With Health Information Exchange (HIE) expansion comes the prospect of creating security standards for protecting patient data as it is transported from one organization to the next. That responsibility isn’t going away anytime soon, but many organizations are beginning to concentrate on authenticating users to ensure patient confidentiality standards are met.
David Sheidlower, CISO of Health Quest Systems, is on the policy committee for the Statewide Health Information Network of New York (SHIN-NY) and considers data security a major focus among group members. Sheidlower said that HIE security is getting a tremendous amount of attention because, in part, it’s understood that HIE adoption depends on everyone (patients, payers and healthcare organizations) trusting that [patient information] is secure. It follows that an HIE which demonstrably has not taken security for granted earns better adoption. But today’s security issues aren’t the same as those that plagued HIE progress years ago.
Nance Shatzkin, CIO of the Bronx RHIO and President of Shatzkin Systems, can attest to this progression. Shatzkin Systems serves as a consultant to the Bronx RHIO, an HIE that opened in 2008. Shatzkin works to establish policies tied to technical standards and the consent and privacy issues that come along with those standards. She wrote the technology section of the first [Bronx RHIO] grant and spoke with HealthITSecurity.com about how many of the HIE security concerns are policy-based rather than technology-focused.
What are the major HIE security focuses at the moment?
I think that when we started the discussions about HIEs, the security issues were quite different from what they are today. The questions that people were worried about in the early days were “Where is my data going to be sitting?” and “Is my data going to be merged with other people’s data and will it be contained?” You’ll find that there were early HIEs that put the “edge server” inside the facility’s firewall and even if they were running distributed queries, they were going “out to” the inside of that firewall.
This was a requirement because they were so uptight about the data moving outside of the firewall and the data being merged with other people’s data. I don’t think that’s an issue that we spend a lot of time on anymore. Those issues are behind us. Today, there’s a comfort level with data moving, whether it’s through virtual private networks or with Web services and Security Assertion Markup Language (SAML) Certificates and other kinds of security mechanisms – although I’d say healthcare is just learning about SAML and related tools.
I think that now, people worry more about confidentiality breaches and less about the issue of where the data is sitting. We’re talking mainly about virtual servers and storage arrays so I think everyone has sort of moved on [from worrying about the technology side]. But at the same time, I think those concerns have been replaced with more apprehension about user authentication and patient confidentiality controls.
So the current security burdens are mainly related to policy and authentication?
I think that is largely true. It’s also true that from a technology point of view, people are more keenly aware of and more interested in things like second-factor authentication. Many HIEs are perfectly comfortable with the login and passwords [no second factor] they started with, but recognize there must be a move to greater access security. Many other people would want to move to a second factor anyway. New York state is going to require two-factor authentication. We’re on the road to it. I don’t know whether that’s been written into that particular policy yet, but I believe the New York eHealth Collaborative (NYeC) is working on how to offer it to people at a reasonable cost. I think it’s going to be a requirement in NY state for HIE. Whether everyone goes with an RSA-type token or people do other things that are equivalent, I think you’re going to see a lot of [two-factor] in 2013-2014.
Are biometrics a two-factor option in the short term?
Maybe – a lot of people are not so thrilled with RSA-type tokens. My biometrics experience is limited, but I know a clinic in the south Bronx, Urban Health Plan, that has used a retina scan for positive patient identification for years and they haven’t had any trouble with it. Cameras have dropped to around $100 apiece, so they’re not cost prohibitive. I’ve been trying to get people interested in it for accurate patient identification – which is just another aspect of data security, because there are a lot of problems with fingers and hands, such as sweat, disease and accuracy.
Shatzkin has a great deal of experience with HIE technology and makes strong points about how policy and authentication should be organizations’ focus when it comes to security. How different organizations meet their authentication goals, whether with biometrics or other types of tokens, will be an interesting trend to follow in 2013.