Analyzing ONC's Interoperability Roadmap: 10-Year Plan Shines Spotlight on Privacy, Security Challenges
The protection of patients' health data is a fundamental principle deeply woven throughout federal regulators' new 10-year roadmap for interoperable health data exchange. While some experts say the plan is on the right track, others say more work is needed.
The Office of the National Coordinator for Health IT, which prepared the document, says interoperable electronic health records systems and secure national health information exchange are necessary for achieving its vision of a "learning health system." It defines that term as a system in which health information "flows seamlessly and is available to the right people, at the right place, at the right time to better inform decision making to improve individual health, community health and population health."
Two challenges that have emerged in the wake of the massive rollout of electronic health records systems spurred by the HITECH Act incentive program are the difficulty of sharing information among different EHR systems and the difficulty of sustaining health data exchange organizations, which can be securely linked to facilitate nationwide sharing of data.
The 94-page roadmap unveiled by ONC on Oct. 6 is "final version 1.0", reflecting stakeholder feedback the agency received on its draft version of the roadmap released in January (see: Interoperability Plan Raises Concerns).
In a letter included in the document, ONC leader Karen DeSalvo, M.D., says her office anticipates updating the document every two years based on input from the public, healthcare stakeholders and its federal advisory committees - the HIT Policy Committee and HIT Standards Committee.
GPS for Best Practices
Some experts say the roadmap draws attention to a number of important privacy and security issues that need to be spotlighted as the nation's healthcare system evolves.
The roadmap "calls out a group of best practices that all healthcare organizations should consider as part of their security program," Charles Christian, chair of the College of Healthcare Information Management Executives, tells Information Security Media Group. "In my opinion, the roadmap might be considered as a GPS for moving us toward a 'learning health system,' which will provide us in healthcare with the framework to rapidly share best practices, common security risks, etc.," he says.
In a statement, the Healthcare Information and Management Systems Society said it supports many of the principles identified in ONC's roadmap. "HIMSS supports the four critical pathways identified in the roadmap that focus on using consensus-based standards, enabling the shift in payment policies from fee-for-service to value-based models, and aligning federal and state privacy and security requirements that enable interoperability."
Security expert Keith Fricke, principal consultant at security consulting firm tw-Security, describes the document as "a very good start in defining where things need to head," but sees room for improvement.
"A few areas of the roadmap were disappointing or concerning," he says. "The roadmap sets expectations for vendors to step up to help achieve interoperability. Most EHR vendors still are providing products that do not support encrypting their databases at rest."
The roadmap envisions a "ubiquitous, secure network infrastructure" for interoperable health data. "Enabling an interoperable, learning health system requires a stable, trusted, secure, widely available network capability that supports technology developer-neutral protocols and a wide variety of core services," the document states.
The privacy and security of health data is among 10 top principles highlighted in the roadmap. "It is essential to maintain public trust that health information is safe and secure," the document states.
"To better establish and maintain that trust, stakeholders will strive to ensure that appropriate, strong and effective safeguards for electronic health information are in place as interoperability increases across the industry. Stakeholders will also support greater transparency for individuals regarding the business practices of entities that use their data, particularly those that are not covered by the HIPAA privacy and security rules, while considering the preferences of individuals."
Key privacy and security elements spotlighted in the roadmap include a number of best practices aimed at improving the overall cybersecurity of health data. Those include:
- Creating and maintaining a security risk management program that includes, among other things, data use and business associate agreements that "will need to scale beyond bi-lateral contracts to support nationwide interoperability";
- Sharing threat information across organizations and developing mature incident response capabilities;
- Monitoring for misuse of user and administrator credentials, particularly those credentials that have system-level access to APIs or databases that contain ePHI or individually identifiable health information;
- Ensuring that health IT is developed and deployed securely, following Department of Homeland Security and National Institute of Standards and Technology guidance "for building security into health IT products, not just putting products behind a secure exterior";
- Assessing the security of applications and infrastructure via penetration testing, potentially conducted by third-party experts, to identify vulnerabilities before they are exploited;
- Encrypting the contents of all network messages in transit even if it is not legally required;
- Securing all data stored in any database connected to the network, whether through a companion system, interface engine or gateway, by encrypting data at rest and securing the encryption keys;
- Participating in bug bounty programs.
The interoperability roadmap also addresses tackling a series of privacy and security challenges by setting objectives and incremental milestones spanning from 2015 to 2024. Those include:
- Authentication and verification of healthcare providers and patients accessing health data, including the use of mobile devices to authenticate individuals accessing their own health data.
- Consistent understanding and technical representation of patient permission to collect, share and use identifiable electronic health information across a landscape of diverse and complex state privacy laws. Among other things, the roadmap calls for more harmonization of state and federal laws and recommends technology vendors implement technical standards for capturing, collecting and communicating patient consent.
- Accurate patient data matching to prevent information fragmentation and the incorrect merging of health records, which pose potential threats to patient privacy and safety.
- The use of software APIs to support secure data exchange and information flow.
One of the more critical issues highlighted by the roadmap is the need for more collaboration and cooperation in the healthcare sector, Christian notes.
"Sharing threat information is specifically listed and is a growing option for better informed collaboration among healthcare organizations," he says. In addition, the roadmap also calls upon technology vendors and healthcare providers to apply data encryption while PHI data is at rest and in motion, he notes.
More cooperation by vendors is necessary for the healthcare industry to meet various objectives set by the roadmap, Fricke contends.
For instance, because "most EHR vendors are still not supporting encryption of their databases at rest, that puts the burden on hospitals to invest in hardware-encrypted SAN storage on which to operate their EHR," Fricke says. "Doing so becomes a compensating control, and that is if the vendor supports running on encrypted SAN storage - some do not support even that. Are we to believe that if vendors have been failing to address the encryption issue, they will step up and meet the requirements of securing interoperability?"
Fricke also says the roadmap document lacks details on the need for consumer education. "The general public is not as aware of cybersecurity risks as they should be," he says. "Many of these same people will likely access their personal medical record from a personally owned computer that is lacking current software patches or current anti-virus software."
The roadmap doesn't sufficiently address security threats facing patient portals, including sophisticated phishing attacks and malware, Fricke contends. The document calls for enhanced authentication capabilities, which to some extent may be able to combat these threats, he notes. "If a patient portal is compromised, that will be a great setback for interoperability adoption," he says.
Fricke is particularly concerned about "watering hole attacks," an emerging threat. "Criminals target a particular group of individuals based on industry, organizational affiliation or maybe even based on geographic region," he says. "If criminals can use malware to compromise a patient's home computer and learn which patient portal they access, the criminals may find creative ways to target neighboring populations with phishing emails that compromise more access to the portals."