Three critical issues that must be addressed to pave the way for broader exchange of health information are expanding the use of multifactor authentication and data encryption and making broad improvements in identity management, says David Kibbe, M.D., president and CEO of DirectTrust.
The healthcare sector is facing a new wave of uncertainty - ranging from whether the Affordable Care Act will be repealed and replaced to what could happen to payment reform programs under a new Trump administration. Regardless of those changes, healthcare provider organizations of all sizes will continue to be pressured to exchange more health data in two major ways to improve patient care coordination, Kibbe says in an interview with Information Security Media Group.
"One of them is over their own network - [providing] access to information to doctors, nurses and patients. But they have to focus increasingly on interorganizational exchanges of health information. This is where it gets increasingly difficult," he says.
"The average hospital system might have as many as 400 business associates who access their networks or parts of their networks on a regular basis. Health information exchange [involving] information going from one organization to another is a new, different threat for the security protections of a healthcare provider organization."
Direct Trust, a not-for-profit trade association, created and maintains the security and trust framework for using the Direct Project protocol, which provides specifications for a secure, scalable, standards-based way to send encrypted health information directly to known, trusted recipients over the Internet.
Beefing Up Controls
"It has become a full industry embarrassment the extent to which health information databases containing really personal information, financial information, Social Security numbers and so forth have been able to be hacked," Kibbe says. "We're in the process of hardening the systems that healthcare providers use."
But most healthcare professionals still log into their hospital networks or electronic health records systems using a user name and password, rather than multifactor authentication, which would be far more secure, he notes.
As for the use of encryption in protecting health data that's exchanged, Kibbe says, "we are going to see increasingly not just the sessions encrypted ... but the content itself being encrypted as it goes over the network."
The next critical area is tackling broader identity management, Kibbe contends. "How in cyberspace do you know that a person or an organization is who they say they are?" he asks. "We're increasingly going to see the use of tools like public key infrastructure."
When healthcare organizations receive requests for information, "in the first step of honoring that request and exchanging that information, there needs to be a high level of assurance that the persons or parties [requesting the information] ... are actually who they say they are," he adds.
In the interview (see audio link below photo), Kibbe also discusses:
- The potential short-term and long term-impact of the new Trump administration on secure health data exchange;
- The 21st Century Cures Act's potential impact on discouraging the blocking of information sharing;
- DirectTrust's plans to begin beta testing the use of secure text messaging.
Kibbe, a physician, is founding president and CEO of DirectTrust. He is also senior adviser to the American Academy of Family Physicians.