trust, so that business partners understand what their partners are doing with security."
Paul Proctor, vice president of security and risk management for Stamford, Conn.-based Gartner Inc., said he will remain skeptical until he sees more organizations using CSF.
"If they [HITRUST] reach critical mass," he said, "what they will get is that if you [solution providers] find yourself in an enforcement action, being CSF certified will put you in a more defensible position."
Other VARs agree that the effectiveness of the framework will have to be proven over time. "There's a lot of interest, but it's a question of when will it be trusted more," said NetSPI's Kravchenko. "I think it will take one or two large companies to take the framework on, then be independently audited for different standards and be found compliant."