Getting serious about health care security

Feb. 17, 2009 will long be remembered as the day things changed for good for entities covered by the Health Insurance Portability and Accountability Act (HIPAA), their business associates, and vendors of personal health records and their third-party service providers. 

More than a year later, compliance with the Health Information Technology for Economic and Clinical Health (HITECH) Act is in full effect, and with it mandatory notification of breaches of unsecured protected health information (PHI), with breaches affecting 500 or more individuals also reported to the U.S. Department of Health and Human Services (HHS). HITECH also raised the civil penalty ceiling to $1.5 million per calendar year for all violations of an identical provision, and extended enforcement authority to state attorneys general. Together, these changes have sharply increased the cost of noncompliance.

Certainly the governance effort needed to comply with a growing body of statutory and regulatory requirements is not a simple task. Yet given examples such as Connecticut Attorney General Richard Blumenthal's lawsuit against Health Net, and breaches being disclosed on the HHS website nearly every week, identifying and implementing a comprehensive compliance strategy is critically important.

The Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) is a freely available standard that synthesizes the multitude of controls, processes, and procedures required by HIPAA, HITECH, the Payment Card Industry Data Security Standard (PCI DSS), the Federal Trade Commission's Red Flags Rule, and the Massachusetts data security and privacy law, among others, into a single prescriptive, risk-based framework. 

The CSF is further grounded in industry best-practice standards such as ISO/IEC 27001 and 27002, NIST SP 800-53 and SP 800-66, and COBIT 4.0, and it tailors the controls it requires of an organization according to organizational, system, and regulatory risk factors. 

Additionally, compliance can be demonstrated against either a baseline subset of requirements (CSF validated) or the framework in its entirety (CSF certified). In May, WellPoint, the largest health plan company in the Blue Cross and Blue Shield Association, announced that it would accept both "as a way to evaluate and verify its business partners' capabilities for protecting health information."

For organizations wishing to adopt the standard, incremental adoption options include licensing HITRUST's assurance program tools and methodologies for self-assessment (CSF validated only), or engaging one of a select number of HITRUST-qualified, certified CSF assessors to perform either a remote validation (CSF validated only) or an onsite assessment (CSF validated or certified).

Following assessment, entities seeking CSF validated status that are found not to be wholly compliant may submit a corrective action plan, which HITRUST reviews and scores, together with the assessment findings, against comparable industry data. Findings for wholly compliant entities are similarly reviewed and scored before certification is issued.

Another strength of the CSF is its best-practice-based, defense-in-depth approach. Taken as a whole, the framework is neither narrowly control-centric nor overly process-reliant; it gives insight into organizational challenges while setting a clear direction toward information assurance.

The health care industry and its regulatory environment are changing. Competing pressures to improve quality and reduce medical expenses are increasing, as are both the volume of PHI and the number of ways it is stored and transmitted. To control risk and limit liability, the approach to information security must be standardized and efficient. 

Though the average health care compliance officer may understand these complexities, communicating a concise direction throughout an organization, so that PHI does not end up in the Dumpster out back, may require a new approach, if not something more.

Adopting a practical compliance approach is a good start.