Addressing security challenges presented by HIEs

Panelists at the ONC Tech Forum on Monday advised mapping the functions of health information exchanges to "confidentiality, integrity and availability."
By Kat Jercich
11:48 AM

Health information exchanges can be a way for providers to access clinical information in efficient and, ideally, seamless ways.

But experts say they can also present security challenges.

"You should be constantly thinking about how to map what an HIE does, and what it is, to our security base: confidentiality, integrity and availability," said Jenn Behrens, chief information security officer at San Diego Health Connect.

Behrens was among several panelists who weighed in at the Office of the National Coordinator for Health IT's Tech Forum on Monday about best practices for HIE network management. 

Achieving that mapped triad requires an interplay of governance and security controls, said the panelists.

"If we do one without the other, the likelihood of success … is going to be minimized," said Behrens.

The governance domain involves contracts – including MSAs with security addendums and business associate agreements – internal and external risk management audits, and trust frameworks, including TEFCA. 

Security controls, Behrens explained, should include access control; network, mobile and asset, information, software development, operations and physical security; architecture; identity and access management; and incident response. 

"Business continuity, disaster recovery and incident response seem like no-brainers … but these are being increasingly tested as we're having smaller breaches affect more organizations," said Behrens.

When considering HIEs as security professionals, said Behrens, it's imperative to "think about a governance structure and a set of contractual obligations or a trust framework that has all participants in that HIE ecosystem working together, so they can enable and securely share those records throughout the system."

From a vendor's perspective, said Muhammad Chebli from NextGen Connect, it's not just about capturing a larger number of patients than one's competitor. Rather, he said, "it's about sharing that data and making it available to those providers who need it at the point of care."

"The end goal is to ensure people can access data at the time that it's most needed," he continued.

There are multiple security considerations that vendors must take into account, said Chebli. All vendors, he said, should satisfy standard expectations, including a well-architected framework that supports good outcomes and enables a continuous-software-delivery pipeline. 

"It's a layered security approach," he explained. "Like an onion that you peel back before you can access the key part – the item that you're securing."

This also includes reliability, efficiency and cost optimization.

Because of the nature of healthcare and interoperability requirements, he noted, it's not enough just to protect the data. Vendors must also be able to securely share it.

A continuing challenge involves patient matching, said the panelists. 

"I work with several HIEs," said Behrens. "All of them are looking for the silver bullet on patient matching."

Right now, the market is still developing, she explained, but HIEs that don't have an automated MPI solution "spend a lot of time on this problem."

"It's a very significant level of effort that all HIEs are exceptionally committed to … assuring that the patient information is accurately tied to the correct patient," said Behrens.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.
