What Happens When Health Data Is Transferred, How to Protect It

When it comes to medical records, there is no lack of people with bad intentions trying to get their hands on that information. Unless healthcare organizations use available technology to protect this data flowing over the Internet, we are bound to witness more attacks like those that struck Anthem and Premera.

Strong authentication and encryption must be the norm. Consider something as simple as a family practitioner referring a patient to a specialist. The data can be sent from one office to the other in several formats, and both the sending and the receiving provider need to know which one is in use. The primary method today is Directed Exchange secure messaging, known as Direct. The emerging Fast Healthcare Interoperability Resources (FHIR) standard could soon be an alternative. FHIR is a first-generation application programming interface (API) and core data services specification meant to expand sharing among electronic health record (EHR) systems as well as other health IT systems.


The benefit of Direct is that it does not matter what formats are being used. The focus is on securing the transport, irrespective of what the message contains. Essentially it is a secured email solution for healthcare. As with email, both sender and receiver have a Direct address (which looks like an email address) from which information is sent or at which it is received, depending on which side of the transaction the account holder is on.

Digital (X.509) certificates cryptographically bound to those addresses, or to their domains, are used along with the ordinary infrastructure of the Internet to protect the message itself: the sender encrypts the message to the recipient's certificate and signs it with its own, the S/MIME model. Any data can then travel in that message without revealing its contents to anyone but the intended receiver, and any modification in transit is detected when the recipient checks the signature. Note what this does and does not cover: it protects the confidentiality and integrity of a message that arrives; it does not by itself tell the sender that a message was dropped along the way.

For FHIR, still being developed and tested, transferring data from EHRs or other systems is a little more involved, but as long as both parties know and agree on which FHIR profile is being used, securing the transaction happens in a consistent manner. FHIR typically relies on TLS, the same protocol that has protected e-commerce transactions for many years, to authenticate the server (and, with mutual TLS, the client) and to protect the data as it moves from one party to the other. Authorization of the requesting application and its user is layered on top, typically with OAuth 2.0. TLS certificates cryptographically bind FHIR endpoints (either a service location, or an application requesting data for its user) to their respective Internet locations, allowing a secure channel to be established.

As the history of e-commerce has demonstrated, using TLS is no guarantee of security if the parties do not implement TLS correctly or use weak or broken algorithms to set up the secure channel. Domain-validated certificates prove only that the holder controls a domain name, not who the organization behind it is, so they do not by themselves provide strong enough assurance about the parties in a transaction. This is why the Extended Validation (EV) certificate standard (think green bar in browsers) was established: to ensure that appropriate identity proofing for e-commerce was being employed. The EV process requires an applicant to pass several checks by an outside party to prove they are who they say they are and that they are authorized to act on behalf of their company before a certificate is issued. Healthcare needs at least EV-level assurance, and perhaps even stronger measures. The two concerns are independent, though: a strongly vetted certificate on a server that still negotiates obsolete protocol versions or cipher suites is no better protected against interception. We also need to insist on two-factor authentication as a default standard.

Hackers know that they cannot break strong encryption, so they look for HISPs (Health Information Service Providers) or FHIR implementers that get the cryptography wrong when transferring EMRs: obsolete protocol versions, weak cipher suites, or clients that skip certificate validation. Similarly, absent two-factor authentication, a clever spear phishing message can trick a provider logging onto a HISP or a FHIR-enabled healthcare app into revealing login credentials, and a stolen password alone is then enough to get in.
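To make the TLS points above concrete, here is an added example (not code from the article, DigiCert, or any FHIR or HISP product) using Python's standard ssl module. It builds a client context the way a FHIR client should, builds a deliberately permissive one that mirrors the common "turn off verification to make the error go away" mistake, and audits both for the weaknesses discussed: unverified certificates, no hostname check, protocol versions below TLS 1.2, and cipher suites without authenticated encryption or forward secrecy. The hostname fhir.example.org is a placeholder.

```python
"""Hardened vs. permissive TLS client settings for a FHIR/HISP client (added example)."""
import socket
import ssl
from typing import List, Optional, Tuple

# TLS 1.2 suites: ECDHE key exchange only (forward secrecy) and AEAD only.
# TLS 1.3 suites are configured separately by OpenSSL and are all AEAD.
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context: verified chain, hostname check, TLS 1.2+, AEAD with forward secrecy."""
    # create_default_context() loads the system trust store when cafile is None
    # and turns on certificate verification and hostname checking.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_ciphers(TLS12_CIPHERS)
    return ctx


def permissive_client_context() -> ssl.SSLContext:
    """The anti-pattern: any certificate accepted, any protocol version the library still speaks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted, so anyone can impersonate the endpoint
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return a list of findings; an empty list means the context meets the baseline."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the hostname (check_hostname off)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    for c in ctx.get_ciphers():
        # get_ciphers() describes every enabled suite; 'aead' and 'kea' come from OpenSSL 1.1+.
        if not c.get("aead", True):
            findings.append(f"non-AEAD cipher suite enabled: {c['name']}")
        elif c.get("kea") == "kx-rsa":
            findings.append(f"cipher suite without forward secrecy enabled: {c['name']}")
    return findings


def probe_endpoint(host: str, ctx: ssl.SSLContext, port: int = 443) -> Tuple[str, str]:
    """Connect to a FHIR endpoint and report the negotiated protocol version and cipher.

    With the hardened context an untrusted or mismatched certificate raises
    ssl.SSLCertVerificationError instead of silently connecting."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("permissive", permissive_client_context())):
        print(label, audit_context(ctx) or ["no findings"])
    # Needs network access; fhir.example.org is a placeholder hostname (assumption).
    # print(probe_endpoint("fhir.example.org", hardened_client_context()))
```

The audit inspects the client's own configuration, which is where most real-world TLS failures live; probe_endpoint then shows what a given server actually negotiates, so a HISP or FHIR server that only offers TLS 1.0 or RSA key exchange will fail to connect under the hardened context rather than quietly downgrade.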

With the dizzying amount of patient info being exchanged over the Internet on a daily basis, we’re way past the point where you can simply hope that data is protected. It’s critically important that we truly understand how data is moved, and then act to protect it as best we can. 

Scott Rea is vice president of government and education relations at DigiCert Inc., an encryption and identity authentication vendor.
