The
Called HITRUST, the alliance last spring unveiled its Common Security Framework for electronic health information. The framework is an attempt to standardize health IT security best practices, standards and regulations in a single certifiable tool. The framework includes a best-practices security implementation manual, a cross-referenced standards and regulations matrix, and a readiness assessment toolkit.
But information security professionals and other purchasers often are confused as to which functions a particular product supports. The new certification program is an effort to classify security products by functionality to help providers and payers better understand the products that will help organizations fix the security gaps they have, says Daniel Nutkis, CEO of HITRUST. Criteria will focus on helping organizations determine a product's capabilities, functionality, effectiveness and support of security practices.
The alliance will not become a certifier, but will work with existing information security certifiers and vendors, and providers and payers to develop a certification program that other entities can operate, Nutkis says. "We're adopting criteria and processes by which third-parties can certify products."
A steering committee of security vendors and certifiers will develop the program, assisted by an advisory firm of health care provider and payer organizations. Steering committee members include certifying firms ICSA Labs and NSS Labs, and vendors McAfee, CA, Cisco Systems, nCircle, RSA, the security division of EMC, Symantec, Trend Micro and VeriSign.
Certification criteria will focus on the needs for securing protected health information.
Certified products would receive the "CSF Ready" designation to enable organizations to more quickly assess that a product or service does what is expected and meets the requirements of HITRUST's Common Security Framework.
HITRUST is seeking additional vendors and industry stakeholders to participate in the initiative. More information is available at
