Recent headlines about security breaches at major healthcare companies have only underscored the need for companies to work harder at securing their environments. One way for a company to measure its program's effectiveness is through audited compliance with an established security framework. Popular frameworks, in one form or another, such as those from NIST and ISO, are the foundation of many security programs. But this choice among different frameworks, or the customization of one, has created a problem when companies try to compare their programs with those of business associates for compliance purposes.
Currently there is no standard security framework in the healthcare industry. This means that companies that have selected a framework to follow, and that look to validate vendors and business associates (BAs) against that standard for compliance, are creating a burdensome environment. Vendors find themselves responding to long questionnaires and providing large amounts of documentation as auditors try to map one program onto another. This is an inefficient process, and it keeps many people busy with audits instead of working on other security initiatives.
One organization, HITRUST, is looking to become the healthcare industry's standard security framework. Based primarily on the ISO international standard, blended with the best of the other frameworks and with healthcare security as its focal point, it aims to give healthcare companies a standard that we can all agree on. Third-party attestations of compliance would streamline the company-to-company audit process significantly. MRIoA is taking a serious, deep-dive evaluation of HITRUST compliance. Our hope is that an industry standard can someday be established for the betterment of healthcare security and for the efficiencies it would bring to the audit process. I would love to hear your feedback on HITRUST and whether your company is considering it. Please email me your thoughts at firstname.lastname@example.org.
Don Murphy, Jr. MS, CISSP
Vice President, Information Technology