Healthcare organizations must navigate a thick web of data security, privacy, and risk management requirements. The variety of standards, overlapping or inconsistent regulations, and ongoing legislation add layers of complexity unique to data security in the healthcare sector.

In response to this challenge, a few dominant industry players formed the Health Information Trust Alliance (HITRUST) and adapted disparate standards, multi-jurisdictional regulations, and diverse best-practice methodologies specifically to healthcare. The Common Security Framework (CSF) they developed is now a widely adopted standard for healthcare information security. With the CSF, HITRUST does the “heavy lifting” that many organizations don’t have the resources to perform themselves.

Determining appropriate levels of due diligence and specific safeguards to implement requires a comprehensive risk analysis consisting of:

  • A threat and vulnerability analysis (often referred to as “threat modeling”);
  • An information valuation;
  • A defined set of information security and privacy controls addressing the risk factors identified in the threat and vulnerability analysis.

An internal risk analysis must also be cost-effective and provide the organization an acceptable level of security. Performed from scratch, such an analysis drains the resources of most organizations beyond what is reasonably possible. The solution for many is adoption of an external Risk Management Framework (RMF). The NIST RMF (NIST SP 800-37), for example, provides structure and guidance that helps federal agencies assess and reduce the risk to their information systems.

As stated in this