An initiative that brings together health industry leaders and several IT security companies will try to set the bar for the security practices applied to electronic protected health information (EPHI), in an effort to level the playing field between companies that share sensitive data.


According to Daniel Nutkis, CEO of the recently formed Health Information Trust Alliance, the group's goal is captured in its acronym, HITRUST: to establish a level of trust among companies sharing data and to avoid a situation in which security practices are treated as a competitive advantage.


“We want to set the bar for the appropriate handling of personal health information so companies don't feel the need to audit trading partners who are accessing their data,” Nutkis said.


The founding members of HITRUST – CVS, Caremark, Cisco, Highmark, Hospital Corp. of America, Humana, Johnson & Johnson, Philips Healthcare, and Pitney Bowes – are preparing to survey a group of up to 155 stakeholders across all segments of the health care industry to develop what they are calling a Health Information Security Framework. The survey group is expected to include at least four major IT security players, in addition to Cisco.


According to Nutkis, the initiative is needed because current compliance requirements, such as the federal Health Insurance Portability and Accountability Act (HIPAA), focus on protecting an individual's privacy and leave wide latitude in how the security mechanisms that protect that privacy are interpreted.


“Now that we have seen the latitude [allowed] under HIPAA, there has been a groundswell to establish best practices so that security is not viewed as a competitive advantage,” he said.


Kimberly Gray, chief privacy officer of Highmark, Inc., a HITRUST member, noted that while “privacy” and “security” are often used as interchangeable terms, “they are distinct, but interrelated, concepts.”


“Health information privacy in the U.S. today focuses on keeping personal information confidential, and privacy policy is generally overseen by government and regulatory bodies. Security, on the other hand, is the mechanism to protect privacy and must be capable of quickly adapting to changes in the technology and industry landscape and is best left to the private sector,” Gray said.


Paul Connelly, CISO of Hospital Corp. of America, another HITRUST member, said that each company continuing to develop its own approach to security is no longer an option in an environment in which huge medical records databases can be accessed by individual doctors as well as by major health care providers.


“If we continue to go at security in our own ways, then at the end of the day we would be farther from, rather than closer to, appropriately protecting sensitive health information,” he said.


Nutkis said that data protection was just one component of the security issues to be addressed by the HITRUST survey, which will ask companies to rank their security practices in terms of scalability and effectiveness, among other factors.


Nutkis noted that current security measures vary widely across the health industry. For example, some organizations use numeric passwords on their data systems that are changed every 45 days, while others use alphabetic passwords that are changed only twice a year.


“We want to know what is working and what is needed to raise the level of security for everyone in the industry,” he said.