EHNAC, HITRUST Partner to Promote Security, Privacy Standards

The Electronic Healthcare Network Accreditation Commission (EHNAC) and HITRUST announced a partnership to enhance security and privacy requirements under the Trusted Network Accreditation Program (TNAP).

EHNAC assesses organizations through TNAP with the goal of promoting interoperability and ensuring alignment with the Trusted Exchange Framework and Common Agreement (TEFCA). The Office of the National Coordinator for Health Information Technology (ONC) published TEFCA in January 2022 to support health information exchange.

EHNAC and HITRUST will leverage the HITRUST CSF to ensure that TNAP’s privacy and security requirements align with TEFCA requirements.

"EHNAC and HITRUST are committed to ensuring that all organizations are able to adhere to the latest best practices and standards in privacy and security while meeting federal and state compliance mandates," Lee Barrett, executive director and CEO of EHNAC said in the announcement.

"That's why it's critical for programs like TNAP to have the support of leading Standards Development Organizations. The value add to the program is immeasurable when ensuring stakeholder-trust in today's complex and cyber risk-based healthcare ecosystem."

The HITRUST CSF helps healthcare organizations manage risk and address HIPAA compliance, security, and privacy challenges.

"Incorporating HITRUST r2 Certification as a requirement of TNAP enables organizations that may rely on a TNAP accreditation to know that the accreditation's standards for privacy and security are appropriate given the risk posed and compliance requirements.” Steve Baram, executive vice president of customer engagement at HITRUST explained.

“This is of utmost importance as we seek to enable further interoperability in general and the TEFCA system in particular.”

Regulators designed TEFCA to help providers easily access EHR data to promote improved care delivery. But as data sharing across the healthcare sector improves, security and privacy must follow suit.

Since legislation often struggles to keep up with the ever-changing cyber threat landscape, healthcare organizations are looking to self-governing, voluntary standards development organizations for best practices and risk assessments.

“Now is the time for our industry to work together to close privacy and security gaps across networks, address vulnerabilities across HIPAA compliance, cyber protection and ransomware prevention, address authentication and ID verification issues all the while assuring the highest levels of stakeholder trust,” Barrett said in a statement on TNAP’s website.

Cyberattacks are increasing across all critical infrastructure sectors, and threat actors keep finding innovative ways to target organizations. Medical devices are increasingly vulnerable to exploitation, EHR privacy and security risks are mounting, and cloud adoption has also presented a new suite of risks. Threat actors have managed to create risk in almost any health IT application.

Healthcare organizations must engage in threat sharing and work to create and implement industry standards in order to maintain cybersecurity and protect patient privacy. With each new development in the health IT space, stakeholders will have to consider security and privacy accordingly.