"As predicted, HITRUST has seen a marked increase in the frequency and sophistication of cyber attacks targeted at healthcare organizations," said Daniel Nutkis, chief executive officer, HITRUST. "What is raising concerns is the amount of personal health information misappropriated from health plans and providers that is for sale on the various hacker forums. As the sophistication and intensity of cyber attacks increase, HITRUST believes it is more critical than ever that healthcare organizations have the appropriate safeguards in place and a means by which to review their current level of preparedness."
More than a year ago, HITRUST recognized the need to address growing concerns about the state of cybersecurity within the healthcare industry and established the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3). The HITRUST C3 provides cyber threat intelligence and incident coordination specific to healthcare organizations and acts as a vehicle for sharing cyber threat information between healthcare organizations and the government. The signing of the White House Cybersecurity Executive Order in February 2013 has only added to the awareness and sensitivity of the risks associated with cyber threats and the escalating need for cybersecurity preparedness.
The HITRUST Cybersecurity Working Group was established to review the CSF and ensure the controls fully incorporate best practices consistent with the various risk factors related to cybersecurity for healthcare organizations. Given the increasing volume, sophistication and risks associated with cyber attacks perpetrated on healthcare organizations and increased awareness by legislators and regulators, HITRUST believes there is real value in providing additional guidance to organizations wanting to review their current level of preparedness.
"HITRUST remains committed to providing organizations with the resources and tools with which they can establish a comprehensive approach to risk management, encompassing not only compliance-related functions, but expanding to other areas of risk such as cybersecurity," said Dr. Bryan Cline, vice president, CSF development and implementation, HITRUST. "It is important for the healthcare industry that overall risk management and safety are not compromised in the sole pursuit of complying with regulations and standards."
With this guidance, organizations not yet assessing themselves against all the CSF controls will be able to focus immediately on the specific set of CSF controls that are highly related to cybersecurity. They will then be well positioned to complete a full CSF assessment in the future.
The working group will meet at HITRUST's annual conference in May 2013 to receive industry comments and finalize the guidance. HITRUST does not expect significant changes to the guidance and is releasing the guidance in its current state so that organizations are not delayed in assessing their cybersecurity preparedness.
The working group is also responsible for coordinating the submission of HITRUST's recommendations to the National Institute of Standards and Technology (NIST) relating to the development of a national Cybersecurity Framework as outlined in the Executive Order.
HITRUST is committed to ensuring the CSF incorporates relevant standards, regulations and guidance and will update the CSF to address the NIST Cybersecurity Framework, once released, to continue providing a single risk management framework for healthcare. It is important that organizations incorporate cybersecurity requirements as part of their overall information protection risk management strategy and not as an independent set of requirements. Organizations can download a white paper published by HITRUST that describes a basic risk management framework (RMF) and details the HITRUST RMF.
The new cybersecurity guidance is available for review via HITRUST Central.
The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.