For planners of health information exchanges (HIEs), outlining a sound approach to privacy and security is a critical step to securing stakeholder participation. But trying to fully understand how to secure your exchange isn’t a trivial task. First, in order to tackle this issue correctly, planners need to be prepared to herd some cats – security, based on my experience, typically spans several departments (e.g., IT, Legal, Clinical Applications and Medical Records). Second, planners must find an IT architect who can speak both English and technology to decipher the technical details.
Once the team is assembled, shouldn’t the rest be straightforward given the amount of information made available by organizations like CCHIT, ONC and NIST? In truth, it certainly isn’t as straightforward as visiting a few websites, printing out checklists, and following the instructions. A quick survey of documents like the Concise Guide for CCHIT Certification Criteria for Ambulatory EHRs can help provide a framework but still leaves many important items unaddressed, like policies for patient consent and patient identity management.
As I review past HIE implementations and those I am currently involved in, the following security requirements stand out to support health information exchange across care settings:
Controlling Access
- User and System Authentication: Users are required to provide a user ID and strong password (and in some cases an optional token like RSA SecurID) to gain access to the HIE platform, its services, and attached EHR and ancillary systems.
Caution: Introducing a second factor of authentication will require some serious political mojo given the added step physicians would be required to adopt in the workflow process.
- User Access Rights: User actions must be authorized in real time (just in time) based on known information like the user’s role in the care process, the care setting, the patient and his/her consent status, the action being performed, and specific confidentiality rules.
Caution: Be wary of combining both end-user authentication and access rights into an LDAP-style directory given the complex nature of clinical authorization.
- Data Encryption: Electronic data exchanged between care settings must travel over fully encrypted channels.
Note: ONC has done a nice job defining standard specifications for secure messaging across care settings (such as signing of transactions with X.509 digital certificates over secure web channels).
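The "just in time" access-rights requirement above is easier to evaluate with a concrete policy engine in front of you. The following is an added example, not code from any HIE product or from the original post; the role names, care settings, consent states, confidentiality categories and the single break-glass rule are hypothetical, and in a real exchange the policy tables would live in a policy store rather than in code.

```python
"""Just-in-time clinical authorization: an added illustration of the
access-rights requirement, not code from any HIE product. The roles,
settings, consent states, restricted categories and the break-glass
rule below are assumptions made for the example."""
from dataclasses import dataclass
from enum import Enum


class Consent(Enum):
    OPT_IN = "opt-in"      # patient affirmatively joined the HIE
    OPT_OUT = "opt-out"    # patient declined; nothing is shared
    UNKNOWN = "unknown"    # no recorded decision yet


@dataclass(frozen=True)
class Request:
    user_id: str
    role: str                # e.g. "physician", "nurse", "billing"
    care_setting: str        # e.g. "primary-care", "emergency"
    patient_id: str
    action: str              # "read" or "write"
    categories: frozenset = frozenset()   # confidentiality categories of the data requested
    break_glass: bool = False


@dataclass(frozen=True)
class Decision:
    permit: bool
    reason: str              # every denial says why, so the audit trail is reviewable
    audit_required: bool = False


# Hypothetical policy tables (assumptions for the example).
ROLE_ACTIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": set(),        # billing staff never see clinical data through the HIE
}
# Data in these categories needs an affirmative opt-in even under break glass.
RESTRICTED_CATEGORIES = {"behavioral-health", "substance-use", "hiv"}
NETWORK_DEFAULT_OPT_IN = False   # True would model a network opt-out consent framework


def authorize(req: Request, consent: Consent) -> Decision:
    """Evaluate one request against role, care setting, patient consent,
    action and confidentiality rules, in that order of precedence."""
    # 1. Opt-out is absolute: no role, setting or emergency overrides it.
    if consent is Consent.OPT_OUT:
        return Decision(False, "patient opted out of the exchange")

    # 2. Effective consent depends on the network's consent model.
    consented = consent is Consent.OPT_IN or (
        consent is Consent.UNKNOWN and NETWORK_DEFAULT_OPT_IN)

    # 3. Restricted categories always require an affirmative opt-in.
    restricted = req.categories & RESTRICTED_CATEGORIES
    if restricted and consent is not Consent.OPT_IN:
        return Decision(False, "restricted data without affirmative consent: "
                        + ", ".join(sorted(restricted)))

    # 4. The role must be allowed to perform the action at all.
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return Decision(False, f"role '{req.role}' may not '{req.action}'")

    # 5. Break glass: an emergency read of a patient without recorded consent
    #    is permitted, but carries an audit obligation for after-the-fact review.
    if not consented:
        if req.break_glass and req.care_setting == "emergency" and req.action == "read":
            return Decision(True, "break-glass emergency access", audit_required=True)
        return Decision(False, "no recorded consent")

    return Decision(True, "consent on file and role permits action")
```

The ordering matters: consent checks run before role checks so that a privileged role can never turn an opt-out into a read, and the break-glass path returns a permit that carries an explicit audit obligation rather than a silent bypass.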
Managing Patient Identity
- Consent: Patients are required to confirm their participation in the HIE initiative before their information becomes accessible to authorized users.
Note: To date, many different consent frameworks have been implemented, ranging from network opt-in and opt-out to affirmative opt-in. There is no ‘right’ model, and the implementation decision will depend completely on the mindset of the stakeholder community.
- Identity Management: Patients and their records need to be linked across multiple care settings and stakeholders without centrally storing (or ‘commingling’) patient health data.
Note: When patient records are stored in a federated model with no universal patient identifier, patient-matching algorithms become monumentally important. What is often missed is ensuring that those matching algorithms factor in (and retain, when possible) the patient’s consent status.
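To make the note above concrete, here is an added example of a small federated patient-matching routine that links demographic records from several sources without holding any clinical data, and that carries each source's consent status through the match so the linked identity inherits the most restrictive status. This is illustration code written for this page, not an HIE product's matcher; the source names, field weights, threshold and sample records are constructed assumptions, and a production matcher would use a far richer probabilistic model.

```python
"""Federated patient matching that retains consent status: an added
illustration, not code from any HIE. Assumes a hypothetical master
patient index holding only demographics plus each source's consent
flag. Weights, threshold and sample records are assumptions."""
import re
from dataclasses import dataclass
from unicodedata import normalize


@dataclass(frozen=True)
class SourceRecord:
    source: str      # contributing organisation (hypothetical identifiers)
    local_id: str    # that organisation's own patient identifier
    given: str
    family: str
    dob: str         # ISO date as recorded by the source
    zip5: str
    consent: str     # "opt-in", "opt-out" or "unknown", as recorded by that source


def _norm(text: str) -> str:
    """Strip accents, case and punctuation so 'José' and 'Jose' compare equal."""
    ascii_text = normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_text.lower())


WEIGHTS = {"family": 3.0, "given": 2.0, "dob": 4.0, "zip5": 1.0}   # assumed
THRESHOLD = 7.0                                                     # assumed


def match_score(a: SourceRecord, b: SourceRecord) -> float:
    """Deterministic weighted agreement score between two records."""
    score = 0.0
    if _norm(a.family) == _norm(b.family):
        score += WEIGHTS["family"]
    if _norm(a.given) == _norm(b.given):
        score += WEIGHTS["given"]
    if a.dob == b.dob:
        score += WEIGHTS["dob"]
    if a.zip5 == b.zip5:
        score += WEIGHTS["zip5"]
    return score


def effective_consent(statuses) -> str:
    """Most restrictive status wins: any opt-out blocks the whole linked identity,
    and an unknown anywhere keeps the identity short of a full opt-in."""
    statuses = list(statuses)
    if "opt-out" in statuses:
        return "opt-out"
    if statuses and all(s == "opt-in" for s in statuses):
        return "opt-in"
    return "unknown"


def link_records(records):
    """Greedy clustering: a record joins the first cluster containing a member
    it scores at or above THRESHOLD against. Each cluster keeps the per-source
    consent flags as well as the computed effective consent."""
    clusters = []
    for rec in records:
        for cluster in clusters:
            if any(match_score(rec, m) >= THRESHOLD for m in cluster["members"]):
                cluster["members"].append(rec)
                break
        else:
            clusters.append({"members": [rec]})
    for cluster in clusters:
        cluster["consent_by_source"] = {m.source: m.consent for m in cluster["members"]}
        cluster["consent"] = effective_consent(cluster["consent_by_source"].values())
    return clusters


# Constructed sample input (not real patients).
SAMPLE = [
    SourceRecord("clinic-a", "100", "José", "García", "1970-05-01", "02115", "opt-in"),
    SourceRecord("hospital-b", "77", "Jose", "Garcia", "1970-05-01", "02115", "opt-out"),
    SourceRecord("clinic-a", "101", "Jose", "Garcia", "1981-02-02", "02115", "opt-in"),
    SourceRecord("lab-c", "z9", "Maria", "Lopez", "1990-01-01", "10001", "unknown"),
]
```

Running `link_records(SAMPLE)` yields three linked identities: the two García records match on every field and, because one source recorded an opt-out, the linked identity is treated as opted out even though the other source has an opt-in on file; the 1981 record shares name and ZIP but not date of birth and stays separate.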
Policy Compliance
- Audits: Transactions must be logged and easy-to-use tools provided for access to this audit data (e.g., ad-hoc search capability or canned reporting for ‘break glass’ workflow).
Note: Solutions should provide auditing capabilities that support at least the IHE ATNA logging profile (adopted by ONC’s NHIN implementation).
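The audit requirement above is more tangible with an audit record and the two kinds of tooling it mentions (a canned break-glass report and an ad-hoc search) in code. The following is an added example written for this page, not code from an HIE product or the ATNA specification itself. The XML shape is a simplified version of the RFC 3881 / DICOM audit message that the IHE ATNA profile uses (EventIdentification, ActiveParticipant, AuditSourceIdentification, ParticipantObjectIdentification); the local event type code `BREAK-GLASS`, the user and patient identifiers, and the sample records are assumptions. A real deployment validates records against the ATNA schema and forwards them to the audit repository over the profile's syslog transport.

```python
"""ATNA-style audit record plus a break-glass report and an ad-hoc search.
Added illustration, not HIE product code. The element names follow the
RFC 3881 / DICOM audit message used by IHE ATNA in simplified form; the
'BREAK-GLASS' local code and all identifiers are assumptions."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def audit_record(user_id, role, patient_id, action_code, outcome=0,
                 break_glass=False, source_id="hie-gateway-1", when=None):
    """Build one audit message (as an XML string) for access to a patient record."""
    when = when or datetime.now(timezone.utc).isoformat()
    msg = ET.Element("AuditMessage")
    ev = ET.SubElement(msg, "EventIdentification", {
        "EventActionCode": action_code,            # C=create R=read U=update D=delete E=execute
        "EventDateTime": when,
        "EventOutcomeIndicator": str(outcome),     # 0 = success; non-zero = failure
    })
    ET.SubElement(ev, "EventID", {"csd-code": "110110", "codeSystemName": "DCM",
                                  "originalText": "Patient Record"})
    if break_glass:
        # Local (non-DICOM) event type code; an assumption for this example.
        ET.SubElement(ev, "EventTypeCode", {"csd-code": "BREAK-GLASS",
                                            "codeSystemName": "hie-local",
                                            "originalText": "Emergency access override"})
    ap = ET.SubElement(msg, "ActiveParticipant", {"UserID": user_id, "UserIsRequestor": "true"})
    ET.SubElement(ap, "RoleIDCode", {"csd-code": role, "codeSystemName": "hie-local",
                                     "originalText": role})
    ET.SubElement(msg, "AuditSourceIdentification", {"AuditSourceID": source_id})
    ET.SubElement(msg, "ParticipantObjectIdentification", {
        "ParticipantObjectID": patient_id,
        "ParticipantObjectTypeCode": "1",          # 1 = Person
        "ParticipantObjectTypeCodeRole": "1",      # 1 = Patient
    })
    return ET.tostring(msg, encoding="unicode")


def parse_record(xml_text):
    """Flatten one audit message into the fields the reports need."""
    root = ET.fromstring(xml_text)
    ev = root.find("EventIdentification")
    event_type = ev.find("EventTypeCode")
    return {
        "time": ev.get("EventDateTime"),
        "action": ev.get("EventActionCode"),
        "outcome": int(ev.get("EventOutcomeIndicator")),
        "user": root.find("ActiveParticipant").get("UserID"),
        "patient": root.find("ParticipantObjectIdentification").get("ParticipantObjectID"),
        "break_glass": event_type is not None and event_type.get("csd-code") == "BREAK-GLASS",
    }


def break_glass_report(records):
    """Canned report: (user, patient) -> timestamps of every break-glass access."""
    report = {}
    for rec in map(parse_record, records):
        if rec["break_glass"]:
            report.setdefault((rec["user"], rec["patient"]), []).append(rec["time"])
    return report


def search_by_user(records, user_id):
    """Ad-hoc search: every record for one user, oldest first."""
    hits = [r for r in map(parse_record, records) if r["user"] == user_id]
    return sorted(hits, key=lambda r: r["time"])


# Constructed sample audit trail (assumed identifiers, not real data).
SAMPLE_RECORDS = [
    audit_record("dr.smith", "physician", "MRN-1001", "R", when="2010-03-01T08:00:00+00:00"),
    audit_record("dr.jones", "physician", "MRN-2002", "R", break_glass=True,
                 when="2010-03-01T08:05:00+00:00"),
    audit_record("nurse.lee", "nurse", "MRN-3003", "R", outcome=4,
                 when="2010-03-01T08:30:00+00:00"),
    audit_record("dr.jones", "physician", "MRN-2002", "R", break_glass=True,
                 when="2010-03-01T09:10:00+00:00"),
]
```

Note that failed attempts (non-zero `EventOutcomeIndicator`) are logged alongside successful ones; a break-glass report that only shows successes misses the probing that usually precedes misuse.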
- Records Management: Any implementation must encrypt personally identifiable health information, back up data regularly, document a plan for business continuity, and practice recoverability in potential disaster scenarios.
Caution: Depending on the technical architecture implemented (e.g., centralized vs. distributed) the cost of protecting against loss of data will vary greatly.
Security can be an intimidating topic, but it doesn’t need to be overwhelming. When evaluating a solution, be sure to have all the aspects covered. If you need to hire an expert to advise you, don’t be shy about spending the money. The cost of getting it wrong, or ignoring it completely, could spell the end of your HIE aspirations.