More options, no resolution on bridging public and private sector security standards

As regularly noted in this space, one of the big points of disagreement in attempts to achieve greater levels of information integration, particularly health information exchanges, is how to reconcile disparate security and privacy standards in place that apply to government agencies and private sector entities (FISMA still being touted as best security for health information exchange; No point in asking private entities to comply with FISMA). The debate has been cast most often as one about where to draw the boundaries where the detailed security control requirements and other obligations to which federal agencies are bound under FISMA. When information exchanges involve data transmission from the government to private entities, the law is only clear in cases where the private entity is storing or managing information on behalf of the government. When the intended use of the data is for the private entity’s own purposes (with the permission of the government agency providing the data), the text of the FISMA legislation is pretty clear that the private sector entity is not bound by its requirements, but the agency providing the information still has obligations with respect to the data it sends out, at the time of transmission and after the fact.

At the most recent meeting of the ONC’s Health IT Standards Committee on November 19, federal executives including VA Deputy CIO Stephen Warren and CMS Deputy CISO Michael Mellor spoke of the need to beef up federal information systems security protections when those systems will be connected to non-government systems, and again endorsed the position that government security standards under FISMA are more strict than equivalent standards that apply to private sector entities, including those prescribed by HIPAA. In the past year, despite the creation of a government task group formed specifically to address federal security strategies for health information exchange, there has been little in the way of resolution in terms of arriving at a common set of standards that might apply to both public and private sector entities involved in data exchange.

An interesting entrant into this arena is the Health Information Trust Alliance (HITRUST), a consortium of healthcare industry and information technology companies that aims to define a common security framework (CSF) that might serve as the point of agreement for all health information exchange participants. Ambitious, to be sure, but the detail provided in the CSF itself and the assurance process that HITRUST has defined for assessing the security of health information exchange participants and reporting compliance with the framework should serve as at least as a structural model for the security standards and governance still under development for the Nationwide Health Information Network (NHIN). The HITRUST common security framework has yet to achieve significant market penetration, especially in the federal sector, perhaps in part due to the initial fee-based business model adopted by the Alliance for the CSF. In August of this year HITRUST announced that it would make the CSF available at no charge, and launched an online community called HITRUST Central to encourage collaboration on information security and privacy issues in the health IT arena. (In the interest of full disclosure, while has no affiliation with HITRUST, some of our people are registered with HITRUST Central.) The point here is not to recommend or endorse the CSF, but simply to highlight that there is a relevant industry initiative focused on some of the very same security issues that are being considered by the Health IT Policy Committee and Health IT Standards Panel.