HITRUST designates PwC as a Common Security Framework Assessor

PwC US announced today that the Health Information Trust Alliance (HITRUST) has designated the firm a Common Security Framework (CSF) Assessor, qualified to evaluate and certify security standards of CSF-related services. The designation affirms PwC's deep experience in privacy, security and identity theft prevention, and helps to meet growing demand from health organizations for assurance that information is safe amid heightened concern over security breaches.

"Our designation as a HITRUST Common Security Framework Assessor allows us to support our healthcare clients with their mounting information protection needs at a time in which the volume and exchange of vulnerable healthcare information is growing by leaps and bounds," said James Koenig, director and Privacy and Identity Theft Practice Leader, PwC.

Increased concern for information security standards is being driven by a number of factors including: The advent of electronic health records spurred by $40+ billion in federal economic stimulus funds; increased sharing of health information via health information exchanges, Web 2.0, social media and interactive communications; globalization of supply chain operations, manufacturing, clinical trials and outsourcing to third parties; and new federal privacy and security laws.

A recent survey of 495 healthcare providers and 163 pharmaceutical companies, conducted by PwC and CIO magazine found the following:

• There has been an overall decline in information security processes over the past several years, including a decline in the number of healthcare organizations conducting regulatory compliance tests, maintaining an overall information security strategy, conducting personal background checks on employees or performing due diligence on third-parties that handle personal data.
• Nearly half (49 percent) of pharmaceutical/life sciences companies and 41 percent of healthcare providers said they experienced a breach of security in the past year.
• Of those who had a security breach, 24 percent of providers and 22 percent of pharmaceutical companies had data exploited. Twenty-three percent of pharmaceutical companies and 19 percent of providers said that information on mobile devices was exploited.
• The source of information security breaches comes largely from inside the organization. Thirty-six percent of providers and 35 percent of pharmaceutical companies attribute security breaches to current employees; 18 percent of providers and 23 percent of pharmaceutical companies attribute breaches to former employees.
• Over the past year, there has been increased concern about security breaches from outside hackers. Twenty-three percent of respondents attribute breaches to hackers, evidence that personal health information is a tempting target for theft by both insiders and outsiders.
• Fewer than half (45 percent) of pharmaceutical and provider organizations are actually using data leakage prevention tools.

HITRUST's Common Security Framework is the first information technology security framework developed specifically for healthcare information, and PwC, as an Assessor, will evaluate and/or certify services associated with the CSF, including services delivered through the CSF Assurance Program. As a designated HITRUST Common Security Framework Assessor, PwC is positioned to assist healthcare organizations with adopting the most innovative approaches to healthcare information security in the industry.

"We are pleased to have PwC join the Common Security Framework Assessor program," said Daniel Nutkis, Chief Executive Officer, HITRUST. "Increasingly, healthcare organizations are facing greater regulatory scrutiny, more competition and demands to operate more efficiently, all of which make information protection more important than ever before. As a leader in both healthcare consulting and information security and privacy, PwC can assist organizations in adopting the Common Security Framework in these volatile times."

Jeff Fusile, a PwC Health Industries partner, added that "PwC is proud to have played an influential role in the early development of the HITRUST Common Security Framework and the creation of preliminary standards in this crucial initiative. We are pleased to take the next step in our relationship with HITRUST by becoming an official CSF Assessor, and look forward to assisting health organizations in helping to ensure that the data of patients, providers and all healthcare system participants is safe and secure."