The "RISKY BUSINESS" Blog

HITRUST (Is it Information Assurance if you don't trust the Alliance?)

Posted by John Verry on Fri, Aug 28, 2009 @ 04:50 PM
Call me jaded but my level of distrust goes up when an organization:

  • Pronounces itself as the "Information Security" guardian of an industry segment
  • Develops a "proprietary" framework/standard that it rationalizes based on the uniqueness of the industry
  • Develops its own certification programs and charges exorbitant fees to qualify entities for certification

Perhaps I am just cynical based on our mutual experience with the "Payment Card Industry Standards Council" and the PCI-DSS program, which has only succeeded in reducing the risk to the payment brands at the expense of the merchants and the card owners.

My lack of trust in all things PCI-related is well illustrated by the recent "gift card" I gave to my nephew for graduating high school. He called me, embarrassed, to report that the card balance was zero and that the credit card company had told him that it had already been used. After a considerable time on the line, the credit card company finally "admitted" that the card had been used five days prior to my purchasing it. If the credit card companies can't prevent/detect this proactively, what faith can we have in them or their ability to govern?

On learning of HITRUST I was hopeful that it would be different. But at first blush it looks like they have stolen a page or two out of the Payment Card Industry Standards Council playbook. For example, the costs involved for a consulting/auditing firm to be "qualified" exceed $20,000. Initially the standard was only available at a significant cost. On a more positive note, the Alliance recently announced that the Common Security Framework (the standard) will now be available for free (however, after 30 minutes on the site today, I still can't find it).

Hopefully, I am wrong and HITRUST will be a shining beacon for Information Assurance, but I'm not so sure. I would rather have a comprehensive, non-industry-specific standard (e.g., ISO 27001) achieve sufficient status that these entities don't feel the need to develop proprietary standards. The benefits would be significant.

COMMENTS

Good comments, but how can we get companies to adopt ISO 27001 in US?

posted @ Tuesday, September 01, 2009 9:34 AM by Frederick Scholl


I think the adoption rate is rising faster than most people realize. What will ultimately determine the short-term success of 27001 is the number of organizations requesting it as a form of third-party attestation.

Longer term, its success will be determined by the trustworthiness of the certifying bodies and the organizations using the standard.

posted @ Tuesday, September 01, 2009 10:19 AM by John Verry


HITRUST is a prescriptive unified compliance framework, which actually incorporates ISO 27001, COBIT, NIST and other best practices frameworks as well as specific compliance requirements relevant to the health care industry, e.g., HIPAA as interpreted by CMS and NIST, PCI-DSS, and of course the new ARRA/HITECH requirements. So it does borrow from quite a few "play books", which it should: good security is good security. It's also produced by an alliance of health care payers, providers and vendors, so the HITRUST CSF is indeed designed FOR health care BY health care. (Btw, anyone who doesn't think health care--especially on the provider side--is unique has never worked in health care.) And the costs of adoption and certification are no greater than what one might experience with PCI-DSS or even ISO 27001. My biggest issue with ISO 27001 is the lack of prescription and subsequent uniformity in the evaluation and certification against the standard. HITRUST attempts to address this problem, and I for one wish them the very best in their efforts.

posted @ Wednesday, December 23, 2009 1:43 PM by Bryan Cline


Does anyone know the fees HITRUST charges for client engagements and/or the process whereby it certifies its assessors?

posted @ Tuesday, March 02, 2010 8:00 AM by Roger


I agree with the comment about looking closely at organizations that provide this type of guidance. The one thing that I can say about HITRUST is that the management team is excellent and includes people with substantial experience in the field. Ken Vanderwal, for instance, is one of the most knowledgeable guys in this field. Their ability to make some of the existing guidance more relevant and easier to implement is definitely a value-add to existing frameworks.

posted @ Friday, March 26, 2010 8:47 AM by Scott Whitsitt
