URAC and NIST form workgroup to assess impact of security requirements on health care operations

Washington D.C., 23 December 2002. A new effort is underway in the USA to facilitate the identification and implementation of best practices in health care for information security requirements. To this end, the Security Healthcare Certification and Accreditation Workgroup has been convened and will bring together a wide array of key stakeholders from the public and private sectors in hopes of developing a more uniform approach to security assessments. The Workgroup held its first meeting in December 2002 to identify a 2003 work plan, including the review of the recently published draft security guidelines by the National Institute of Standards and Technology (NIST) and the new Security Rule as authorised by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.


"Through a series of monthly, open forum meetings, the Workgroup will establish an ongoing dialogue to address issues relevant to security health care systems and IT applications", stated Garry Carneal, URAC's president and CEO. "Participants at the Workgroup's first meeting, held on December 10, 2002 at URAC headquarters in Washington D.C., agreed that the group's primary mission is to achieve a broad consensus on a uniform approach to security practices and assessments in health care."

The Workgroup also is intended to serve as a resource for the health care community by developing white papers, drafting crosswalks, and participating in educational programmes. Ultimately, the Workgroup hopes to promulgate a common set of health care security standards that will cover security policies, procedures, controls, and auditing practices.

The Workgroup will have its next meeting on January 10, 2003 at NIST in Gaithersburg, Maryland, where the Workgroup will facilitate a health care sector review of the recently released draft NIST Special Publication 800-37, "Guidelines for the Security Certification and Accreditation of Federal Information Technology Systems". This document describes a comprehensive process for certification (the extent to which a particular IT system design or implementation meets a set of specified security controls) and accreditation (the approval to operate and acceptance of residual risk). The Workgroup will provide NIST with feedback on the document's applicability to the health care sector.

"I am excited that NIST and URAC can facilitate a dialogue through the Workgroup next year to promote the standardisation of existing and emerging security requirements", stated Dr. Ron Ross, director of the National Information Assurance Partnership at NIST. "We hope that the new NIST guidelines under development can lead to more uniform ways in which to specify security controls for IT systems in the health care sector, as well as more consistent and repeatable methods to assess the effectiveness of those controls."

Meeting co-ordination and support for the Workgroup is provided by URAC and NIST. Lisa Gallagher, incoming senior vice-president at URAC, and Arnold Johnson, manager of Security Certification and Accreditation Assessment at NIST, will serve as the Workgroup co-chairs.

Founded in 1901, NIST is a non-regulatory federal agency within the United States Commerce Department's Technology Administration. NIST's mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. NIST responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems.

URAC provides accreditation of health and managed care organisations. Founded in 1990, URAC currently offers 14 accreditation programmes that span a broad spectrum of health care services. URAC has issued over 2300 accreditation certificates to more than 500 health care programmes. URAC-accredited organisations do business in all 50 states, the District of Columbia, Puerto Rico, and Canada and provide services to more than 120 million people.

To sign up as an interested party to the Workgroup, please log on to the URAC Web site and follow the sign-up instructions. All Workgroup meetings are open to the public. More news on URAC is available in the VMW December 2002 article "New URAC book dispels myths surrounding HIPAA security standards".

Leslie Versweyveld
