Integrated Security Configuration Packs simplify and strengthen the protection of 3rd party Health Information Systems including EHRs and medical devices

Apr 3, 2009

Frisco, TX – April 3, 2009 – With the industry on the verge of broad scale adoption of health information technology – including the move to electronic health records by 2014 as mandated by the American Recovery and Reinvestment Act of 2009 – the Health Information Trust Alliance (HITRUST) today announced the development of Security Configuration Packs for the HITRUST Common Security Framework (CSF). The packs address the lack of guidance that users of third-party health information systems—including electronic health records systems and medical devices—face in securely configuring these systems. Coming on the heels of the Common Security Framework launch in March 2009, today’s announcement represents another major milestone for HITRUST in its mission to create a higher level of trust in the industry by providing a holistic suite of tools and services to assist healthcare organizations with efficiently and consistently protecting sensitive health information.

“The HITRUST Common Security Framework provides a control framework for our information protection program, and Security Configuration Packs will be a key component. The Common Security Framework is a resource for us to achieve a higher level of information protection in a more efficient manner. It is not a new standard, but a prescriptive how-to manual that provides a consistent benchmark for the industry,” said Bryan S. Cline, Ph.D., CISSP-ISSEP and Director, Information Services Risk Management, The Children’s Hospital of Philadelphia.

While information for securely configuring and managing specialized enterprise systems is commonplace in other industries, it not widely available for the healthcare industry.

“Given the complexities of health IT applications, the objective is to provide a very specific security roadmap and eliminate any guesswork for healthcare organizations seeking HITRUST certification,” said Brian R. Fuller, Director of the Health Information Security Practice at BearingPoint, one of the accredited Common Security Framework service providers helping in the development of the HITRUST Security Configuration Packs.

HITRUST Security Configuration Packs will consist of implementation instruction manuals for reducing the risk of security and privacy breaches. These instructions and recommendations will address implementation, architecture, security settings, hardening of application platforms (i.e., operating systems, web server, databases and interfaces), maintenance and monitoring of configuration settings and establishing user privileges. The packs follow the security and compliance guidance outlined in the Common Security Framework and can be accessed through assessment and compliance management tools that automatically recommend to users the specific controls they need to implement. HITRUST is also collaborating with technology companies who provide vulnerability scanning and Governance Risk and Compliance (GRC) products as well as service providers to integrate this information in their products and services, enhancing the applicability of their solutions to healthcare organizations. These packs and associated tools are critical resources for healthcare organizations to strengthen their security posture in an effective and sustainable manner.

HITRUST has committed to provide its first Security Configuration Packs for the following applications: Cerner Millennium, Eclipsys Sunrise Acute Care, eClinicalWorks eClinicalWorks EMR, Epic Systems EpicCare Ambulatory EMR, Epic Systems EpicCare Inpatient, McKesson Provider Technologies Horizon Clinicals suite and McKesson Provider Technologies Practice Partner. HITRUST is also soliciting input on prioritizing the development of additional Security Configuration Packs. Those organizations interested in suggesting a Security Configuration Pack can do so at www.hitrustalliance.net/scp.

“Tools that provide guidance on securely configuring systems and automating the validation process enables us to achieve greater efficiencies and simplify compliance,” said M. David Wright, Manager of HIPAA Security, LifePoint Hospitals, Inc. “Having to develop and maintain the guidelines for configuring and validating individual systems ourselves is a complex and time-consuming process and represents a considerable upfront investment in both man-hours and dollars.”

“The Security Configuration Packs are another step forward in enhancing the level and efficiency of information protection. By collaborating with HITRUST, healthcare organizations and technology vendors are leveraging their combined resources to address security challenges for consistent adoption across the industry and at a fraction of the cost and resource of tackling these issues independently,” said Daniel Nutkis, Chief Executive Officer, HITRUST.

Pricing and Availability

Security Configuration Packs are offered as an add-on service to the Common Security Framework and are priced at $500 per application pack for a 12-month subscription, which includes updates made available during the subscription period. Security Configuration Packs are made available through HITRUST Central™ at www.hitrustcentral.net. An active HITRUST Central subscription is required. For ordering, availability or general information on Security Configuration Packs please visit www.hitrustalliance.net/scp.

HITRUST will also join BearingPoint at the 2009 Annual HIMSS Conference & Exhibition, April 4-8, 2009 in Chicago to demonstrate the Common Security Framework and HITRUST Central. Visit the BearingPoint booth #2410 on the HIMSS exhibit floor.

About HITRUST
The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption and utilization of health information technologies and exchanges. This, in turn, is critical to realizing the related promise of quality improvement and cost containment in America’s healthcare system. HITRUST is collaborating with healthcare, business, technology, and information security leaders to establish a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the first common security framework, HITRUST is also driving adoption and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit https://www.HITRUSTalliance.net.

#########

All product and company names herein may be trademarks of their respective owners.

Media Contact:
Leslie Kesselring
Kesselring Communications, LLC (for HITRUST)
503.358.1012
leslie@kesselring.net