The security challenge: Privacy and safety in the national data exchange era
As pressure grows to easily move data between providers, payers and patients, there’s growing risk in protecting it in HIEs and personal devices.
As health information exchanges attempt to ramp up the sharing of patient data nationally, data security must be kept top of mind. After all, breaches of patient data through an exchange could quickly derail the efforts to share patient information.
To make things even more challenging, patients and providers alike are increasingly relying on personally owned mobile devices to access patient records.
Key to the success of nationwide data sharing is a commitment from all parties involved to follow the privacy- and security-related requirements defined in data exchange agreement and pass those (flow-down) requirements to any third-party contractors or vendors that are involved.
Federal requirements
The 21st Century Cures Act (Cures Act) requires:
- • Data sharing among multiple parties (providers, health plans and others) through "a trusted exchange framework" - known as a health information exchange (HIE).
- • Timely and easy access for patients to their data.
- • Patient engagement in their own care and safety.
But all this must be done while still complying with the Health Insurance Portability and Accountability Act (HIPAA) and a variety of state privacy laws.
The Trusted Exchange Framework and Common Agreement (TEFCA) was crafted to carry out the Cures Act mandate to develop “a common agreement among health information networks nationally.” The 64-page TEFCA, which outlines responsibilities, is based upon seven principles. Our focus here is primarily on Principle 4, covering privacy, security and safety, which specifies that “HINs should exchange digital health information in a manner that supports privacy; ensures data confidentiality, integrity and availability; and promotes patient safety.”
Health information exchange
TEFCA helps facilitate exchange among healthcare organizations through trust policies and practices. Trust is critically important when obtaining patient information from an outside source.
For example, some questions include:
- • How does a provider know if the data extracted from an HIE is accurate?
- • How does a provider know if the data extracted is for the correct patient?
- • How does an organization know that the information it shares with an HIE will be protected?
Strong relationships are built upon trust. TEFCA creates a bond of trust through a signed agreement. After all, in a data sharing or an information technology environment, data is only as secure as the weakest link.
Data sharing between organizations has been made possible primarily because of the HL7 standard. Prior to HL7, data integration often required a customized interface or program.
Patient access to their data
Another TEFCA principle is Principle 5 covering access. It specifies that
“HINs should ensure that individuals and their authorized caregivers have easy access to their digital health information and understand how it has been used or disclosed.”
Providers (hospitals and clinics) are required to provide patients with access to their own data, with the goal of accessing their medical information anywhere, at any time, and on any device (smartphone, tablet, laptop or any other device). Timely access to their data is being enforced by the Cures Act’s prohibitions of “information blocking,” as well as by fines to be imposed if a provider fails to honor a patient’s request or takes too long to provide a patient with the data they requested.
So far, 44 organizations have been fined by the HHS Office for Civil Rights – the agency responsible for HIPAA enforcement – for violations of the access requirements.
Clearly, providing patients with easy, yet secure access to data creates challenges. For example, adding more security controls may make it more difficult for patients to gain access. And ease of use also can mean ease of access by hackers.
Therefore, providers and others must strike a delicate balance, providing ease of access while ensuring only the patient or their legal guardian can access the data.
Essential steps include:
1. Encrypting all personally identifiable information (PII) or protected health information (PHI), both in transit and at rest.
2. Implementing multifactor authentication (if feasible).
3. Monitoring the environment for unusual or unauthorized activities.
4. Conducting periodic risk assessments.
5. Having well-defined incident reporting and data breach response procedures.
Safety and patient engagement
New smartphone apps that track pulse, respiratory rate and other vital signs are an affordable way to help patients continuously monitor their health and safety conditions, as well as manage certain types of diseases. Patients can share this data with clinicians, thanks, in part, to a newer interoperability standard.
Considered one of the most innovative interoperability standards, Fast Healthcare Interoperability Resources (FHIR) is an emerging HL7 standard subset that facilitates the flow of data from mobile devices to exchange data like never before. Under the Cures Act, FHIR compliance is mandatory for any healthcare provider serving Medicare and Medicaid patients.
FHIR uses open web technologies and web services that simplify data integration, enabling data exchanges to happen more smoothly while reducing the time needed to incorporate a new data exchange partner. But is FHIR fundamentally secure? Well, that’s up to the implementor.
In the rush to create new, innovative mobile apps and get them to the marketplace, a code review for security may be an afterthought. There may not be a formal app vetting process so, “buyer beware” and “use at your own risk.”
Another question to ask: Are the vendors of third-party apps business associates that are required to comply with HIPAA? Even if a vendor claims to comply with HIPAA – which doesn’t mean much, considering that the HIPAA Security Rule was originally written in August 1998 and finalized in February 2003 – so the regulation’s requirements are woefully out of date.
Also, FHIR enables providers to integrate HL7 data from an electronic medical record system and use their mobile devices to view that data and, if needed, update the data in near real time. Some FHIR apps plug in and run on top of the electronic medical record.
How secure are the other apps that a provider may have on their smartphones? Could an intrusive app intercept or gain access to patient data via the smartphone? These are significant questions that every provider organization must address by conducting a thorough risk assessment and implementing appropriate mobile device policies.
One other downside of using FHIR rather than using an interface engine is that this approach requires creating a lot of point-to-point interfaces, and the IT staff and the information security officer may not be aware of all those, which means those interfaces may lack adequate security.
Other challenges
Compliance with a proliferation of new state consumer privacy laws designed to protect consumers creates even more challenges for those exchanging data across multiple states.
And various state regulations may have very different requirements. That’s why the U.S. needs a nationwide consumer privacy law.
As we move toward national health data exchange, hospitals, clinics, insurers, HIEs and others must continue to improve how data is protected. A collaborative approach, and a uniform implementation of the FHIR standard, will prove to be essential.
Tom Walsh is a CISSP and the founder and managing partner of tw Security.