Skip Links

Secure Electronic Medical Records: Fact or Fiction?

By Bill Brenner, CSO
March 03, 2009 01:00 PM ET

CSO - Healthcare organizations still nursing the scars of HIPAA compliance and data breaches have gotten behind a new security framework to address potential headaches brought on by the American Recovery and Reinvestment Act of 2009.

Members of the Health Information Trust Alliance (HITRUST) gathered in San Francisco Monday to unveil the Common Security Framework (CSF), the first IT security framework designed specifically for healthcare data loss prevention.

CSF will be delivered as a service through a new online community called HITRUST Central. HITRUST CSF version 2009 and HITRUST Central are available starting at US$1,875, the organization said. The cost will be higher for larger organizations.

Work on CSF began 18 months ago in response to HIPAA security challenges and the growing wave of data breaches in the health sector and elsewhere. [See related content: 4 Years of Data Breaches]

But the need for a health sector-based set of security standards was amplified by the recent passage of President Obama's economic stimulus package, which includes federal funds for the widespread deployment of electronic medical records. [See related content: Security Challenges of Electronic Medical Records]

Russell Pierce, CISO at CVS Caremark, said the push to digitize medical records is fraught with potential security problems, making it crucial that health organizations get behind a more specific set of security guidelines.

"We've seen a lot of difficulty in the health sector in terms of how one evaluates the security of third parties, especially when it comes to what third parties are doing to satisfy HIPAA's security requirements," Pierce said in a phone interview. "There have been some significant inconsistencies on that front."

One problem is HIPAA itself, which many security practitioners see as more a list of suggestions than a specific set of requirements. The law has been open to interpretation, and HITRUST hopes its CSF will put more organizations on the same page in terms of what must be done to improve security. The move is especially timely, Pierce said, because the healthcare sector is going to see a new burst of activity in response to Obama's call for more digitized records.

Pierce said the CSF is designed to scale. In other words, the framework is designed to get organizations of varying size on the same security page, whether it's private practices, hospitals and health plan providers or pharmacies, pharmaceutical manufacturers, data exchanges and clearing houses.

"The CSF will also help in determining compliance against the myriad of business partner requirements as well as the numerous evolving state and federal regulations and industry standards," HITRUST said in a statement. "The CSF cross-references and harmonizes regulations such as The American Recovery and Reinvestment Act of 2009 and the Protection of Personal Information of Residents of the Commonwealth of Massachusetts as well as nationally and globally recognized standards such as ISO, NIST, COBIT, HIPAA and PCI."

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News