
HITRUST to seek government certification authority

By | July 24, 2009, 10:25am PDT

Summary: Unlike CCHIT, which had asked for this authority last spring (resulting in a big controversy) HITRUST is not asking to be the exclusive certification authority. Only, no one else is doing the job right now, and Nutkis doesn’t see why anyone would want to.

The Health Information Trust Alliance announced this week it is beginning the certification phase of its Common Security Framework (CSF) for hospital computer systems and networks.

The aim of HITRUST is to make certain health IT systems deliver both privacy and security, complying with the HIPAA law as hospitals move to electronic records.

In an interview today with ZDNet, HITRUST CEO Daniel Nutkis said the group’s ambitions go further. It will be asking for government clearance to certify systems’ security compliance with its procedures under the HITECH Act. (Note: HITRUST objected to the word security in the sentence above.)

Unlike CCHIT, which had asked for this authority last spring (resulting in a big controversy) HITRUST is not asking to be the exclusive certification authority. Only, no one else is doing the job right now, and Nutkis doesn’t see why anyone would want to.

“This is the defacto standard,” he said. “There is no competition, no alternative approach. It is the most widely adopted framework and gaining traction. There are still many organizations that do nothing. There was no standard previously.”

While CCHIT was seeking to certify that suites created viable Electronic Health Records, HITRUST’s charge goes deeper.

HITRUST’s goal is to make sure that systems not only work, but that they’re configured properly to maintain security and managed properly as well. It does the first through what it calls “security configuration packs,” which make certain passwords are of the right length and that there’s a system for regularly updating the software to prevent vulnerabilities.

Nutkis said the “meaningful use” definition adopted by the Administration mentions security in terms of HIPAA and the need for assessments. “That’s pretty broad, and there’s not a lot of guidance. We’ll suggest what an assessment will look like and what the guidance should be. We’ll make some announcements on that topic.”

There are two key differences here with the CCHIT approach:

  1. HITRUST has a broader charter, with expectations for how a system is configured and managed.
  2. HITRUST is not asking to be the exclusive certification authority, although no competition presently exists.

It will be interesting to see how the industry and government react to Nutkis’ ambitions.

Disclosure

Dana Blankenhorn

Dana Blankenhorn has been a journalist, writer and part-time futurist for over 30 years. At the present moment I run only a personal blog in addition to my ZDNet open source blog. DanaBlankenhorn.Com has the subtitle The War Against Oil. In the past I have used it to write about political history, e-commerce, personal matters, some ideas related to open source, and The World of Always On, which is the idea of using sensors, motes and RFID to turn WiFi links into platforms for applications which live in the air. My IRA account at Schwab holds a few tech shares, most notably some Intel and Applied Materials, but there are no open source companies in it. I don’t even own any CBS stock.

Biography

Dana Blankenhorn

Dana Blankenhorn has been a business journalist since 1978, and has covered technology since 1982. He launched the Interactive Age Daily, the first daily coverage of the Internet to launch with a magazine, in September 1994.
2 Comments

RE: HITRUST to seek government certification authority
e_bluecat@... 27th Jul 2009
There is a huge third key difference that is missing in this post:

CCHIT certifies EHR product functionality in addition to privacy, security, interoperability, etc.

HITRUST might go deeper into privacy and security issues, but this would certify only a small portion of what is required to meet requirements for meaningful use and get federal incentives.

This would mean that in addition to HITRUST, you'd have to go to another certifying organization (e.g. CCHIT or if new certifying orgs get created) to round out the rest of the certification required for HHS. In sum, you'd piecemeal together certifications to qualify for incentives.
HITRUST - More Than Another System Certification
Dan Nutkis, HITRUST Updated - 25th Jul 2009
Thank you, Dana, for helping bring clarity to these important issues. HITRUST believes that establishing trust in our healthcare system is critical for the successful adoption of electronic health records and other health information systems. Toward this end there is a need for many different types of certifications and standards - supported by recent HHS statements and press recognition - and HITRUST wishes to clarify a few points attributed in your recent post.

As you point out, the HITRUST Common Security Framework (CSF) addresses the need for a broader level of security certification - for the organization as a whole (people, processes, policies) and not just the systems (technology) where organizations such as CCHIT predominantly address. In fact, these two approaches support each other: an organization can adopt a CCHIT certified system meeting their security requirements, but if the application, underlying database or operating system aren't appropriately configured, the system is left exposed and vulnerable. This is one of the areas that the HITRUST CSF addresses.

HITRUST is committed to providing a framework that is flexible enough to meet the requirements of whatever the federal government deems to be appropriate under the "privacy and security requirements of meaningful use," as well as other federal and state regulations governing the protection of health information applicable to healthcare organizations.

By adopting a single security framework, healthcare organizations can move away from redundant audits and gain the guidance they need now to protect their systems in a consistent and efficient manner - while ensuring compliance with evolving regulations.

My comments around seeking government support related specifically to providing some assurances and safe harbor for those organizations proactively adopting the HITRUST CSF as a means of safeguarding health information. The role of HITRUST is not to certify health information systems.

We are thrilled that the HITRUST CSF has become the defacto-standard for the protection of health information and addresses this critical need of a single assessment and overarching certification, and we welcome further discussion with you, your readers and government.