HITRUST Releases New Guidance for Healthcare Organizations to Assess Cybersecurity Preparedness

April 10, 2013
by John DeGaspari
Rise in Cyber Threats Targeted at the Healthcare Industry Leads to Increased Industry Awareness

In response to heightened awareness and concerns about cyber threats, attacks and incidents, the Health Information Trust Alliance (HITRUST) announced today new guidance for healthcare organizations wanting to assess the state of their cybersecurity preparedness. The guidance identifies an appropriate subset of controls within the HITRUST Common Security Framework (CSF) that are most directly related to detecting and thwarting cyber-related breaches and allows organizations to assess against the cyber-specific controls and receive a snapshot of their cyber capabilities and readiness. 

“As predicted, HITRUST has seen a marked increase in the frequency and sophistication of cyber attacks targeted at healthcare organizations,” said Daniel Nutkis, chief executive officer, HITRUST. “What is raising concerns is the amount of personal health information misappropriated from health plans and providers that is for sale on the various hacker forums. As the sophistication and intensity of cyber attacks increase, HITRUST believes it is more critical than ever that healthcare organizations have the appropriate safeguards in place and a means by which to review their current level of preparedness.”

More than a year ago, HITRUST established the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3). The HITRUST C3 provides cyber threat intelligence and incident coordination specific to healthcare organizations and acts as a vehicle for sharing cyber threat information between healthcare organizations and the government. The signing of the White House Cybersecurity Executive Order in February 2013 has added to the awareness and sensitivity of the risks associated with cyber threats and the escalating need for cybersecurity preparedness, according to HITRUST.

The HITRUST Cybersecurity Working Group was established to review the CSF and ensure the controls fully incorporate best practices consistent with the various risk factors related to cybersecurity for healthcare organizations. Given the increasing volume, sophistication and risks associated with cyber attacks perpetrated on healthcare organizations and increased awareness by legislators and regulators, HITRUST believes there is real value in providing additional guidance to organizations wanting to review their current level of preparedness, according to the group.

With this guidance, organizations not yet assessing themselves against all the CSF controls will be able to focus immediately on the specific set of CSF controls that are highly related to cybersecurity. They will then be well positioned to complete a full CSF assessment in the future.

The working group will meet at HITRUST’s annual conference in May 2013 to receive industry comments and finalize the guidance. HITRUST does not expect significant changes to the guidance and is releasing the guidance in its current state so that organizations are not delayed in assessing their cybersecurity preparedness. The working group is also responsible for coordinating the submission of HITRUST’s recommendations to the National Institute of Standards and Technology (NIST) relating to the development of a national Cybersecurity Framework as outlined in the Executive Order.

Organizations can download a white paper published by HITRUST that describes a basic risk management framework (RMF) and details the HITRUST RMF. 

The new cybersecurity guidance is available for review via HITRUST Central.
