
HITRUST Releases New Guidance for Healthcare Organizations to Assess Cybersecurity Preparedness

April 10, 2013
by John DeGaspari
Rise in Cyber Threats Targeted at the Healthcare Industry Leads to Increased Industry Awareness

In response to heightened awareness and concerns about cyber threats, attacks and incidents, the Health Information Trust Alliance (HITRUST) announced today new guidance for healthcare organizations wanting to assess the state of their cybersecurity preparedness. The guidance identifies an appropriate subset of controls within the HITRUST Common Security Framework (CSF) that are most directly related to detecting and thwarting cyber-related breaches and allows organizations to assess against the cyber-specific controls and receive a snapshot of their cyber capabilities and readiness. 

“As predicted, HITRUST has seen a marked increase in the frequency and sophistication of cyber attacks targeted at healthcare organizations,” said Daniel Nutkis, chief executive officer, HITRUST. “What is raising concerns is the amount of personal health information misappropriated from health plans and providers that is for sale on the various hacker forums. As the sophistication and intensity of cyber attacks increase, HITRUST believes it is more critical than ever that healthcare organizations have the appropriate safeguards in place and a means by which to review their current level of preparedness.”

More than a year ago, HITRUST established the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3). The HITRUST C3 provides cyber threat intelligence and incident coordination specific to healthcare organizations and acts as a vehicle for sharing cyber threat information between healthcare organizations and the government. The signing of the White House Cybersecurity Executive Order in February 2013 has added to the awareness and sensitivity of the risks associated with cyber threats and the escalating need for cybersecurity preparedness, according to HITRUST.

The HITRUST Cybersecurity Working Group was established to review the CSF and ensure the controls fully incorporate best practices consistent with the various risk factors related to cybersecurity for healthcare organizations. Given the increasing volume, sophistication and risks associated with cyber attacks perpetrated on healthcare organizations and increased awareness by legislators and regulators, HITRUST believes there is real value in providing additional guidance to organizations wanting to review their current level of preparedness, according to the group.

With this guidance, organizations not yet assessing themselves against all the CSF controls will be able to focus immediately on the specific set of CSF controls that are highly related to cybersecurity. They will then be well positioned to complete a full CSF assessment in the future.

The working group will meet at HITRUST’s annual conference in May 2013 to receive industry comments and finalize the guidance. HITRUST does not expect significant changes to the guidance and is releasing the guidance in its current state so that organizations are not delayed in assessing their cybersecurity preparedness. The working group is also responsible for coordinating the submission of HITRUST’s recommendations to the National Institute of Standards and Technology (NIST) relating to the development of a national Cybersecurity Framework as outlined in the Executive Order.

Organizations can download a white paper published by HITRUST that describes a basic risk management framework (RMF) and details the HITRUST RMF. 

The new cybersecurity guidance is available for review via HITRUST Central.
