An Evolving Framework for Health Information Security

Health Information Trust Alliance (HITRUST), the Frisco, Texas-based provider of an industry-standard health information security methodology, has to keep up with the rapid change in the health information systems space.With participation that includes providers, health plans, and both private and public health information exchanges (HIEs), HITRUST describes its Common Security Framework (CSF) as a as a guide for the security requirements of healthcare organizations.For 2012, HITRUST is looking at the growing implementation of mobile devices, cloud computing, and HIEs in healthcare. The major release for next year’s CSF will be completed by December of this year.Dan Nutkis, chief executive officer of HITRUST, explains that with technology, regulation, and market dynamics always changing, the CSF must evolve to ensure relevance. Michael Frederick, chief information security officer of Baylor Health Care System, and a member of HITRUST’s executive council, says that threats come and go, and guidance on regulation changes periodically. “If you want to have something that people can trust, it needs to address new threats and risks when they come up and adapt to the regulations that come from the oversight bodies,” he adds. “It’s a constant work in progress.”

Dan NutkisNeed for UnityNearly five years ago, HITRUST was far from a work in progress, it only an idea, one that was borne from a basic, unfilled need within the healthcare IT security arena: unity, explains Nutkis. “The catalyst had a lot to do with a hodge-podge of inconsistencies, a lack of direction, and no clear understanding of what should be done,” he says. “When some healthcare organizations were doing things, they were actually penalized. Other organizations were doing nothing. Others were doing what they thought they should do, and it put them at a competitive disadvantage because they were perceived as difficult to deal with because they imposed a host of additional requirements. It really was quite a confusing time.”The upshot was that the confusion and penalties led many organizations to simply drop security from their systems. It was then the industry recognized that there was a need for a unified, consistent, prescribed approach on security implementation and HITRUST emerged as a neutral industry broker.One advantage of the CSF is that its comprehensiveness and specificity allows healthcare organizations to adopt a security approach based on its complexity and size, according to Nutkis. It also takes into account various federal and state-level regulations that an organization might encounter. He adds, “It begins to lay out what the expectations for you are with regard to information security.”HIE Growth Spurs DevelopmentThe initial push for HITRUST and the development of the CSF came about because of the persistence of several organizations, whose leaders thought the idea was worthwhile. Although adoption was initially slow, vendors recognized that it was easier and more convenient to have their services assessed against one comprehensive framework. The next tier of adopters, which ranged from large healthcare organizations to small physician practices, came on board and recognized how the framework could be adopted to their specific needs, Nutkis says.The growth of HIEs has led organizations like Health Information Partnership for Tennessee (HIP TN), a private company that manages and implements the statewide HIE, to get involved with HITRUST as well. Since the advent of HIEs, Keith Cox, chief executive officer of HIP TN, says there hasn’t been a focus on security and privacy regulations until recently. Cox says he has had frequent dialogue with HITRUST to codify security standards for HIEs.

Keith Cox“I knew for sure I wanted to get in early to put a footprint in HITRUST standards for the State of Tennessee and the work we are doing for HIP TN,” says Cox. “In any institution, you are only as secure as your weakest link. That could be someone in a remote corner of the state that shares data with you or it could be a large healthcare institution that has a problem with its policies. It’s important to enforce and give confidence to those who will consume and receive the benefits of this, and let them know you’re aligned with an organization that takes all that into consideration.”Cost Concerns As with any large-scale implementation, taking on the CSF has raised questions of cost for many organizations. However, those involved with HITRUST and the CSF say cost can come in one of two ways.“There is cost of implementation and cost of failure,” Cox says. “Most people will look at the cost of implementation as part of their normal IT budget and they might look at it as an additional cost in their budget to follow a set of prescribed standards around security. Secondarily, there is the cost of not adopting a HITRUST. You don’t want to be the most famous person in healthcare for losing records, data and things like that. So there’s cost.” Data breaches can damage a provider’s reputation but also cause significant monetary losses. In a 2010 report, HITRUST found 108 entities that submitted breach reports to the Office for Civil Rights (OCR) spent a total of $843 billion on violations to HIPAA.Baylor’s Frederick says that a healthcare organization’s investment in HITRUST will depend on where it stands in terms of security. Those who start from scratch will see a big investment over a two to four year period, while those who have already begun to explore security will be able to adopt it faster with less of a financial commitment, he notes.Evolving the Right WayAmid cost concerns, Nutkis says that HITRUST’s CSF will continue to evolve on a frequent basis to address the changing industry. While the major CSF for 2012 comes out in December, there are several minor releases with revisions that are released during the rest of the year. Most importantly for HITRUST, the organization will make sure the evolution is justified, he adds.“One of the concerns people have is ensuring organizations like HITRUST don’t become overly aggressive in making changes that aren’t warranted,” Nutkis says. “All of the changes we make have a downstream impact on those that are complying and remediating to meet them. We’ve tried to make sure we can substantiate the changes.”