Group unveils first-of-its-kind standard to secure patient data

A health care industry coalition on Monday released a prescriptive security framework that organizations can use to safeguard patient records as they increasingly move online.

The framework, released by the Health Information Trust Alliance (HITRUST) -- which represents health care providers, pharmacies, insurers, biotech firms and medical device manufacturers -- is based on well-known standards such as COBIT, NIST and ISO 27001.

But this is the first benchmark developed specifically for protecting health data.

"It's tailored to protecting health information right out of the gate," Michael Wilson, vice president and chief information security officer of McKesson, the largest U.S. pharmaceutical distributor, told SCMagazineUS.com on Monday. "It's just a different sort of data. It's still structured [like other verticals], but there's a lot more of it in health care."

The framework was created to improve adoption rates with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and increase patient confidence in the security of their information. It also arrives on the heels of the new $787 billion economic stimulus bill, about $20 billion of which is earmarked to encourage health care organizations to adopt electronic health records as a way to reduce the number of medical errors and save money. The stimulus bill, in itself, contains strict privacy and security regulations for patient information.

The standards took about 18 months to devise and can be implemented by organizations of any size, according to HITRUST.

"2009 will be a turning point for information security in the health care industry, when organizations will begin implementing the framework...and create a cascading effect that will impact and benefit the entire health care ecosystem," Daniel Nutkis, CEO of HITRUST, said in a news release.

Wilson said the framework also will enable companies such as McKesson to show their customers and business partners that they are taking security and privacy seriously.

"We think we have some pretty good controls in place, but how do we demonstrate that?" he said. "Reputation, overall, is the issue for large organizations in this space. We invest a lot of money in McKesson, but it's hard to reflect that in terms of sound controls because we're such a large organization."

Though placing electronic health records online enables sharing of information among hospitals and plan providers, it also raises the risk of compromise, Wilson said.

"If you forget to put the firewall on, you open it up to how many people?" he asked rhetorically. "The risks in terms of breach dramatically go up in the electronic patient health scenario."

For more information on purchasing the framework, pricing for which starts at $1,875 for a five-year license, visit www.hitrustcentral.net.
