HITRUST unveils framework for healthcare data loss prevention
The Health Information Trust Alliance (HITRUST) has unveiled the Common Security Framework (CSF), an IT-security framework designed for healthcare data loss prevention.

The need for a healthcare sector-based set of security standards has been amplified by the recent passage of President Barack Obama's economic stimulus package, which includes federal funds for the widespread deployment of EMRs. HITRUST said CSF can aid in determining compliance against the myriad of business partner requirements, state and federal regulations and industry standards.

According to Network World, one problem with HIPAA is that many security practitioners see it as more a list of suggestions than a specific set of requirements, making the standard open to interpretation. HITRUST said that it hopes its CSF will put more organizations on the same page in terms of what must be done to improve security.

The CSF will be available as a service through the new online community, HITRUST Central. The online service also offers professional networks to share comprehensive CSF knowledge and best practices through forums and exchanges. It also includes blogs and downloadable documentation and training materials.

The HITRUST CSF version 2009 and HITRUST Central are available immediately, starting at $1,875 for a five-user license and increasing depending upon organization size.

Practical Applications

A few examples of how the HITRUST CSF could be applied throughout the healthcare system include:
  • Hospitals and providers can use the framework to determine how physicians gain secure and timely access to patient records both onsite and remotely;
  • Health plan providers can use the framework to securely exchange patient data with physicians, as well as provide and protect online access to patient medical records and financial data;
  • Data exchanges can use the framework to standardize expectations among many different business partners--each with their own set of rules and regulations concerning data security--on a single certification benchmark and reporting process;
    Pharmacies will use the framework as a tool to align expectations and practices around common security controls;
  • Device manufacturers will use the framework to level set expectations with their hospital and healthcare provider customers to improve the way security controls are implemented for their medical systems;
  • Technology vendors providing Health Information Management and EMR systems can use the framework to design standardized security capabilities into their products to protect health information accessed on those systems; and
  • Service providers and professional services firms can use the framework to help their clients adopt security best practices that are tailored for the healthcare industry; for example as a basis for services such as security assessments, policy definition, solution implementation and certifications.