Release of Common Security Framework major milestone for industry in commitment to greater electronic health information protection and growing regulatory compliance

Mar 2, 2009

San Francisco – March 2, 2009 – With the dramatic rise in breaches, theft of patient health data and the increase in regulatory requirements such as those mandated by the American Recovery and Reinvestment Act of 2009 – healthcare organizations and their business partners are now under intense pressure and scrutiny regarding security and privacy. But without a fundamental change in approach the industry will continue to see inconsistencies in the interpretation of regulations, inefficiencies and unacceptably high costs in the exchange of health information, and lagging adoption of standards (such as HIPAA) that have plagued the protection of health information technology in this complex market.

To address this “implementation” gap, the Health Information Trust Alliance (HITRUST) representing the healthcare industry spectrum – from health providers, plans and data exchanges to pharmacies, biotech firms and device manufacturers – has stepped up and will unveil the Common Security Framework (CSF) today at its 2009 launch in San Francisco, California. Hosted by McKesson Corporation, the event also features industry leaders from Accenture, Archer Technologies, Baylor Health Care System, Cisco Systems, CVS Caremark, Humana, Kaiser Permanente, and others discussing real world challenges and examples. To view the live web cast visit: www.hitrustalliance.net/launch.

“Until now, the lack of widely accepted information security standards has kept many providers on the health care IT sidelines, and has been a source of apprehension for many patients when it came to electronically sharing their medical information,” said Randall N. Spratt, Chief Information Officer and Executive Vice President, McKesson and host of the HITRUST CSF launch. “The leadership of HITRUST and its diverse membership will be critical in overcoming a significant roadblock for virtually every player in the industry. Combined with the healthcare IT incentives contained in the American Recovery and Reinvestment Act, the HITRUST framework should help accelerate the adoption of technologies that will dramatically improve the safety and efficiency of America’s health care system.”

The CSF, which represents an 18-month effort led by a full-time team and tens of thousands of hours from healthcare, professional services and information technology organizations, is the first IT security control framework developed explicitly for healthcare information. This prescriptive and certifiable framework is the only approach available that makes it cost effective and practical for organizations of any type and size – scaling from private practices, hospitals and health plan providers to pharmacies, pharmaceutical manufacturers, data exchanges and clearing houses – to implement security programs in an appropriate risk-based and consistent way. The CSF will also help in determining compliance against the myriad of business partner requirements as well as the numerous evolving state and federal regulations and industry standards. The CSF cross-references and harmonizes regulations such as The American Recovery and Reinvestment Act of 2009 and the Protection of Personal Information of Residents of the Commonwealth of Massachusetts as well as nationally and globally recognized standards such as ISO, NIST, COBIT, HIPAA and PCI.

“HITRUST is important to the health care industry and Humana, and will generate increased confidence among health care consumers,” said Jon Moore, Chief Information Security Officer, Humana. “During this time of economic insecurity, health care and health-benefits companies have an opportunity for an immediate benefit through the HITRUST Common Security Framework. It responds to a range of regulatory challenges with a consolidated set of controls and implementation guidelines which enable companies to confidently deploy and maintain strong security practices.”

“Adopting the CSF will create consistency in how health care organizations nationwide control patient information. Standardizing security will create better protection of patient information and give peace of mind to patients and caregivers as wide scale adoption of electronic health records becomes a reality,” said Michael Frederick, Chief Information Security Officer, Baylor Health Care System.

“2009 will be a turning point for information security in the healthcare industry – when organizations will begin implementing the framework they have spent the last 18 months developing and create a cascading effect that will impact and benefit the entire healthcare ecosystem,” said Daniel Nutkis, CEO, HITRUST.

HITRUST CSF Delivered as a Service via Industry’s First Online Community: HITRUST Central

HITRUST also announced today that the CSF will be delivered as a service through the new online community, HITRUST Central™. HITRUST Central is the primary resource for healthcare IT security and compliance professionals to access the CSF and self-assessment tools. This online service also offers professional networks to share comprehensive CSF knowledge and best practices through forums and exchanges, understand industry issues and events through authoritative blogs, and download documentation and training materials.

HITRUST Central will also provide important implementation support such as how to use Alternate Controls – an innovative approach to allow for the temporary adoption of standardized short- and long-term compensating strategies for systems that cannot meet the CSF’s requirements; and Application Security Packs – which address the lack of detailed information for the design, configuration and implementation of applications such as health information management and electronic medical record systems.

HITRUST also outlined today other key elements of its overarching 2009 Security Services Architecture, including Certification, Accreditation and Training processes as well as Reporting Exchanges to significantly simplify how organizations report and track compliance with regulatory and business partner requirements – all of which will be made available through HITRUST Central this year.

A broad range of organizations will announce their application security packs, third-party services around HITRUST certification, and contributions to the HITRUST Central community – including Accenture, Archer Technologies, BearingPoint, Cisco Systems, McKesson Corporation, PricewaterhouseCoopers, VeriSign, and others.

“Healthcare organizations are under increased regulatory scrutiny, and the cost of demonstrating compliance is skyrocketing. The ability to implement a framework for managing internal controls, mapping them to requirements and demonstrating compliance is more important than ever,” said Jon Darbyshire, founder and CEO, Archer Technologies. “Archer is pleased to support this need by delivering tools and services that aid in the adoption of the CSF.”

”Security of information is at the heart of any effective industry exchange, and the sensitivity of personal medical information makes this even more critical within healthcare,” commented Mike Denning, Senior Vice President, VeriSign Enterprise Security Services. “We are pleased be involved in helping ensure the integrity of data exchange through our efforts with the HITRUST CSF.

Practical Applications of the HITRUST CSF

Below are just a few examples of how the HITRUST CSF will be applied throughout the healthcare system to enhance security, reduce costs and comply with business, government and industry standards and regulations:
• Hospitals and healthcare providers will use the framework to determine how physicians gain secure and timely access to patient records both onsite and remotely
• Health plan providers will use the framework to securely exchange patient data with physicians as well as provide and protect online access to patient medical records and financial data
• Data exchanges will use the framework to standardize expectations among many different business partners – each with their own set of rules and regulations concerning data security – on a single certification benchmark and reporting process
• Pharmacies will use the framework as a tool to align expectations and practices around
common security controls
• Device manufacturers will use the framework to level set expectations with their hospital and healthcare provider customers to improve the way security controls are implemented for their medical systems
• Technology vendors providing Health Information Management Systems and Electronic Medical Records Systems will use the framework to design standardized security capabilities into their products to appropriately protect health information accessed on those systems
• Service Providers and professional services firms will use the framework to help their clients adopt security best practices that are tailored for the healthcare industry; for example as a basis for services such as security assessments, policy definition, solution implementation and certifications

Availability and Pricing

The HITRUST CSF version 2009 and HITRUST Central are available immediately, starting at $1,875 for a 5-user license and increasing depending upon organization size. To register for HITRUST Central and to gain access to HITRUST CSF, please visit www.hitrustcentral.net.

About HITRUST
The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption and utilization of health information technologies and exchanges. This, in turn, is critical to realizing the related promise of quality improvement and cost containment in America’s healthcare system. HITRUST is collaborating with healthcare, business, technology, and information security leaders to establish a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the first common security framework, HITRUST is also driving adoption and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit https://www.HITRUSTalliance.net.

#########

All product and company names herein may be trademarks of their respective owners.

Media Contact:
Leslie Kesselring
Kesselring Communications, LLC (for HITRUST)
503.358.1012
leslie@kesselring.net