Federal Strategic Health IT Plan Issued
Identifies Ways to Ensure Secure Health Information Exchange
Federal regulators have issued a strategic health IT plan for 2015 to 2020 that includes five major goals, including advancing secure health information exchange.
The plan raises the possibility of bolstering security and privacy requirements for electronic health records software that's certified for the HITECH Act incentive program. It also calls for consideration of creating a second information sharing and analysis center, or ISAC, to assist federal agencies and private healthcare entities in exchanging cyberthreat intelligence.
The Office of the National Coordinator for Health IT, a unit of the Department of Health and Human Services, created the plan in collaboration with more than 35 federal agencies. The last federal health IT strategic plan was released in 2011.
The strategic plan also serves as "the broad federal strategy" that sets the context and frames the Nationwide Interoperability Roadmap, a draft of which ONC released in June. ONC is slated to release its final roadmap in January, which will help to define in more detail how the federal government and private sector will approach secure sharing of health information to improve care, the agency says.
The five main goals of the new federal strategic plan include: expanding adoption of health IT; advancing secure and interoperable health information exchange; strengthening healthcare delivery; advancing the health and well-being of individuals and communities; and advancing research, scientific knowledge and innovation.
Drilling down on the goal of advancing secure health information exchange, ONC lists three objectives:
- Enabling individuals, providers, and public health entities to securely send, receive, find and use electronic health information;
- Identifying, prioritizing and advancing technical standards to support secure and interoperable health information;
- Protecting the privacy and security of health information.
To meet those objectives, the strategy includes the possibility of requiring that certified EHR systems eligible for the HITECH incentive program offer expanded encryption capabilities as well as new data segmentation capabilities, ONC's leader, Karen DeSalvo, M.D., said during a briefing with news media to discuss the federal plan.
Additional health IT certification requirements are being considered, in particular, for data exchange related to substance abuse and behavioral health treatment, she says.
The plan also calls for using technology to accurately identify, match and authenticate information across data sources. Also, the plan promotes advancing standards that support interoperability between medical devices and certified EHRs.
To protect the security and privacy of health data, the plan also calls for:
- Supporting the development and implementation of policies, practices and education that protect health information from breaches, and address cybersecurity risks and developing technologies;
- Continuing development, administration and enforcement of federal privacy and security regulations and standards for HIPAA covered entities and business associates;
- Continuing enforcement of applicable federal privacy and security requirements for entities not covered by HIPAA;
- Supporting the development of policies, standards, technology, guidance and solutions to facilitate individuals' ability to manage, control and authorize the disclosure of specific electronic health information.
A New ISAC?
The federal health IT strategy calls for "the establishment of a single health and public health Information Sharing and Analysis Center (ISAC) for bi-directional information sharing about cyber threats and vulnerabilities between the private healthcare industry and the federal government."
This recommendation comes even though a National Health ISAC already is in place (see NH-ISAC Offers Cyber-Intelligence Tool).
Replacing the current NH-ISAC has not been discussed, DeSalvo says. "The discussion is about a more targeted [ISAC] that is part of HHS," she adds.
In a follow-up statement to Information Security Media Group, an ONC spokesman says, "HHS is aware that there are various entities that perform and are engaged in information sharing activities and efforts, or who have information sharing capabilities. We [at HHS] are working with the NH-ISAC and other entities to ensure that collaboration is occurring for a more robust information sharing infrastructure. ... We [at ONC and HHS] are not favoring one entity over another; we are making sure that the [health and public health] sector moves forward cohesively and collaboratively as we tackle the complexities of cybersecurity and threat information sharing."
More Vision Needed
One security and privacy expert says that although the plan seems to indicate security and privacy are an important focus of the federal strategic vision, there's room for more progress.
Based on a cursory review of the federal plan, "I'm pleased to see the consideration being given to securing health information," says Dixie B. Baker, senior partner at the consulting firm Martin, Blanck and Associates, and chair of the transport and standards workgroup which advises ONC's HIT Standards Committee. "However, the vision seems to me to be much the same as it was five years ago. I think the stakeholders within the US health ecosystem - including but not limited to EHR vendors, providers, payers, standards development organizations, the research community and consumers - have all made progress over the past five years that I would expect to see reflected in the vision for the next five years."
At first glance, Baker says, the document "seems to be more of the same, with little vision toward the dramatic improvements in individual and population health that are rapidly being brought about through advances in biomedical science; consumer engagement in improving their own health, for example, via smart phone apps, consumer sensors and appliances; and big data analytics - all of which, by the way, introduce new challenges to securing health information and protecting individual privacy."