Consortium Releases Guidance on Managing Cybersecurity

The Health Information Trust Alliance, a Frisco, Texas-based industry consortium focusing on healthcare information security, has issued new guidance to help provider and payer organizations use its Common Security Framework (CSF) to assess their state of cybersecurity preparedness. The group will offer a time for industry comments on the guidance at its annual conference May 20-23 in Dallas before releasing a finalized version.

It expedited the release of the guidance, however, as a result of the White House Cybersecurity Executive Order signed in February that called for healthcare organizations to improve their cybersecurity measures. Recently, dozens of security attacks on healthcare organizations have been reported across the country.

“HITRUST has seen a marked increase in the frequency and sophistication of cyber attacks targeted at healthcare organizations,” says Daniel Nutkis, the group’s CEO. “As the sophistication and intensity of the attacks increases, HITRUST believes it is more critical than ever that healthcare organizations have the appropriate safeguards in place and a means by which to review their current level of preparedness.”

HITRUST’s recent guidance is designed to enable healthcare organizations to home in on the specific set of controls within its CSF that focus on cybersecurity. It breaks down the organization’s 135 CSF controls into three categories based on their assessed relevance to cybersecurity threats. The controls are also grouped by their specific functions, such as access control policies, technical compliance checking, controls against mobile code, electronic messaging, electronic commerce services, online transactions, administrator and operator logs, fault logging, security requirements analysis and specification, and reporting security weaknesses.

HITRUST’s Cybersecurity Working Group reviewed the organization’s CSF to create the guidance for the industry, and plans to submit its recommendations for a healthcare cybersecurity framework and related set of best practices to the National Institute of Standards and Technology as part of the Executive Order.

“Organizations should note that any security control framework must be implemented fully—or as much as it can be tailored by the organization—in order to provide an acceptable reduction in risk,” according to the guidance.