A new healthcare auditing program is designed to help smaller physician practices ensure that their electronic healthcare records are safe and secure.

Developed by San Francisco-based nCircle and the Health Information Trust Alliance (HITRUST), the HITRUST Security and Configuration Auditing Service is designed to scan a provider’s IT systems for known vulnerabilities, identifying the highest risks in the network, and provide guidance on how to bring the systems up to date.

“It’s a simple scan that’s very low-cost and easy to set up,” said Abe Kleinfeld, nCircle’s CEO. “Most smaller (healthcare providers) haven’t been doing anything at all to protect their systems, and we’re reaching a point where that’s just not acceptable.”

The Web-based software is designed to bring healthcare providers into compliance with such industry standards as the federal HITECH Act and HIPAA, as well as establishing HITRUST certification against the Common Security Framework. HITRUST developed the CSF to provide healthcare organizations with a consolidated accountability standard.

“It starts with knowing where you are today,” said Dan Nitkis, HITRUST’s CEO. “Larger organizations already have the ability to know what they need (to affect compliance), but a lot of the smaller groups don’t know and don’t have the resources. They don’t know any better and they don’t know what they don’t know.”

“HITRUST developed the CSF in collaboration with healthcare, business, technology and information security leaders and in doing so consolidated requirements from the HITECH Act, HIPAA, PCI and NIST, effectively establishing an accountability standard for all U.S. healthcare organizations," said Steve Katz, president of Security Risk Solutions LLC, in a press release announcing the new service. "Now, introducing this scanning service significantly reduces the complexity of healthcare compliance. By creating this affordable service, HITRUST is helping accelerate the process of making secure electronic health records a reality.”

Among the beta testers for the auditing service was HealthCare Partners, a network of California-based physician practices. Leo Dittemore, the group’s director of IS security administration, said the group had used its own home-grown scanning services and other software, but realized it needed something more definitive.

“We know our system is attacked every day,” he said. “We also know that most break-ins happen because people don’t keep their systems up-to-date.”

“The vast majority of breaches occur through simple mistakes,” added Kleinfeld, who cited a Verizon study undertaken in 2007 that indicated 87 percent of all data breaches could have been avoided with reasonable security measures in place. “The level of sophistication in healthcare is incredible, which is why it’s so important to take a look at the best practices that are out there and to at least have a basic (auditing) system set up.”