HITRUST to seek government certification authority

Unlike CCHIT, which had asked for this authority last spring (resulting in a big controversy) HITRUST is not asking to be the exclusive certification authority. Only, no one else is doing the job right now, and Nutkis doesn't see why anyone would want to.

The Health Information Trust Alliance announced this week it is beginning the certification phase of its Common Security Framework (CSF) for hospital computer systems and networks.

The aim of HITRUST is to make certain health IT systems deliver both privacy and security, complying with the HIPAA law as hospitals move to electronic records.

In an interview today with ZDNet, HITRUST CEO Daniel Nutkis said the group's ambitions go further. It will be asking for government clearance to certify systems' security compliance with its procedures under the HITECH Act. (Note: HITRUST objected to the word security in the sentence above.)

Unlike CCHIT, which had asked for this authority last spring (resulting in a big controversy) HITRUST is not asking to be the exclusive certification authority. Only, no one else is doing the job right now, and Nutkis doesn't see why anyone would want to.

"This is the defacto standard," he said. "There is no competition, no alternative approach. It is the most widely adopted framework and gaining traction. There are still many organizations that do nothing. There was no standard previously."

While CCHIT was seeking to certify that suites created viable Electronic Health Records, HITRUST's charge goes deeper.

HITRUST's goal is to make sure that systems not only work, but that they're configured properly to maintain security and managed properly as well. It does the first through what it calls "security configuration packs," which make certain passwords are of the right length and that there's a system for regularly updating the software to prevent vulnerabilities.

Nutkis said the "meaningful use" definition adopted by the Administration mentions security in terms of HIPAA and the need for assessments. " <!-- @page { margin: 0.79in } P { margin-bottom: 0.08in } -->That's pretty broad, and there's not a lot of guidance. We'll suggest what an assessment will look like and what the guidance should be. We'll make some announcements on that topic."

There are two key differences here with the CCHIT approach:

  1. HITRUST has a broader charter, with expectations for how a system is configured and managed.
  2. HITRUST is not asking to be the exclusive certification authority, although no competition presently exists.

It will be interesting to see how the industry and government reaction to Nutkis' ambitions.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All