Healthcare IT security is only as good as the weakest link
Last fall’s breach of the federal Affordable Care Act healthcare signup portal serves as a wake-up call that no data is safe.
The Centers for Medicare and Medicaid Services detected anomalous activity in an enrollment pathway used by agents and brokers, affecting the files of 75,000 individuals.
The security of a healthcare IT network is no stronger than its weakest link, an area of increasing concern for chief information security officers. More healthcare providers, hospital systems, health information exchanges, health plans, accountable care organizations, state Medicaid agencies, and others are requiring vendors and other contracted entities to undergo third-party assurance to address the number of data breaches and cyberattacks.
But as various entities create different requirements, vendors and third-party entities are subject to a dizzying array of surveys and documentation in order to demonstrate compliance to each customer. This creates a myriad of overlapping requirements and drives up the business costs of healthcare vendors.
Implementing a common, healthcare-specific accreditation/certification accepted by healthcare providers, hospital systems, health plans, and other healthcare entities would bring uniformity and standardization in meeting compliance and third-party assurance requirements, helping vendors and customers alike.
Several states already require third-party service organizations to obtain specific accreditations/certifications, and every state is seriously assessing data security and risk management through stricter regulation and oversight.
The federal government is in the process of implementing the 21st Century Cures Act as the Office of the National Coordinator for Health Information Technology is working to develop a Trusted Exchange Framework with Common Agreement (TEFCA). A second draft released in April supports development of a common agreement that would “…help enable nationwide exchange of electronic health information across disparate health information networks.
The TEFCA is designed to scale EHI exchange nationwide and help ensure that HINs, health care providers, health plans, individuals, and many more stakeholders have secure access to their electronic health information when and where it is needed.”
EHNAC has been monitoring these developments closely, working with a coalition of healthcare organizations aimed at creating a Trusted Network Accreditation Program (TNAP). More than 30 healthcare industry organizations are contributing their expertise to develop an accreditation framework aligned with TEFCA standards. Participants include HITRUST, America’s Health Insurance Plans, American Hospital Association, Medical Group Management Association, Blue Cross Blue Shield Association, Workgroup for Electronic Data Interchange, eHealth Initiative, Strategic Health Information Exchange Collaborative and many other healthcare stakeholders.
A TNAP healthcare industry stakeholder survey shows significant interest in common standards that will make it easier to exchange data in a secure manner to improve patient care.
- 95 percent of respondents agree or strongly agree that improvements in the ability to electronically share patient information will make care delivery more effective and efficient.
- 84 percent agree or strongly agree that certification/accreditation for privacy and security is a viable way to create trust among participants in a health information network.
- 81 percent of respondents agree or strongly agree that one barrier to interoperability concerns what happens to patient data after it leaves an organization.
- 62 percent believe that common, consistent standards would enable greater confidence in data exchange.
The second draft of TEFCA signaled that the ONC is committed to common standards. Organizations that had adopted a “wait-and-see” attitude are now interested in drafting TPA agreements with vendors.
TNAP provides a strong third-party assurance program that is based on accepted industry standards and is driven by specific ONC requirements. EHNAC recognizes that the HITRUST CSF provides strong privacy and security third-party assurance and has incorporated its requirements within TNAP. TNAP also accepts HITRUST CSF Certification as fulfillment of these components of the program.
In addition, TNAP layers in the TEFCA Minimum Required Terms and Conditions and Trust Framework specifications for identity and authentication, TNAP-unique privacy and security, authorization, onboarding, participant agreement, and other requirements. TNAP will be continually enhanced to support any further changes to TEFCA and any further requirements issued by the ONC-appointed Recognized Coordinating Entity.
As the push toward healthcare interoperability continues, third-party assurance accreditations/certifications likely will become the de facto method for vendors and third parties to address compliance and risk management requirements to participate in the healthcare ecosystem. But each healthcare entity mandating a different set of TPA compliance and risk management requirements and surveys will be untenable for vendors and third parties to address. That’s why independent accreditations/certifications remain the best way for health plans, systems, HIEs, ACOs, providers and other healthcare entities to work confidently with their vendors and third parties. TNAP provides a strong third-party assurance program based on accepted industry standards and driven by specific ONC requirements.
The Trusted Network Accreditation Program is one of many programs offered by EHNAC, an independent, self-governing, non-profit 501(c)(6) accrediting body designed to improve transactional quality, operational efficiency and data security in healthcare. For more information on EHNAC’s efforts, go to www.ehnac.org.