Health IT group to offer security certification to vendors

The Health Information Trust Alliance will certify security products against its Common Security Framework

The Health Information Trust Alliance (HITRUST) announced today the creation of a program to certify IT security products against its Common Security Framework for information.

The CSF Ready program will be guided by a steering committee of major IT security companies and labs. It will develop criteria for independent evaluation of health IT security products and services that will enable compliance not only with the framework but also with federal regulations for handling and securing the sensitive information.

The program comes as the government is preparing to invest $20 billion in the development of a health IT infrastructure and is preparing standards for the secure exchange of health information, as well as new, stiffer regulations to ensure the privacy of that data.

The Health Information Technology for Economic and Clinical Health Act, or HITECH, was passed as part of the American Reinvestment and Recovery Act. As a result of financial incentives and technology development programs included in the legislation, the Congressional Budget Office has estimated that up to 90 percent of doctors and 70 percent of hospitals will be using comprehensive electronic health records within the next decade.

“With security becoming a pillar of every organization, the industry warrants attention and criteria directed at information security products that are applicable to their unique needs,” Stuart McClure, vice president of operations and strategy for McAfee’s Risk and Compliance Business Unit, said in announcing CSF Ready. The certification program is intended to give the industry a starting point in sourcing security technology.

Under the HITECH Act, an Office of National Coordinator for Health Information Technology in the Health and Human Services Department was designated to create a nationwide health IT infrastructure. It also is supposed to develop standards for the exchange of data by the end of the year, and establish a voluntary certification program that will be conducted by the National Institute of Standards and Technology.

In addition to grants and loans to help put the health IT infrastructure into place, physicians and hospitals will receive financial incentives through Medicare and Medicaid to adopt and use electronic health records. Physicians will be eligible for $40,000 to $65,000 for using the technology, and hospitals will be eligible for several million dollars. The incentives will continue for several years and will be phased out over time.

At the same time, Medicare payments will be reduced for providers that do not use certified electronic health records.

HITECH also requires notification of breaches of unencrypted health information. New stringent privacy requirements will require patient authorization for the release and use of their information and will let patients request audit trails of all disclosures of their data. It also will shut down an emerging secondary market for the sale and mining of patient health information without the patient’s authorization.

The HITRUST CSF Ready program is intended to give the health care industry a basis for evaluating products that will enable compliance with these and other regulations. The program will incorporate existing security certifications that are in line with its own framework, easing the task for vendors obtaining multiple independent certifications.

“The program’s goal is to establish criteria commensurate with the level of risk associated with protecting personal health information,” the alliance said in its announcement.

The CSF Ready steering committee is led by co-chairs ICSA Labs and McAfee and will include HITRUST member companies CA; Cisco Systems; nCircle; NSS Labs; RSA, the security division of EMC; Symantec; Trend Micro; and VeriSign.

About the Author

William Jackson is a Maryland-based freelance writer.
