Could HITRUST CSF be the PCI equivalent for the healthcare industry?


Posted by Phoram Mehta on Mon, Feb 22, 2010 @ 09:42 AM
It's a known fact that information security for businesses is often "reactive" rather than proactive. Compliance has historically been even worse. Releasing standards and regulations alone has had pretty much no effect. Firms don't take the necessary steps to achieve compliance until they, or someone else in their own industry, get burned by the government, or until the industry starts penalizing organizations that don't meet the compliance requirements.

Take the case of PCI compliance: everybody was aware of credit card theft and cybercrime for a long time before Visa and the other card brands created their own versions of a cardholder security program. Even after the program had been in place for over three years, companies did not take it seriously until the card brands started levying fines and sanctions. Whether you hate it or love it, there is no doubt that PCI compliance has had a huge impact on raising the security baseline for all merchants accepting credit cards.

HIPAA, which technically has been in existence since 1996, did not really take hold until the early 2000s. In fact, not many organizations cared to show compliance until April 2003, which was the deadline after which fines could be levied. The problem with HIPAA, though, was that it was too vague and open to interpretation by companies or third-party consultants offering HIPAA audits. With the advent of HITECH in 2009, people finally feel that HIPAA has some teeth, as the updated guidelines are now more specific and the incentives and fines tied to compliance are clearly laid out.

Even with HITECH, there is still a lot of specificity left to be achieved, and that is where the HITRUST Alliance enters the picture. HITRUST's CSF is the only healthcare-centric security framework that can be used by organizations of all sizes. In addition to being an amazing aid for HITECH assessment, the CSF can also be used for all the leading industry standards, such as PCI, ISO, NIST, CMS, etc. HITRUST is constantly adding new state and federal regulations that can help healthcare organizations with their compliance requirements. In fact, just last week they announced an update for the Massachusetts Data Protection Regulation 201 CMR 17.00 and opened it for comment from the healthcare community.

One has to wonder if HITRUST can be that impetus, that final push. Will it be the PCI compliance of healthcare that will enable CISOs and security evangelists within U.S. healthcare facilities to obtain the support and commitment required from management to offer better protection to sensitive data in their control? Time will tell - and I, for one, am excited to find out.
