The Health Information Trust Alliance (HITRUST) announced its plans to support the healthcare industry in 2011 and beyond with initiatives aimed at maintaining the comprehensiveness and relevance of the Common Security Framework (CSF) and CSF Assurance program.

HITRUST has identified a number of key areas, including cloud computing, data protection, health information exchanges (HIEs), mobile devices and authentication management, that it will focus on in 2011, in addition to making necessary updates relating to relevant federal and state regulations and security standards.

These updates and enhancements will influence not only the CSF and other HITRUST programs, but also the guidance offered to the industry, government agencies, software developers and hardware manufacturers. HITRUST will also work to ensure the CSF is being adopted by the entire industry with an emphasis on outpatient, long-term, ambulatory and home health provider organizations.

"From HITRUST's inception, Humana has helped shape and drive its vision to meet a critical need with a comprehensive framework that enables any organization to meet evolving security standards and regulations," said Jon Moore, chief information security officer, Humana Inc. "In just four years, HITRUST has enabled the healthcare industry's broad adoption of the CSF. We look forward to contributing to future programs that drive greater efficiencies in healthcare information security."

The CSF remains the de facto standard for information security in the healthcare industry, and HITRUST has seen during the past 12 months continued adoption of the CSF across the entire industry with adoption by hospitals at 62 percent and health plans above 500,000 members at 74 percent. HITRUST has also seen significant growth in participation in the CSF Assurance program as more organizations begin to assess their own security environments, many doing so to satisfy meaningful use requirements.

One of the added benefits from the increase in CSF assessments is access to accurate data on a broad set of information security aspects. Unlike historical reporting which was survey based, HITRUST is able to collect information directly from CSF assessments, thereby increasing the accuracy and granularity of the data collected. HITRUST will use the summary data to regularly publish content on various industry trends and insights.

In addition, the CSF Assurance program continues to be the most widely utilized program for assessing the security posture of business associates and managing third-party compliance. Organizations, including providers, insurers and service providers, have obtained CSF Certified status, demonstrating the industry's ability to meet the requirements and commitment to protecting health information.

The number of healthcare organizations requiring their business partners be assessed against the CSF has also been larger than expected, and HITRUST anticipates that trend will continue throughout 2011. In January 2011, 11,000 organizations received requests for CSF assessment reports.

"As a home health provider, we saw the value of adopting the CSF as a comprehensive security framework, but felt a few of the risk factors did not align with the environment of a home health organization," said Sanjeev Sah, information security officer, Amedisys. "We shared our feedback with HITRUST and were pleased to have HITRUST review and ultimately agree with our suggestions. We look forward to continued collaboration and helping to ensure the CSF addresses the needs of home health organizations."

The importance of industry participation from organizations such as Amedisys and others is the driving force behind the creation of HITRUST working groups that are charged with identifying and documenting enhancements to CSF controls as well as facilitating industry collaboration and recommendations.

Click on the next page to read about the four focus areas for 2011.