• United States



by Senior Editor

Secure Electronic Medical Records: Fact or Fiction?

Mar 03, 20093 mins
Access ControlApplication SecurityCompliance

The Health Information Trust Alliance's new Common Security Framework (CSF) is designed to address new requirements mandated by the American Recovery and Reinvestment Act of 2009. But will it work?

Healthcare organizations still nursing the scars of HIPAA compliance and data breaches have gotten behind a new security framework to address potential headaches brought on by the American Recovery and Reinvestment Act of 2009.

Members of the Health Information Trust Alliance (HITRUST) gathered in San Francisco Monday to unveil the Common Security Framework (CSF), the first IT security framework designed specifically for healthcare data loss prevention.

CSF will be delivered as a service through a new online community called HITRUST Central. HITRUST CSF version 2009 and HITRUST Central are available starting at $1,875, the organization said. The cost will be higher for larger organizations.

Work on CSF began 18 months ago in response to HIPAA security challenges and the growing wave of data breaches in the health sector and elsewhere. [See related content: 4 Years of Data Breaches]

But the need for a health sector-based set of security standards was amplified by the recent passage of President Obama’s economic stimulus package, which includes federal funds for the widespread deployment of electronic medical records. [See related content: Security Challenges of Electronic Medical Records]

Russell Pierce, CISO at CVS Caremark, said the push to digitize medical records is fraught with potential security problems, making it crucial that health organizations get behind a more specific set of security guidelines.

“We’ve seen a lot of difficulty in the health sector in terms of how one evaluates the security of third parties, especially when it comes to what third parties are doing to satisfy HIPAA’s security requirements,” Pierce said in a phone interview. “There have been some significant inconsistencies on that front.”

One problem is HIPAA itself, which many security practitioners see as more a list of suggestions than a specific set of requirements. The law has been open to interpretation, and HITRUST hopes its CSF will put more organizations on the same page in terms of what must be done to improve security. The move is especially timely, Pierce said, because the healthcare sector is going to see a new burst of activity in response to Obama’s call for more digitized records.

Pierce said the CSF is designed to scale. In other words, the framework is designed to get organizations of varying size on the same security page, whether it’s private practices, hospitals and health plan providers or pharmacies, pharmaceutical manufacturers, data exchanges and clearing houses.

“The CSF will also help in determining compliance against the myriad of business partner requirements as well as the numerous evolving state and federal regulations and industry standards,” HITRUST said in a statement. “The CSF cross-references and harmonizes regulations such as The American Recovery and Reinvestment Act of 2009 and the Protection of Personal Information of Residents of the Commonwealth of Massachusetts as well as nationally and globally recognized standards such as ISO, NIST, COBIT, HIPAA and PCI.”

McKesson Corp. CISO Michael Wilson said in a telephone interview that Obama’s push for more efficiency through health IT is great, but that it comes with risk that must be addressed with more specific guidelines. He believes the HITRUST CSF is a step in that direction.

“Having all-electronic records means you need to sharpen the privacy and security around it,” he said.

Wilson is optimistic HITRUST Central will help everyone stay on the same page. HITRUST Central is the primary resource for healthcare IT security and compliance professionals to access the CSF and self-assessment tools. The online service also offers professional networks to share comprehensive CSF knowledge and best practices through forums and exchanges. It also includes blogs and downloadable documentation and training materials.