Group unveils first-of-its-kind standard to secure patient data

A health care industry coalition on Monday released a prescriptive security framework that organizations can use to safeguard patient records as they increasingly move online.

The framework, released by the Health Information Trust Alliance (HITRUST) -- which represents health care providers, pharmacies, insurers, biotech firms and medical device manufacturers -- is based on well-known standards such as COBIT, NIST and ISO 27001.

But this is the first benchmark developed specifically for protecting health data.

"It's tailored to protecting health information right out of the gate," Michael Wilson, vice president and chief information security officer of McKesson, the largest U.S. pharmaceutical distributor, told on Monday. "It's just a different sort of data. It's still structured [like other verticals], but there's a lot more of it in health care."

The framework was created to improve compliance with regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and to increase patient confidence in the security of their information. It also arrives on the heels of the new $787 billion economic stimulus bill, about $20 billion of which is earmarked to encourage health care organizations to adopt electronic health records as a way to reduce the number of medical errors and save money. The stimulus bill itself contains strict privacy and security regulations for patient information.

The standards took about 18 months to devise and can be implemented by organizations of any size, according to HITRUST.

"2009 will be a turning point for information security in the health care industry, when organizations will begin implementing the framework...and create a cascading effect that will impact and benefit the entire health care ecosystem," Daniel Nutkis, CEO of HITRUST, said in a news release.

Wilson said the framework will also enable companies such as McKesson to show their customers and business partners that they are taking security and privacy seriously.

"We think we have some pretty good controls in place, but how do we demonstrate that?" he said. "Reputation, overall, is the issue for large organizations in this space. We invest a lot of money in McKesson, but it's hard to reflect that in terms of sound controls because we're such a large organization."

Though placing electronic health records online enables sharing of information among hospitals and plan providers, it also raises the risk of compromise, Wilson said.

"If you forget to put the firewall on, you open it up to how many people?" he asked rhetorically. "The risks in terms of breach dramatically go up in the electronic patient health scenario."

For more information on purchasing the framework, pricing for which starts at $1,875 for a five-year license, visit