Health IT group to offer security certification to vendors

The Health Information Trust Alliance (HITRUST) announced today the creation of a program to certify IT security products against its Common Security Framework for information.

The CSF Ready program will be guided by a steering committee of major IT security companies and labs. It will develop criteria for independent evaluation of health IT security products and services that will enable compliance not only with the framework but also with federal regulations for handling and securing the sensitive information.

The program comes as the government is preparing to invest $20 billion in the development of a health IT infrastructure and is preparing standards for the secure exchange of health information, as well as new stiffer regulations to ensure the privacy of that data.

The Health Information Technology for Economic and Clinical Health Act, or HITECH, was passed this as part of the American Reinvestment and Recovery Act. As a result of financial incentives and technology development programs included in the legislation, the Congressional Budget Office has estimated that up to 90 percent of doctors and 70 percent of hospitals will be using comprehensive electronic health records within the next decade.

“With security becoming a pillar of every organization, the industry warrants attention and criteria directed at information security products that are applicable to their unique needs,” Stuart McClure, vice president of operations and strategy for McAfee’s Risk and Compliance Business Unit, said in announcing CSF Ready. The certification program is intended to give the industry a starting point in sourcing security technology.

Under the HITECH Act, an Office of National Coordinator for Health Information Technology in the Health and Human Services Department was designated to create a nationwide health IT infrastructure. It also is supposed to develop standards for the exchange of data by the end of the year, and establish a voluntary certification program that will be conducted by the National Institute of Standards and Technology.

In addition to grants and loans to help put the health IT infrastructure into place, physicians and hospitals will receive financial incentives through Medicare and Medicaid to adopt and use electronic health records. Physicians will be eligible for $40,000 to $65,000 for using the technology, and hospitals will be eligible for several million dollars. The incentives will continue for several years and will be phased out over time.

At the same time, Medicare payments will be reduced for providers that do not use certified electronic health records.

HITECH also requires notification of breaches of unencrypted health information. New stringent privacy requirements will require patient authorization for the release and use of their information and will let patients request audit trails of all disclosures of their data. It also will shut down an emerging secondary market for the sale and mining of patient health information without the patient’s authorization.

The HITRUST CSF Ready program is intended to give the health care industry a basis for evaluating products that will enable compliance with these and other regulations. The program will incorporate existing security certifications that are in line with its own framework, easing the task for vendors obtaining multiple independent certifications.

“The program’s goal is to establish criteria commensurate with the level of risk associated with protecting personal health information,” the alliance said in its announcement.

The CSF Ready steering committee led by co-chairs ICSA Labs and McAfee, and will include HITRUST member companies CA, Cisco Systems, nCircle, NSS Labs, RSA, the security division of EMC, Symantec, Trend Micro and VeriSign.