healthcare security | Blog

Solutionary Blog and Bloggers

Solutionary is an information security company. What does that mean? Simply put, we help businesses protect their assets, remain fully secure and safe online, and maintain and adhere to compliance regulations and standards. Solutionary's blog will be a place to learn about and discuss a wide variety of security and compliance topics.

Solutionary Bloggers:

Brad Curtis, Compliance Manager
Jon Heimerl, Director of Strategic Security
Mike Hrabik, President and CTO
Don Gray, Chief Security Strategist
Court Little, Director of Strategic Security
Joseph Blankenship, Senior Director of Product Marketing and Strategy
Doug Picotte, Regional Technical Manager
Rob Kraus, Senior Security Consultant
Scott Simpson, Director, Security Consulting Services
Brian Reed, Regional Technical Manager

Solutionary Minds - Your Information Security Blog Source


Coming Soon to a Hospital near You – HITECH Incentives and Certification Requirements

Posted by Court Little on Wed, May 26, 2010 @ 09:14 AM
Now that the healthcare reform bill is passed and changes are set to be implemented, one may wonder, what's going on with HITECH. I hope that many healthcare organizations have brought it up in a steering committee meeting or some other important discussion. It certainly is the topic of the day at all major conferences and healthcare events happening across the country.

HIMSS, largely regarded as "the conference" for Healthcare IT, had HITECH front, back and center on its agenda. The recently held CIO Healthcare Summit also had HITECH as its keynote presentation: "Monitoring for Security, Privacy, and Compliance - And Doing it Proactively," given by Bryan McDowell, Enterprise Security Architect at Stanford University Hospitals and Clinics, along with Don Gray, Chief Security Strategist at Solutionary.

The discussion has shifted from "What is HITECH?" to "How do we comply?" If your organization is still struggling to understand the legislation and its applicability, there are hundreds of resources on the web that can give you a fairly decent idea of what it really means to you as an individual provider and as a hospital/healthcare facility. However, most folks are trying to find the best way to earn a piece of the $34 billion stimulus to be awarded under the HITECH Act to those firms that can show that they are "meaningful users" of "Certified EHR Technology" starting as early as calendar year 2011.

The Interim Final Rule released by HHS on January 13, 2010 clarified the much anticipated regulations on establishing the requirements for eligible providers to earn Medicare and Medicaid electronic health record (EHR) incentives by demonstrating that they are "meaningful users" of Certified EHR Technology.

There has also been guidance on how an organization gets its EHR certified and how to address all the functional as well as privacy and security requirements. These requirements get very specific in asking for certain minimum standards of security, but leave the implementation methodology for a specific certification criterion up to the organization.

For example, the general encryption standard requires that "a symmetric 128 bit fixed-block cipher algorithm capable of using a 128, 192, or 256 bit encryption key must be used (e.g., FIPS 197 Advanced Encryption Standard, (AES), Nov 2001)." However, whether the organization should use FDE (Full Disk Encryption) or FFE (File and Folder Encryption) is up to them, and the choice of algorithm (AES 128, 192, or 256, or Blowfish 128+) is also the organization's decision.

The privacy and security requirements also address:

1. General encryption and decryption of electronic health information
2. Encryption and decryption of electronic health information for exchange
3. Record actions related to electronic health information (i.e., audit log)
4. Verification that electronic health information has not been altered in transit
5. Cross-enterprise authentication
6. Record treatment, payment and health care operations disclosures
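A worked illustration of criteria 1, 2 and 4 above, added here as an example (not code from the post or from any certified EHR product), in Go using only its standard library: AES, the FIPS 197 cipher the criterion names, run in GCM mode so that the same operation that encrypts a record also detects alteration in transit, which a bare block cipher on its own does not give you. The key, record id and record contents are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM wraps AES, the 128-bit fixed-block cipher the criterion names, in GCM mode.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key that is not 128, 192 or 256 bits
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals one EHR record. GCM's authentication tag provides "verification
// that EHI has not been altered in transit"; header (e.g. a record id) is authenticated, not hidden.
func EncryptRecord(key, header, record []byte) (nonce, sealed []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize()) // fresh random nonce per record, never reused
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, record, header), nil
}

// DecryptRecord returns an error (and no plaintext) if nonce, header or ciphertext changed.
func DecryptRecord(key, header, nonce, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, sealed, header)
}
func main() {
	key := make([]byte, 32) // constructed 256-bit key; production keys come from a KMS or HSM
	rand.Read(key)
	hdr := []byte("record-id=12345") // constructed sample values
	nonce, sealed, _ := EncryptRecord(key, hdr, []byte("patient=Jane Doe; dx=..."))
	sealed[0] ^= 0x01 // simulate a single bit altered in transit
	_, err := DecryptRecord(key, hdr, nonce, sealed)
	fmt.Println("altered record rejected:", err != nil) // true
}
```

Whether the sealed bytes then go to a full-disk or file-level store, or across an exchange link, is the implementation choice the criteria leave open.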

Now, the big question is how to assess whether the current controls are sufficient (most likely they aren't). The bigger question is how to achieve and demonstrate compliance in the most cost-efficient manner. This is certainly the question that I believe many CIOs and CISOs with a vision and strategy must be thinking about. Based on what I have seen out there, all I can say is: have you looked at HITRUST CSF?


Breaking the Audit Cycle

Posted by Court Little on Fri, Mar 19, 2010 @ 09:25 AM
In today's world, especially among folks dealing with information security, it seems that the security provisions put in place to protect "information" are just not enough. This too often appears true whether the information is Personal Health Information (PHI), or Personal Identification Information (PII), or Credit Card Holder data (CCH) or even just information about where you shop.

In response to these inadequacies, governments and private organizations have created myriad standards and regulations with which businesses must comply. In the last decade alone, we've seen the creation of SOX, PCI, a number of state regulations, and now HITECH for protecting sensitive information. Regardless of whether yours is a public or a private company, local, regional, national, or multinational, you probably have to go through at least a few audits every year.

One common thread when undergoing an audit is the scramble to collect - and on most occasions, generate - documentation and evidence required to prove compliance. The audit team gathers whatever they can and somehow submits it to the auditors/assessors. The most challenging part is that this happens during the next audit and the next audit after that - it really is a never-ending cycle.

Compliance management is a well-known problem; there is no silver bullet. An effective and efficient compliance management solution requires the following three components to work harmoniously: process, people, and technology.

Process: To change an audit from an unpleasant experience to something that's part of "normal" operations, create a business process for compliance management. With senior management support as its key prerequisite, a compliance management program that is aligned with clearly defined objectives can be very effective, especially when the right combination of people and technology is deployed to execute the program.

People: Regardless of whether you have qualified (and available) internal staff, or choose to partner with consulting firms, you need resources with established expertise in the area. In the short term you can get help performing pre-assessment and associated remediation, and in the long term you are able to integrate the requirements into the compliance management and information security programs, or create one if one doesn't exist. Whichever way you decide to proceed, the end result should be a competent team of individuals responsible for managing and maintaining compliance.

Technology: It's a shame that there really aren't enough solutions in the market that can help organizations with their overall compliance management programs. Those that are available are limited to some parts of technical compliance, or not as widely known; hence, many companies are still using Excel spreadsheets. Simply stated, organizations need a central point or portal that can be used to collect status responses for all applicable requirements, along with required documents and evidence needed to prove compliance. It would be even better if the tool included a mapping of requirements across all applicable regulations and standards. The idea is to automate as much of this process as possible so that the audit team can obtain all required information from one location during an audit.

Bottom line - if an organization wants to get away from the chaos that an audit creates, they must commit to putting together a compliance management program built on a process with clear objectives, a competent team with expert support, and the right automation tool with comprehensive and flexible coverage.


Could HITRUST CSF be the PCI equivalent for the healthcare industry?

Posted by Court Little on Mon, Feb 22, 2010 @ 09:42 AM
It's a known fact that information security for businesses is often "reactive" rather than being proactive. Compliance has historically been even worse. Releasing standards and regulations alone has had pretty much no effect. Firms don't take the necessary steps to achieve compliance until they, or someone from their own industry, get burned by the government and/or the industry starts penalizing organizations that don't meet the compliance requirements.

Take the case of PCI compliance: everybody was aware of credit card thefts and cybercrime for a long time before Visa and the other card brands created their own versions of a cardholder security program. Even after the program had been in place for over three years, companies did not take it seriously until the card brands started levying fines and sanctions. Whether you hate it or love it, there is no doubt that PCI compliance has had a huge impact in raising the security baseline for all merchants accepting credit cards.

HIPAA, which technically has been in existence since 1996, did not really take hold until the early 2000s. In fact, not many organizations cared to show compliance until April 2003, the deadline after which non-compliance could be fined. The problem with HIPAA, though, was that it was too vague and open to the interpretation of companies or third-party consultants offering HIPAA audits. With the advent of HITECH in 2009, people finally feel that HIPAA has some teeth, as the updated guidelines are now more specific and the incentives and fines tied to compliance are clearly laid out.

As for the specificity of HITECH, there is still a lot to be achieved, which is where the HITRUST Alliance enters the picture. HITRUST's CSF is the only healthcare-centric security framework that can be used by organizations of all sizes. In addition to being an amazing aid for HITECH assessment, the CSF can also be used for all leading industry standards such as PCI, ISO, NIST, CMS, etc. HITRUST is constantly adding new state and federal regulations to help healthcare organizations with their compliance requirements. In fact, just last week it announced the update for the Massachusetts Data Protection Regulation 201 CMR 17.00 for comment from the healthcare community.

One has to wonder if HITRUST can be that impetus, that final push. Will it be the PCI compliance of healthcare that will enable CISOs and security evangelists within U.S. healthcare facilities to obtain the support and commitment required from management to offer better protection to sensitive data in their control? Time will tell - and I, for one, am excited to find out.
