In response to these needs, HITRUST has established the CSF Ready Program to develop criteria and provide consistency for how information security products and services are evaluated; thus, reducing the complexity and aiding in the procurement process for both large and small organizations faced with identifying and implementing security solutions.
"Many healthcare organizations are hampered by IT staff resources and don't have the time to research all the security solution options available for protecting electronic health records and meeting HIPAA regulations," said Mick Coady, worldwide vice president, in CA, Inc.'s Security Management business. "The HITRUST CSF Ready Program aims to ease that due diligence burden and give the healthcare industry a starting point for sourcing the security technology that will help reduce risk, improve security and meet compliance mandates."
Industry leaders from the security assurance and information security communities are participating in the program and are committed to providing the necessary guidance and resources to support healthcare organizations in making informed purchasing decisions. The program will be coordinated by a steering committee led by co-chairs ICSA Labs (NYSE: VZ) and McAfee (NYSE: MFE) and founding members CA (NASDAQ: CA), Cisco Systems (NASDAQ: CSCO), nCircle, NSS Labs, RSA, The Security Division of EMC (NYSE: EMC), Symantec (NASDAQ: SYMC), Trend Micro (TSE: 4704) and VeriSign (NASDAQ: VRSN). In addition, an advisory committee, consisting of security professionals representing healthcare organizations, has been established to provide guidance and interact with the other committees. The program is seeking additional participants from the security assurance, information security and healthcare communities to ensure that input from a variety of organizations and the industry overall is considered.
"With security becoming a pillar of every healthcare organization, the industry warrants attention and criteria directed at information security products that are applicable to their unique needs," said Stuart McClure, vice president of operations and strategy for McAfee's Risk and Compliance Business Unit. "The success of an organization's information security efforts should not be deterred by a complicated evaluation and selection process. It is this group's intent to provide acceptable capability guidance for organizations of all sizes so they can achieve a higher level of confidence that a product does what it claims it can do for them."
Efforts of the steering committee and sub-committees will be centered on the creation of criteria focused to aid organizations in determining a product's capabilities, functionality, effectiveness and support of security practices, and aid in HITRUST CSF compliance. The committees will take into account both the functional and technical requirements for protecting personal health information.
The criteria developed will be the basis for which products or services are evaluated by independent entities to achieve CSF Ready status. The CSF Ready designation will enable organizations to more quickly assess that a product or service does what is expected of it and meets the requirements of the CSF.
The output from the CSF Ready Program is not intended to replace other high-security certifications, but is meant to establish an alternative for organizations trying to streamline compliance costs while at the same time working to comply with the numerous evolving state and federal regulations and industry standards. The program's goal is to establish criteria commensurate with the level of risk associated with protecting personal health information. As part of this effort, the committee members will identify and leverage acceptable capabilities and existing independent certifications that meet or exceed them. Thus, products already obtaining various certifications will be able to more easily obtain CSF Ready status, as well as allow those obtaining the CSF Ready designation to have a stepping stone to other high-security certifications.
Continuing with its goal to provide actionable guidance and resources to healthcare organizations, HITRUST is also launching a beta version of the HITRUST CSF Products and Services Guide, an online resource that allows IT security and compliance professionals to search for solutions based on the CSF. Technology and services providers can list their solutions and provide detailed information on how their solutions specifically address and map to multiple CSF controls.
Healthcare organizations can then search the guide based on CSF control, product, service or company name.
The guide is available through HITRUST Central (HITRUSTcentral.net), the online community specifically for healthcare information security professionals. Access to HITRUST Central is available at no charge to qualified healthcare organizations.
"It has been HITRUST's goal from the beginning to enable and lead organizations in protecting health information, and as the healthcare industry matures and takes security more seriously we are positioned to respond with appropriate guidance and resources," said Daniel Nutkis, Chief Executive Officer, HITRUST. "Given the criticality of selecting solutions, the CSF Ready certification will be a vital part of how products and services will be selected in the future."
Visit HITRUSTalliance.net/csfready for more information on the CSF Ready Program and to get involved. Visit HITRUSTalliance.net/guide for information on accessing the guide and listing a solution.
About HITRUST The Health Information Trust Alliance (HITRUST) was born out of the belief that information security should be a core pillar or, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.