HITRUST Roadmap for Improving Security


Industry leaders convene working group to address growing concerns over health information systems and medical device security by establishing a Health Information Technology (HIT) framework for vulnerability avoidance, reporting, and mitigation

The Health Information Trust Alliance (HITRUST) announced the establishment of a working group whose mission is to improve the overall security of and trust in Health Information Technology (HIT) including systems and medical devices. The goal of the program is to avoid, report, and mitigate vulnerabilities.

Today there is not a standard means for recognizing and sharing vulnerabilities and there are no standard processes for sharing best practices to eliminate or mitigate these vulnerabilities. In light of recent cyber attacks and other malicious activities, the healthcare industry has a particular obligation to ensure consumer confidence in the healthcare system. Titled the Health Information Technology (HIT) and Medical Device Integrity and Security Program, the working group will be comprised of health information technology vendors, medical device manufacturers, and health information systems users.

“Given the pace and complexities associated with protecting these systems, the private sector, not the government, should step up to manage this process. It needs to be practical and pragmatic, done quickly and with the flexibility required to match the rapidly evolving market,” said David Muntz, senior vice president and chief information officer, GetWellNetwork and former principal deputy national coordinator and chief of staff, Office of the National Coordinator (ONC). “There is too much riding on the effectiveness and acceptance of these systems and we must ensure we maintain consumers’ confidence.”

The working group will canvass the industry to ensure that the efforts of the program will leverage and complement existing clinical safety reporting capabilities, standards and best practices. With a specific focus on the HIT elements of healthcare, the working group will:

  • Create communications to
    • address growing concerns over the security and reliability of health information systems
    • raise awareness about the individual’s role in system usage
    • increase the trust of the public in the HIT sector as it relates to privacy, security, confidentiality, and reliability
  • Develop a framework to help avoid, report, and mitigate vulnerabilities
  • Identify and document security-related issues, challenges and concerns beginning with ideation into the system development life cycle through implementation, maintenance, and ending with migration or system retirement
  • Convene subgroups to establish guidelines, best practices and recommendations
  • Develop a means to monitor and report on progress of the program as measured by the impact on the national HIT environment and the attitudes of the public

“Children’s Health is committed to securely connecting the patient data ‘dots’ so we may deliver clinical information to the patient’s full care team, including those outside of Children’s network. We must work together to attain security of this data – a more secure environment begins with vulnerability awareness. This working group will help establish standard vendor vulnerability communication steps. With this knowledge, Children’s and others can add safeguards to increase the safety of patient data and promote the flow of clinical information across the continuum of care,” said Pamela Arora, senior vice president and chief information officer, Children’s Health.

The growing dependence upon HIT in an increasingly complex healthcare system combined with the explosion of medical data, both personal and institutional, is creating new challenges in handling health information. This growth in collected data is also mirrored by the release of data from universities, research centers, and other evidence-based investigators. In response there is universal agreement among leaders across the healthcare ecosystem – patients and families, providers, payers, and vendors – that more must be done to provide efficient, safe, and secure access to information.

“Those of us who commit our careers to improving healthcare through technology share a common responsibility to the patients we care for to ensure the highest level of privacy and trust in regard to use of their data,” said Carl Dvorak, president, Epic Systems Corporation. “It is paramount that we establish industry-wide standards by which we measure our actions and our results with transparency. Epic supports high standards and full transparency to ensure that healthcare automation can be deployed in a trustworthy manner to reduce overall healthcare expenditures in our country while simultaneously improving patient outcomes and creating patient centered technologies.”

“The benefits in terms of effectiveness and efficiencies to industry from this group will be both short and long term, from better requirements and guidance to timely and consistent vulnerability reporting and disclosure, to name a few,” said Daniel Nutkis, CEO, HITRUST. “We will take into account risks and threats to industry in prioritizing the deliverables.”

To oversee the new program a Steering Committee has been formed. Charter members include:

  • Karl Stubelis, Vice President, Athenahealth
  • Pamela Arora, Senior Vice President and Chief Information Officer, Children’s Health
  • Carl Dvorak, President, Epic Systems Corporation
  • David Muntz, Senior Vice President and Chief Information Officer, GetWellNetwork
  • Daniel Nutkis, Chief Executive Officer, HITRUST Alliance
  • Michael Wilson, Vice President and Chief Information Security Officer, McKesson Corp.
  • Cara Babachicos, Corporate Chief Information Officer, Community Hospitals and Non-Acute Entities, Partners Healthcare
  • Sara Coulter, Vice President Industry Relations, Philips Healthcare
  • Liz Johnson, Chief Clinical Informaticist and Vice President, Applied Clinical Informatics, Tenet Healthcare Corporation
  • Tony Gilman, Chief Executive Officer, Texas Health Services Authority

“We are in an era where the use of the cloud and mobility for Health Information Technology delivery is allowing greater access to health care and wellness at a lower cost. Conversely the need to balance this benefit with the privacy, security and reliability concerns of patients is paramount. To help achieve this balance, McKesson welcomes the opportunity to participate in the working group to develop tailored health industry approaches to reduce the occurrence of vulnerabilities in health information technology and medical devices,” said Michael Wilson, vice president and chief information security officer, McKesson Corporation.

The steering committee will provide a plan outline in the next 90 days with the specific goals and a schedule for the year. The working group will complete the initial phase of the industry survey by the end of Q2 2015. Further solicitations for participation are forthcoming. To be notified for participation visit: http://hitrustalliance.net/working-group-signup/.

Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry. For more information, visit www.HITRUSTalliance.net.
