HITRUST, ISC2 to Create Credential Program for Health Care Data Security

HITRUST and security association ISC2 will create a credential program to certify professionals in prevention of health care data breaches.

The Health Information Trust Alliance (HITRUST), an organization that helps the health industry protect patient data, and the International Information Systems Security Certification Consortium (ISC2), a security association, have unveiled plans to develop a credentials program to certify IT professionals in securing patient information.

Announced on Dec. 12, the collaboration will create metrics that determine the qualifications of IT security professionals. HITRUST and ISC2 will hold a credential-building workshop in January 2013 to identify job requirements and skills needed by health IT professionals to keep patient data secure.

Executives from the U.S. Department of Health and Human Services, University of Pittsburgh Medical Center and Children's Hospital of Philadelphia will help develop the credentialing program. Representatives from pharmacy benefit management service Express Scripts and health IT software company McKesson will also participate.

"Health care IT professionals are at a critical juncture," W. Hord Tipton, executive director of ISC2, said in a statement. "With the move to electronic health records, complex regulations to adhere to and sophisticated cyber-security threats knocking at their doors, they have no choice but to improve their security skills and knowledge."

Despite a strengthening of the data privacy laws for the Health Insurance Portability and Accountability Act (HIPAA) in 2009 under the Obama administration's Health Information Technology for Economic and Clinical Health (HITECH) Act, data breaches continue to be a threat, according to HITRUST.

When health care providers violate HIPAA, they're liable for up to $1.5 million in fines from the federal government. Since the HITECH Act went into effect, 495 breaches had been reported as of Oct. 1, according to HITRUST's report "A Look Back: U.S. Healthcare Data Breach Trends," released earlier this month.

Security professionals require guidance in identifying the skills needed to protect patient data, the two organizations reported.

"Through this cooperative relationship, HITRUST and ISC2 will work together to ensure information security professionals working in health care have the required skills to be successful within their organizations and careers," Daniel Nutkis, CEO of HITRUST, said in a statement. "Our experience has shown us that organizations with more knowledgeable security professionals manage information risks better and have more advanced information security programs."

ISC2's Tipton agreed with the need for training to enhance health care data security.

"We believe that an organization's privacy and security programs are significantly enhanced when properly trained and experienced individuals are involved," Tipton said in a statement. "Our new relationship with HITRUST underscores our joint commitment to address this problem and improve not only the skills of health care information security professionals, but also cyber-security professionalization," said Tipton.

Cyber-security is a growing issue in health care, particularly with malware able to infect medical equipment.

In its December 2012 report on data breach trends, HITRUST revealed a drop in the number of data breaches per quarter since 2009, despite the continuing security threat.

Theft was the leading cause of breaches in the HITRUST report, and laptops are a particular target.

In August, Cancer Care Group, an oncology practice in Indianapolis, announced that 55,000 individuals, including patients and employees, were affected when a laptop computer bag was stolen from a worker's locked vehicle. Server backup media in the bag included patients' names, addresses, Social Security numbers, dates of birth, medical record numbers and insurance information.

Independent physician practices and specialty clinics are impacted the most by breaches, HITRUST reported. Meanwhile, hospitals and large health systems showed a 46 percent decline in breaches from 2010 to 2011, and HITRUST predicted a 36 percent decline from 2011 to 2012.