“The sensitive nature of the information being shared makes its security paramount,” said Mark Jacobs, DHIN's chief information officer, in a press release. “Completing HITRUST Certification will give practitioners, payers and consumers added assurance that DHIN takes every precaution to protect the clinical information that flows through the exchange.”
Seeking certification is also an opportunity to collaborate and share best practices and tools, explained Mark Ferrari, chief information security officer for BluePrint. HITRUST is a private company governed by an executive council composed of health-care organizations from around the nation, such as Kaiser Permanente and UnitedHealth Group.
HITRUST touts its framework as the most widely adopted in the U.S.
“This commitment and expertise demonstrated by HITRUST ensures that health-care organizations leveraging the framework are prepared when new regulations and security risks are introduced,” the company website reads.
But support for HITRUST and its certification is not universal.
In an open letter to the HITRUST Alliance written and posted to LinkedIn last year, a network security professional named Kamal Govindaswamy questioned the usefulness of the HITRUST CSF, describing it as “cumbersome, expensive, arbitrary, unnecessarily complex” and using “outdated data.”
The letter prompted 16 responses from commenters, including one from David Finn, health IT officer at Symantec and a member of the HHS Healthcare Industry Cybersecurity Task Force.
“Well thought out and said,” Finn said of Govindaswamy’s letter. “And, frankly, past due. I don't understand how HITRUST is able to continue to portray alignment with and endorsement by NIST, OCR, HHS and others. The emperor may not be naked, but is certainly very scantily clad.”
DHIN officials said the organization is expected to pass certification by June 2017.