A new certification program offers help to VARs in guiding healthcare industry customers to security products that best address the requirements for HIPAA and other compliance and audit requirements.
The Health Information Trust (HITRUST) Alliance is developing the program; it is in early development stages. It can be considered HITRUST's response to healthcare organizations' need for independent evaluation of products' capabilities to meet more than 100 IT security control specifications under a dozen categories (access control, risk management and incident response to name a few) laid out in its Common Security Framework (CSF).
HITRUST began work on the "CSF Ready" certification after deciding that its CSF Guide, in which vendors list their products and explain how they map to the framework, wasn't enough.
"Healthcare organizations were concerned that all vendors were doing was marketing-ese with no depth or substance," said HITRUST CEO Daniel Nutkis. "They're [healthcare organizations] entitled to understand that when it [the product] says it has this capability, that it has that capability. The CSF Ready seal will show products have obtained a basic level of attestation or certification."
"Think of it [the CSF Ready certification] as a kind of filter," said Al Potter, senior consulting analyst at ICSA Labs, a vendor-neutral product-testing division of Mechanicsburg, Pa.-based Verizon Business. ICSA Labs and McAfee Inc. co-chair the program's steering committee, a group put together by the alliance to define the program and its certification.
"As a VAR, there are five or six products you might propose for capabilities required by the framework. There are all sorts of factors to consider, but the CSF Ready certification could help narrow the focus."
The certification is focused on security, not simply compliance, said Rick Moy, president of steering committee member NSS Labs, an independent security product testing and certification organization based in Carlsbad, Calif.
He said the healthcare industry has not only standard IT devices such as computers, switches, routers and firewalls, but also specialized equipment, including MRI machines and health monitors, all connected via Ethernet and, ultimately, to the Internet. The certified products need to be effective enough to secure that vast environment in its entirety.
What VARs can expect from the HITRUST Common Security Framework certification
HITRUST's intent is for VARs to use the CSF Ready certification as a differentiator to sell their vendor partners' products, but Moy thinks it will only be of value to them "if it provides real guidance on differences between products."
"When dealing with healthcare customers, CSF will help [IT solution providers] communicate to customers on how they comply by explaining how certain controls meet certain requirements," said Blake Sutherland, HITRUST vice president of products and services, "and help them choose the technologies they implement to help meet those requirements."
At this point, VARs wonder what the CSF Ready certification will mean to customers in the long run, and which products will be certified. The task of answering these questions falls to the steering committee and the three subcommittees it will oversee. Each subcommittee is assigned one of three initial security technologies: vulnerability assessment scanners, firewalls and endpoint protection. These were chosen because they are mature and well understood. HITRUST expects to add technologies once the first certification programs are established.
It's unlikely that HITRUST will evaluate products to the point where they will rank their capabilities, Sutherland said. But he thinks it's possible that the healthcare community could weigh in on particular products based on their experiences with them.
"At a minimum," Sutherland continued, "we will have to say these are the ones that will meet acceptable criteria, and this is how it will help you meet the requirements of CSF if implemented correctly."
Where possible, HITRUST will avoid forcing vendors to undergo additional product testing, instead allowing them to leverage existing certifications if they match CSF controls. So, for example, CSF Ready might accept certification by ICSA, NSS or another lab such as FISMA.
The willingness to recognize other certifications and the choice to evaluate the three established technologies mentioned above as the first certification categories could mean that there will be "at least initial or interim guidance" sooner rather than later, perhaps before the end of Q1 2010, Sutherland said, and potentially before the first CSF Ready product certifications are announced.
While HITRUST representatives strongly believe the certification program will have merit, some caution that it's still too early to judge whether it will make a big splash in the industry. "Solution providers should keep an eye on this to see how it evolves," Moy said. "It's really early."