HIE Models: Security Pros and Cons
Weighing the Merits of Centralized, Federated and Hybrid Models
Does one health information exchange data architecture model provide better security than others? That all depends on who you ask.
Supporters of the federated model, including some consumer advocates, say it's by far the most secure approach.
In a federated model - also called distributed or decentralized - data that's exchanged resides at individual healthcare organizations and is shared upon request.
The federated model avoids the risks involved in creating a centralized database, which, if compromised, can expose a huge amount of data, says Mark Savage, senior attorney at Consumers Union. In the federated model, "if there's a problem [with a HIE member], it only affects one place," he says.
Data-sharing models should, where possible, use a decentralized and local control approach, according to a recent report from Consumers Union and the Center for Democracy & Technology. Duplication and centralization of data "amplifies the risk of security and privacy violations," the organizations contend (see: Identifying Privacy Protection Gaps).
But backers of the centralized model, in which data is collected from all participants in one database, say it's the best security option because it makes it far easier to standardize and control security and privacy policies and technology implementation.
"With centralized models, there is concern about the security of having data all in one place, but there are huge benefits to health data analysis and medical research that centralized repositories offer," says Jennifer Covich Bordenick, CEO of eHealth Initiative, a private-public consortium that studies and promotes the use of health IT, including HIEs.
Also, while the federated model lacks the security-breach bull's-eye of a huge centralized repository, a decentralized HIE approach can introduce other issues, including the potential for a lack of a common approach to security across all its members, Bordenick says. "How do you get all these people together to agree on security and privacy policies and use of data in a decentralized model? That's a challenge," she says.
Other HIE models
Some HIEs are using a hybrid, or custom, model that doesn't fit the centralized or federated molds.
For instance, in some hybrid models, a centralized repository might be logically segregated so that data of each HIE member is separated from other participants, allowing data to be easily removed from the exchange if a participant decides to leave the exchange. "That's a critical element from a business and patient privacy approach," says Kim Pemble, executive director of the Wisconsin Health Information Exchange, which takes a hybrid approach (see: Wisconsin HIE Favors Hybrid Data Model).
And in the interest of simplicity, some organizations involved in information exchange have punted, using only one-to-one secure transactions based on the Direct Protocol instead. For example, the state of Tennessee pulled the plug on its efforts to build a statewide HIE in favor of promoting Direct Project transactions.
But the scope of data exchange that takes place using the Direct Protocol is limited, Bordenick says. "Direct is not a model, but rather another tool in the bag of tricks for data exchange," she says. "It's basically secure messaging, and you can't really use it for complex data exchange," such as those involving queries to locate patient data residing in multiple places.
Leaders of HIEs defend their choices, arguing that their particular data architecture models not only meet their users' information sharing needs, but also safeguard patient data.
Sira Cormier, program director of New England Healthcare Exchange Network, says the HIE has stuck with the federated model since its launch in 1998 because "owners of the data are also responsible for safeguarding it." The federated model also has been flexible and secure as NEHEN has expanded the kind of information that's shared, says Cormier, who has been program director of the HIE for the last 12 years (see: HIE Sticks With Federated Model).
"All our data is stored at the sending or receiving organizations, and the only thing in the middle for us is a community directory that holds the addresses of where the message needs to go," she says.
NEHEN's participating members are in charge of the data that sits within their own four walls, she says. So they're responsible for compliance with HIPAA and other privacy and security regulations.
While the federated model gets high ratings from some for security, others point out potential shortcomings.
"Security is only as good as the weakest point in the provider organizations that are participating [in a federated model]," says Devore Culver, CEO of HealthInfoNet, Maine's statewide HIE, which uses a centralized approach (see: Handling Security in a Centralized HIE).
"In a central repository model, we're able to institute important perimeter and penetration management tools," he notes. Plus, the encrypted central repository keeps patient clinical data separate from patient ID information to enhance security. "To hack through that, you'd have to hack through both encrypted data sets," he says.
Nevertheless, HealthInfoNet takes extra steps to ensure security, Culver explains. For example, HealthInfoNet hires a third party to attempt to break into the system twice a year. "We don't know when that's coming," he says. "We have no idea how they're going to attack us, what their various methods are going to be. That's a very important step in maintaining the credibility around the central data repository model."
Mix And Match
The Wisconsin Health Information Exchange takes a hybrid approach that gives the HIE the ability to tap into the benefits of both centralized and distributed environments, Pemble says.
Although the HIE stores healthcare data in one repository, that data is segregated based on its source, Pemble says. That means participating members not only retain ownership of their data; they also specify how that data can be used by the exchange. "Each member has ownership over their data, and we're only allowed to use the data as the owners allow," he says. For example, that might include the HIE using de-identified patient data for analysis or syndromic surveillance for public health departments.
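The two design ideas described above (HealthInfoNet's separation of clinical data from patient identity inside a central repository, and Wisconsin's per-member segregation with owner-controlled uses) can be sketched in a few dozen lines. The following is an added, constructed illustration, not code from any exchange named in this article: one repository holds a partition per member; inside each partition, demographics and clinical facts sit in two separate stores joined only by an HMAC token under a per-member secret; each owner declares the uses it permits; and a member that leaves the exchange has its whole partition, secret included, dropped. The member names, MRNs and clinical facts are made up for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical illustration written for this article; not code from any of
# the exchanges it describes.  One repository, one partition per member.
# Within a partition, identity and clinical facts are kept in two stores
# joined only by an HMAC token derived from a per-member secret, and the
# owning member declares which uses of its data are allowed.


@dataclass
class Partition:
    secret: bytes                                   # per-member linkage secret
    allowed_uses: set                               # uses permitted by the data owner
    identities: dict = field(default_factory=dict)  # token -> (last_name, dob)
    clinical: dict = field(default_factory=dict)    # token -> list of facts


class HybridRepository:
    """Logically segregated central repository (constructed example)."""

    def __init__(self):
        self._partitions = {}

    def add_member(self, member, allowed_uses):
        self._partitions[member] = Partition(secrets.token_bytes(32), set(allowed_uses))

    def members(self):
        return sorted(self._partitions)

    def _token(self, member, mrn):
        # The clinical store is keyed by this opaque token rather than the MRN,
        # so the clinical store on its own does not say whose record it holds.
        p = self._partitions[member]
        return hmac.new(p.secret, f"{member}:{mrn}".encode(), hashlib.sha256).hexdigest()

    def store(self, member, mrn, last_name, dob, facts):
        p = self._partitions[member]
        tok = self._token(member, mrn)
        p.identities[tok] = (last_name, dob)
        p.clinical.setdefault(tok, []).extend(facts)
        return tok

    def aggregate_view(self, last_name, dob, purpose="treatment"):
        """Cross-member view of one patient, honoring each owner's allowed uses."""
        view = {}
        for member, p in self._partitions.items():
            if purpose not in p.allowed_uses:
                continue
            for tok, ident in p.identities.items():
                if ident == (last_name, dob):
                    view[member] = list(p.clinical.get(tok, []))
        return view

    def deidentified_export(self, purpose="deidentified_analysis"):
        """Facts only, no demographics, from members that permit this use."""
        return {m: [f for facts in p.clinical.values() for f in facts]
                for m, p in self._partitions.items() if purpose in p.allowed_uses}

    def remove_member(self, member):
        # A departing member's entire partition, secret included, is dropped.
        return self._partitions.pop(member, None) is not None


def demo():
    repo = HybridRepository()
    repo.add_member("hospital_a", ["treatment", "deidentified_analysis"])
    repo.add_member("clinic_b", ["treatment"])  # this owner forbids analysis use
    # Constructed sample records for the same patient held at two members.
    repo.store("hospital_a", "MRN-001", "Doe", "1970-01-01", ["A1c 7.2"])
    repo.store("clinic_b", "MRN-9", "Doe", "1970-01-01", ["Lisinopril 10mg"])
    before = repo.aggregate_view("Doe", "1970-01-01")
    export = repo.deidentified_export()
    repo.remove_member("clinic_b")
    after = repo.aggregate_view("Doe", "1970-01-01")
    return before, export, after


if __name__ == "__main__":
    print(demo())
```

The point of the split is that neither store is useful alone: the identity store has no clinical content, and the clinical store is keyed by tokens that cannot be reversed without the member's secret. Patient matching here is a naive exact match on name and date of birth purely to keep the demo short; a real exchange would use a master patient index.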
At ClinicalConnect, an HIE in western Pennsylvania, a custom approach helps bolster data security, says Chris Carmody, a vice president in the information systems division of University of Pittsburgh Medical Center, a founding member of the HIE (see: An HIE Structure That Breaks the Mold).
Users of ClinicalConnect's HIE are authenticated before they access patient records through their own organization's EHR system. While in their respective EHRs, they can access ClinicalConnect through a hyperlink to launch a search of other data available about the patient from ClinicalConnect participants. That launches a new window with an aggregate view of the patient's information.
"Instead of trying to manage the identities of our users from a central place, we felt it best to leverage what was already in place, which is based on HIPAA security and privacy regs [compliance] at that local level," says Carmody, who oversees ClinicalConnect and who will soon be named its president.
A Higher Standard
Regardless of the data architecture model used, the level of privacy and security in any HIE needs to be above the general community practice in healthcare, says Culver of HealthInfoNet in Maine. "We're doing things that make people uncomfortable and therefore you need to be able to speak to a slightly higher standard or practice."
Pemble of the Wisconsin Health Information Exchange offers a similar observation: "All HIEs are extremely conscious of the importance of data security, because any breach with any HIE will have long lasting impact on all HIE efforts."