
HITRUST to seek government certification authority

Written by Dana Blankenhorn

The Health Information Trust Alliance announced this week it is beginning the certification phase of its Common Security Framework (CSF) for hospital computer systems and networks.

The aim of HITRUST is to make certain health IT systems deliver both privacy and security, complying with the HIPAA law as hospitals move to electronic records.

In an interview today with ZDNet, HITRUST CEO Daniel Nutkis said the group's ambitions go further. It will be asking for government clearance to certify systems' security compliance with its procedures under the HITECH Act. (Note: HITRUST objected to the word security in the sentence above.)

Unlike CCHIT, which had asked for this authority last spring (resulting in a big controversy), HITRUST is not asking to be the exclusive certification authority. But no one else is doing the job right now, and Nutkis doesn't see why anyone would want to.

"This is the de facto standard," he said. "There is no competition, no alternative approach. It is the most widely adopted framework and gaining traction. There are still many organizations that do nothing. There was no standard previously."

While CCHIT was seeking to certify that suites created viable Electronic Health Records, HITRUST's charge goes deeper.

HITRUST's goal is to make sure that systems not only work, but that they're configured properly to maintain security and managed properly as well. It does the first through what it calls "security configuration packs," which make certain passwords are of the right length and that there's a system for regularly updating the software to prevent vulnerabilities.

Nutkis said the "meaningful use" definition adopted by the Administration mentions security in terms of HIPAA and the need for assessments. "That's pretty broad, and there's not a lot of guidance. We'll suggest what an assessment will look like and what the guidance should be. We'll make some announcements on that topic."

There are two key differences here with the CCHIT approach:

  1. HITRUST has a broader charter, with expectations for how a system is configured and managed.
  2. HITRUST is not asking to be the exclusive certification authority, although no competition presently exists.

It will be interesting to see how the industry and government react to Nutkis' ambitions.
