What goes wrong when medical records are transferred

And how to fix it
By Scott Rea
09:12 AM

The massive data breaches that struck CareFirst Blue Cross and Blue Shield, Anthem and Premera over the past year have sounded an alarm among healthcare IT. And with hackers eager to steal valuable patient data, it’s time the healthcare sector act more aggressively to secure private data.

Consider that, according to research from Gartner, close to 40 million healthcare records have been breached to date. That number, Gartner’s research suggests, is a conservative estimate because it takes into account only breaches of at least 500 individuals at a time.

And the cost of a healthcare breach continues to climb, according to the Ponemon Institute, to about $363 per exposed personally identifiable record. That’s more than double the average cost of a data breach in other industries, and the trend holds across 11 industrialized nations. Our industry is a target, and we must do more now.

Securing patient data starts with encryption, but equally important is the use of strong identity authentication. Authentication guarantees that the sender and recipient of healthcare data are, in fact, who they claim to be.

To explain this, let’s imagine something as simple as a family practitioner referring a patient to a specialist. There are various formats in which data can be sent from one office to the other, and both the sending and receiving providers need to understand which ones are being used. The two primary ways are sending the records via Direct (Directed Exchange), or using the emerging FHIR (Fast Healthcare Interoperability Resources) platform.

The benefit of Direct is that it does not matter what formats are being used. The focus is on securing the transport method, irrespective of what the message content is. Essentially it’s a secured email solution for healthcare. As with email, the sender and the receiver each have a Direct Address (like an email address), which is where information is sent from or sent to, depending on which side of a transaction the account holder is on.

Digital certificates cryptographically bound to those addresses are used, along with the infrastructure of the Internet, to establish a secure channel between the two accounts. Any data can then flow over that secure channel without revealing its contents to anyone except the intended receiver, and with the guarantee that the contents cannot be modified or deleted without either party knowing.

For FHIR, the process of transferring EHRs is a little more involved, but as long as both parties know and agree on which FHIR profile is being used, securing that transaction generally happens in a consistent manner. FHIR typically relies upon TLS security — which has been used in e-commerce transactions for many years now — to identify and authorize the parties exchanging data, and to secure and protect the data as it moves from one to the other. TLS certificates cryptographically bind FHIR endpoints (either a service location, or an application requesting data for its user) to their respective Internet locations, allowing a secure channel to be established.

TLS security requires strong validation of the parties involved in the secure communication. Typically, credentials (digital certificates) that are validated only to the domain level do not provide strong enough assurance of the identity of the parties involved in the transaction. This is why the Extended Validation (EV) standard (think green bar in browsers) was established: to ensure that appropriate identity proofing is employed for e-commerce. The EV process requires someone to pass several checks by an outside party, proving both that they are who they say they are and that they are authorized to act on behalf of their company, before a certificate is issued. Healthcare needs at least EV security, and perhaps even stronger measures. We also need to insist on two-factor authentication as a default standard.
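The two certificate checks the previous paragraphs call for on the FHIR side, binding to the intended endpoint and EV rather than domain-only validation, together with a TLS 1.2 floor, as an added Go example that is not part of this article or of any FHIR implementation. The EV policy OID 2.23.140.1.1 (CA/Browser Forum) is not named on the page, and the hostnames and the self-signed certificate are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var evPolicyOID = asn1.ObjectIdentifier{2, 23, 140, 1, 1} // CA/Browser Forum EV policy OID (our addition)

// checkEndpointCert: the leaf must be bound to the host we meant to reach and carry an EV policy, not DV alone.
func checkEndpointCert(leaf *x509.Certificate, host string) error {
	if err := leaf.VerifyHostname(host); err != nil {
		return fmt.Errorf("certificate not bound to %s: %w", host, err)
	}
	for _, oid := range leaf.PolicyIdentifiers {
		if oid.Equal(evPolicyOID) {
			return nil
		}
	}
	return fmt.Errorf("certificate for %s is domain-validated only (no EV policy)", host)
}

// fhirClientTLS is the client-side config: TLS 1.2 or newer, trust limited to the given
// roots, and checkEndpointCert run on the leaf of the chain Go has already verified.
func fhirClientTLS(roots *x509.CertPool, host string) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots, ServerName: host,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			return checkEndpointCert(chains[0][0], host)
		}}
}

// selfSignedCert makes a throwaway certificate so the checks run offline (constructed sample data).
func selfSignedCert(host string, ev bool) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if ev { // certificatePolicies extension carrying the EV OID, marshaled by hand for portability
		val, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{evPolicyOID}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: val}}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
```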

Hackers know that they cannot break strong encryption, so instead they target HISPs (Health Information Service Providers) or FHIR implementers that use weak cryptographic implementations when transferring EHRs. Similarly, absent two-factor authentication, hackers using clever spear phishing schemes can trick providers into revealing their login credentials when they log on to their HISP or to a healthcare app that uses FHIR.

With the dizzying amount of patient info being exchanged over the Internet on a daily basis, we’re way past the point where you can simply hope that data is protected. It’s critically important that we truly understand how data is moved, and then act to protect it as best we can.