The "RISKY BUSINESS" Blog


HITRUST (Is it Information Assurance if you don't trust the Alliance?)

Posted by John Verry on Fri, Aug 28, 2009 @ 04:50 PM

Call me jaded, but my level of distrust goes up when an organization:

  • Pronounces itself as the "Information Security" guardian of an industry segment
  • Develops a "proprietary" framework/standard that it rationalizes based on the uniqueness of the industry
  • Develops its own certification programs and charges exorbitant fees to qualify entities for certification

Perhaps I am just cynical based on our mutual experience with the "Payment Card Industry Standards Council" and the PCI-DSS program, which has only succeeded in reducing the risk to the payment brands at the expense of the merchants and the card owners.

My lack of trust in all things PCI-related is well illustrated by the recent "gift card" I gave to my nephew for graduating high school. He called me embarrassed to report that the card balance was zero and that the credit card company had told him that it had already been used. After a considerable time on the line the credit card company finally "admitted" that the card had been used five days prior to my purchasing it. If the credit card companies can't prevent/detect this proactively, what faith can we have in them or their ability to govern?

On learning of HITRUST I was hopeful that it would be different. But at first blush it looks like they have stolen a page or two out of the Payment Card Industry Standards Council playbook. For example, the costs involved for a consulting/auditing firm to be "qualified" exceed $20,000. Initially the standard was only available at a significant cost. On a more positive note, the Alliance recently announced that the Common Security Framework (the standard) will now be available for free (however, after 30 minutes on the site today, I still can't find it).

Hopefully, I am wrong and HITRUST will be a shining beacon for Information Assurance, but I'm not so sure. I would rather have a comprehensive, non-industry-specific standard (e.g., ISO 27001) achieve sufficient status that these entities don't feel the need to develop proprietary standards. The benefits would be significant.


COMMENTS

Good comments, but how can we get companies to adopt ISO 27001 in US?

posted @ Tuesday, September 01, 2009 9:34 AM by Frederick Scholl


I think the adoption rate is rising faster than most people realize. What will ultimately determine the short term success of 27001 is the number of organizations requesting it as a form of third party attestation.

Longer term, its success will be determined by the trustworthiness of the certifying bodies and the organizations using the standard.

posted @ Tuesday, September 01, 2009 10:19 AM by John Verry


HITRUST is a prescriptive unified compliance framework, which actually incorporates ISO 27001, COBIT, NIST and other best practices frameworks as well as specific compliance requirements relevant to the health care industry, e.g., HIPAA as interpreted by CMS and NIST, PCI-DSS, and of course the new ARRA/HITECH requirements. So it does borrow from quite a few "play books", which it should: good security is good security. It's also produced by an alliance of health care payers, providers and vendors, so the HITRUST CSF is indeed designed FOR health care BY health care. (Btw, anyone who doesn't think health care--especially on the provider side--is unique has never worked in health care.) And the costs of adoption and certification are no greater than what one might experience with PCI-DSS or even ISO 27001. My biggest issue with ISO 27001 is the lack of prescription and subsequent uniformity in the evaluation and certification against the standard. HITRUST attempts to address this problem, and I for one wish them the very best in their efforts.

posted @ Wednesday, December 23, 2009 1:43 PM by Bryan Cline


Does anyone know the fees HITRUST charges for client engagements and/or the process whereby it certifies its assessors?

posted @ Tuesday, March 02, 2010 8:00 AM by Roger

