HITRUST and Children’s Health Help Healthcare Organizations Across North Texas Fight Growing Cyber Threats

80 North Texas physician practices first to participate in HITRUST CyberAid

HITRUST (@HITRUST) and Children’s Health℠ (@ChildrensTheOne), the leading pediatric health care system in North Texas, are working together to launch HITRUST CyberAid in an effort to help smaller healthcare organizations—specifically physician practices with fewer than 75 employees—address growing cyber risks and information protection challenges by providing them with a cyber security solution designed to support their small business environment. These organizations represent a crucial component in protecting today’s healthcare ecosystem and are struggling to deploy effective information security technologies and employ effective security management practices.

The increase in ransomware and other cyber threats targeting smaller healthcare organizations and the devastating impact that a breach can have on a physician practice and its patients – combined with a greater reliance on electronic and networked information systems and the demands by federal and state regulations to protect patient information – has increased the urgency to address these cyber risks.

As an organization engaged in cyber risk management and an Information Sharing and Analysis Organization (ISAO), HITRUST is in a unique position to evaluate the gaps in cyber security controls and the challenges in remediating these gaps at smaller healthcare organizations. Over the past several years, HITRUST has made public findings indicating that these organizations are struggling with the selection, acquisition, implementation, operation, and training associated with information security tools and processes necessary to demonstrate compliance and manage cyber risk. For these reasons, activities like participation in cyber information sharing are unrealistic and impractical.

“As a small physician practice with limited IT support, I rest easier knowing that CyberAid monitoring is in place. Having this level of protection allows me to maintain my focus on caring for patients, while also ensuring their data is protected,” said Mary Jean Strength, MD, Waxahachie, Texas.

CyberAid was created with the mission to identify the right cyber solutions for these organizations at the right price point. CyberAid evaluates and identifies solutions and processes that can be implemented, managed and operated cost effectively by organizations with limited technical and financial resources, while ensuring they meet the security control requirements and provide an effective level of cyber threat protection.

CyberAid only selects solutions that support and align with broader industry objectives, such as the ability for organizations to automatically consume and contribute indicators of compromise (IOCs) with the HITRUST Cyber Threat XChange (CTX) in a manner that is transparent to the participating organization. CyberAid also addresses the complexities that small healthcare organizations face in collecting technical information for a HITRUST CSF security assessment by requiring APIs be made available from vendors to automate the collection of this information.

HITRUST also announced that Children’s Health is the first provider partner working to inform the physician community on the importance of information security, helping engage small physician practices in the CyberAid program and gauge their satisfaction with the program’s results.

“Our organization hosts private physician practices on our electronic medical record (EMR) system. Supporting this program enables us to more fully protect our organization, these physician practices and their patients from risks associated with cyber threats,” said Pamela Arora, senior vice president and chief information officer, Children’s Health.

Initially, 80 physician practices ranging from two to 15 physicians are deploying a HITRUST CyberAid offering consisting of installation assistance, hardware, software, monitoring services, training, and support. HITRUST will conduct ongoing measurement of the program’s effectiveness through evaluation of these package components:

  • Ability to mitigate cyber risks
  • Practicality of use within small organizations
  • Capacity to support cyber threat information sharing of IOCs
  • Proficiency in facilitating routine, streamlined security assessments
  • Acquisition and maintenance affordability

HITRUST has engaged and evaluated information security vendors to ensure these solutions are providing the required technical and operational capabilities needed to deliver the expected results over time in a cost-effective manner. Through its collaboration with vendors and its work with the physician community to understand the cost considerations, HITRUST has defined the optimum price points in the range of $25 to $60 per user, per year for a complete CyberAid package.

“Identifying solutions that address current and evolving cyber threats—not to mention implementing and managing these solutions—is daunting for a small practice,” said Pete Perialas, senior vice president and chief strategy officer, Children’s Health. “Participating in current models of cyber threat sharing can be prohibitive, whereas CyberAid puts these levels of protection within reach.”

The initial technology and service bundle was selected after in-depth evaluation and includes a Trend Micro cloud-hybrid network security appliance, Trend Micro endpoint security software (supporting Windows, Mac OS X and mobile devices running Android and iOS), installation assistance and monitoring services. In addition, recovery support relating to incidents will be made available. It is anticipated that additional CyberAid packages will be added with other security vendors in the future to expand the available choices.

The initial 80 physician practice deployments are underway and are expected to be completed within the next three months. HITRUST and Children’s Health will be evaluating the effectiveness, usability, and satisfaction on an ongoing basis.

Beginning in September 2016, HITRUST will allow physician groups across the US to subscribe to the service and will engage with other hospitals, health systems and health plans throughout the country to expand the program nationally and ensure physician practices across the country are aware of the CyberAid offering.

“Effectively addressing cyber security challenges, engaging in cyber information sharing and streamlining the HITRUST CSF Assessment process for physician practices have been a goal of HITRUST,” said Daniel Nutkis, CEO, HITRUST. “This program is a big step forward towards those goals.”

To sign up to be notified when the service is available nationally or to learn how you can support the program locally, please visit this website.

About Children’s Health
Children’s Health℠ is the eighth-largest pediatric health care provider in the nation and the leading pediatric health care system in North Texas, providing a full spectrum of health care services—from daily wellness and primary care to specialty visits and critical care. Holding eight disease-specific care certifications from The Joint Commission, Children’s Health has been consistently named one of the nation’s top pediatric providers by U.S. News & World Report. The Children’s Health system includes the flagship hospital Children’s Medical Center Dallas, as well as Children’s Medical Center Plano, eight specialty centers, 20 Children’s Health Pediatric Group primary care practices, nine Our Children’s House rehabilitation facilities, home health, physician services and the Children’s Medical Center Research Institute at UT Southwestern.

About HITRUST
Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST – in collaboration with public and private healthcare technology, privacy and information security leaders – has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry.