Group unveils first-of-its-kind standard to secure patient data

A health care industry coalition on Monday released a prescriptive security framework that organizations can use to safeguard patient records as they increasingly move online.

The framework, released by the Health Information Trust Alliance (HITRUST) -- which represents health care providers, pharmacies, insurers, biotech firms and medical device manufacturers -- is based on well-known standards such as COBIT, NIST and ISO 27001.

But this is the first benchmark developed specifically for protecting health data.

"It's tailored to protecting health information right out of the gate," Michael Wilson, vice president and chief information security officer of McKesson, the largest U.S. pharmaceutical distributor, told on Monday. "It's just a different sort of data. It's still structured [like other verticals], but there's a lot more of it in health care."

The framework was created to improve adoption rates with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and increase patient confidence in the security of their information. It also arrives on the heels of the new $787 billion economic stimulus bill, about $20 billion of which is earmarked to encourage health care organizations to adopt electronic health records as a way to reduce the number of medical errors and save money. The stimulus bill, in itself, contains strict privacy and security regulations for patient information.

The standards took about 18 months to devise and can be implemented by organizations of any size, according to HITRUST.

"2009 will be a turning point for information security in the health care industry, when organizations will begin implementing the framework...and create a cascading effect that will impact and benefit the entire health care ecosystem," Daniel Nutkis, CEO of HITRUST, said in a news release.

Wilson said the framework also will enable companies such as McKesson to show their customers and business partners that they are taking security and privacy seriously.

"We think we have some pretty good controls in place, but how do we demonstrate that?" he said. "Reputation, overall, is the issue for large organizations in this space. We invest a lot of money in McKesson, but it's hard to reflect that in terms of sound controls because we're such a large organization."

Though placing electronic health records online enables sharing of information among hospitals and plan providers, it also raises the risk of compromise, Wilson said.

"If you forget to put the firewall on, you open it up to how many people?" he asked rhetorically. "The risks in terms of breach dramatically go up in the electronic patient health scenario."

For more information on purchasing the framework, pricing for which starts at $1,875 for a five-year license, visit
