A new certification program could make it easier for healthcare organizations to decide whether their IT security products meet their compliance needs.The Health Information Trust Alliance--HITRUST--which was launched in 2007 by an alliance of healthcare professional service and IT vendors, announced today a program to evaluate and certify IT security products used in healthcare settings.
The new HITRUST certification program is aimed at helping healthcare organizations in their vetting process to determine whether IT security products comply with HIPAA criteria, as well as HITRUST's own Common Security Framework, which is free and was released in March. HITRUST's CSF is the first IT security framework developed specifically for healthcare information.
When healthcare organizations are selecting information security products ranging from firewalls to anti-virus software, there's a great deal of uncertainty and confusion whether those products comply to HIPAA and other security requirements important to the protection of personal health data, said Dan Nutkis, CEO of HITRUST in an interview with InformationWeek. The HITRUST certification will help, he said.
"Organizations are struggling to identify products" that meet security requirements for healthcare environments, which aren't as stringent as some classified government agencies, but are more intense than some workplaces and businesses, he said. "The local florist doesn't need the same level of security, except for credit cards," he said.
In a statement, HITRUST said the new program will be coordinated by a steering committee - led by ICSA Labs, McAfee, CA, Cisco, nCircle, NSS Labs, RSA, the security division of EMC, Symantec, Trend Micro and VeriSign - "with guidance by an advisory committee of security professionals from health plans, providers, pharmacies, data exchanges and service providers."
Evaluations for the certification will be done by independent third parties, not HITRUST, said Nutkis, who estimates it will cost vendors between $5,000 and $7,500 for the evaluation. "The goal was not to make it too costly," and inhibitive to smaller vendors seeking certification, he said.
InformationWeek has published an in-depth report on e-health and the federal stimulus package. Download the report here (registration required).