HITRUST outlines priorities in fight against cyber threats

Healthcare organizations' highest priorities for cybersecurity should include use of cryptography, isolation of highly sensitive information and creation of a reporting system for breach events to meet what is being described as a rising threat by data and identity thieves, according to an early draft of guidelines released Monday by the HITRUST security alliance.

Even the highest priority tasks identified in the guidance create a long list of systems and policies to review and implement, but time is of the essence, according to the Frisco, Texas-based alliance of health plans, provider organizations and health technology and security companies.

“As predicted, HITRUST has seen a marked increase in the frequency and sophistication of cyberattacks targeted at healthcare organizations,” HITRUST CEO Daniel Nutkis said in a news release.

“What is raising concerns is the amount of personal health information misappropriated from health plans and providers that is for sale on the various hacker forums,” Nutkis said. “As the sophistication and intensity of cyberattacks increases, HITRUST believes it is more critical than ever that healthcare organizations have the appropriate safeguards in place and a means by which to review their current level of preparedness.”

The five-page guidance is an early release of the work product of HITRUST's Cybersecurity Working Group, which was formed in February after President Barack Obama issued an executive order outlining a national effort to defend against cyberthreats.

The guidance relies on the organization's already developed Common Security Framework, ordering its 135 security “controls” so that the top 50 are deemed “most relevant” for preventing cyberattacks, while the remainder are ranked “relevant” and “least relevant,” to such intrusions. Some of the high-priority issues recommended by HITRUST include having in place policies and programs on the use of cryptography, a reporting system for breach events, audit logging, information awareness and security training, access controls and the removal of access, and isolation of highly sensitive information.

The workgroup will meet at and incorporate public comments into the guidance at HITRUST's annual meeting in May, and then submit its recommendations to the National Institute of Standards and Technology, which has been ordered by the president to “lead the development of a framework to reduce cyber-risks to critical infrastructure.”

Only a small percentage of major healthcare-data breaches on a public list kept since 2009 by the Office for Civil Rights at HHS have been attributed to hacking, but some of those that have been the work of hackers have been ominous. In 2012, for example, hackers traced to computers in Eastern Europe broke into government computers in Utah and compromised the Medicaid and Children's Health Insurance Program records of 780,000 people.

Follow Joseph Conn on Twitter: @MHJConn