Jul 1, 2008

Dallas – July 1, 2008 – The Health Information Trust Alliance (HITRUST) today announced that it is on target to deliver the first-ever Common Security Framework (CSF) by January 2009, thanks to the efforts of the leading health care organizations, professional services firms, information security specialists, liability insurers and other organizations that have joined together to actively participate in the HITRUST CSF program.

“The HITRUST CSF program is critical to effectively safeguarding electronic health information,” said Daniel S. Nutkis, CEO, HITRUST. “As it is a substantial and complicated undertaking, we are very fortunate to have such capable, respected and committed organizations participating as part of our Drafting and Review Working Groups. I am amazed by the diversity and number of leading organizations with varying specialties participating in the HITRUST CSF program,” Nutkis added.

“As one of HITRUST’s founding organizations, I am very pleased to see that so many leaders in the industry have chosen to join us and support the development of a common security framework,” said Jonathan Roberts, Senior Vice President and Chief Information Officer, CVS Caremark. “We at CVS Caremark have known for some time that the creation of the common security framework was a vital and missing component to effectively and efficiently protecting sensitive health information,” Roberts added.

The HITRUST CSF is a comprehensive set of tools to aid organizations that create, store, access or exchange
electronic health, financial, and other sensitive information in protecting their information assets and managing related risks, costs and complexities. The HITRUST CSF is comprised of three components – an Information Security Implementation Manual, a Standards and Regulations Cross- Reference Matrix, and a Readiness Assessment Toolkit. The Information Security Implementation Manual is a certifiable, best–practice based specification that scales according to the type, size, and complexity of an organization to provide prescriptive implementation guidance.

“BearingPoint has dedicated significant resources to the development of the HITRUST CSF,” said Dr. Ross
Martin, director of Health Information Convergence for the firm. “As a leading provider of risk, compliance and security solutions, BearingPoint believes the development of a common security framework is critical, not just for protecting electronic health information, but also in minimizing the costs and complexities associated with securing electronic health information.”

“The HITRUST CSF program is creating what has been lacking in the healthcare industry, relating to information security guidance and clarity. By being prescriptive, it removes the confusion, inconsistencies and variability that have existed to date, in how organizations have implemented security measures. Although it is a new specification, it has leveraged existing U.S. and internationally accepted security standards where available and appropriate,” said G. Christopher Hall, Partner – Security, Accenture Technology Consulting.

“The availability of a comprehensive and prescriptive information security implementation manual, developed and agreed on by so many industry leaders, will establish a bar for appropriate information security measures in the healthcare industry, and impact how we as a liability underwriter evaluate and write potential policies,” said Paul Bantick, Senior Underwriter – Technology, Media & Business Service, Beazley Group plc.

“As an organization that recognizes the importance of electronic health record, personal health record, and
information exchanges to improving quality and better management of medical expenses, we also recognize that a critical component to achieving their potential is confidence by business partners, regulators and consumers that safeguards are in place to protect sensitive health information,” said Robert Mandel, MD, MBA, Vice President, Health Care Services, Blue Cross Blue Shield of Massachusetts. “The HITRUST CSF allows organizations to better understand the appropriate safeguarding measures and communicate their efforts in a uniform manner to their partners,” Mandel added.

The HITRUST Standards and Regulations Cross-Reference Matrix is a resource for organizations to understand
how implementation of the HITRUST Information Security Implementation Manual relates to and addresses other
standards, as well as legal, contractual and regulatory requirements. Organizations who are already certified to or have a mandate for other standards such as ISO 27001 can easily integrate this with their current framework. “I see the HITRUST CSF as an opportunity to bring some structure and consistency to the way information security is implemented in the U.S. healthcare industry,” said John DiMaria, Product Manager – Business Continuity and ITSM, BSI Management Systems of America. “Since the HITRUST Information Security Implementation Manual is prescriptive, it removes the multiple interpretations that have caused issues with inconsistent implementations and audits in the past,” DiMaria added.

“As an information security professional in the healthcare industry, I have struggled to identify a practical strategy and approach that appropriately addresses risk, and which can be implemented and accepted by management, finance, internal and external auditors, and trading partners. The HITRUST CSF provides a consistent framework by which a healthcare organization can address security challenges,” said Michael Frederick, Director – Office of Information Security and Chief Information Security Officer, Baylor Health Care System.

“The development of the HITRUST CSF takes the healthcare industry a giant step forward in managing risk and protecting privacy. It also establishes a benchmark that can be applied to non-covered entities, such as those providing personal health records (PHRs) to consumers. The HITRUST CSF is crucial to address the concerns of patients, policymakers and others,” said Dr. Larry Ponemon, Chairman and founder, Ponemon Institute.

The HITRUST Common Security Framework version 2009 will be available for license later this year. More
information on the HITRUST CSF can be found on the company’s website at www.hitrustalliance.org/csf or by
calling (469) 587-2250.

About the HITRUST

The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. Security is critical to the broad adoption, utilization of and confidence in health information systems, medical technologies and electronic exchanges of health information. This, in turn, is critical to realizing the related promise of quality improvement and cost containment in America’s healthcare system. HITRUST is collaborating with healthcare, business, technology, and information security leaders to establish a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the first-ever common security framework, HITRUST is also driving adoption and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit www.hitrustalliance.org.