New Guidance Designed to Bring Structure, Detail, and Clarity to Healthcare Information Security

March 4, 2009

The Common Security Framework, a Web-based set of principles that will help companies abide by federal, private, and security standards in the use of electronic health records (EHR) and related data, was unveiled Monday by a group of more than 50 participating health industry companies.

Randall Spratt, CIO and executive vice president of McKesson, said that the new approach, created by the Health Information Trust Alliance, also known as HITRUST, will “accelerate adoption of new technologies to improve health-care safety and efficiency, while safeguarding patient privacy.”

Supporters of the new framework said that the program can be used by both small and large health corporations to routinely put information technology (IT) security programs in place and that it will also allow participating groups to keep up to date with industry best practices.

“Until now, the lack of widely accepted information security standards has kept many providers on the healthcare IT sidelines,” Spratt said.

The new framework is also intended to help participants improve their existing internal IT security systems. Those who use the program will be able to stay alert for possible security breaches and unauthorized use of private information. The HITRUST Alliance has been under development for about two years, initiated by concerns among large corporations that an overhaul of health care data handling was needed to ensure security and privacy. In addition, according to the article, fears that smaller companies would lack the knowledge or ability to move forward also spurred the alliance. According to the Health Information Trust, the Common Security Framework:

- Leverages existing, globally recognized standards

- Scales according to type, size and complexity of an implementing organization

- Provides prescriptive requirements to ensure clarity

- Follows a risk-based approach offering multiple levels of implementation requirements determined by risks and thresholds

- Allows for the adoption of alternate controls when necessary

- Evolves according to user input and changing conditions in the healthcare industry and regulatory environment