- During HIMSS19 in February, the Department of Health and Human Services’ Office of the National Coordinator released its long-awaited information blocking proposal. While many lauded ONC for its efforts to increase interoperability in the sector, there are elements that will need to be addressed by the agency for its final version to ensure the rule is effective and not burdensome.
As HHS continues its push for improved interoperability and regulations around info blocking, security should be a top priority. In early March, the College of Healthcare Information Management Executives sent recommendations to the Senate Committee on Health, Education, Labor, and Pensions that outlined the need for cybersecurity to be tied into government healthcare policies.
Especially as the industry moves toward greater data sharing and interoperability, healthcare organizations will need stringent privacy and security standards, CHIME President and CEO Russell Branzell and Board Chair Shafiq Rab wrote. The concerns are similar to those shared with HealthITSecurity.com by CynergisTek CEO Mac McMillan.
The health sector’s desire for more interoperability, open APIs, and data sharing is a natural, innovative goal, McMillan said. However, the industry currently lacks standards for the tech designed to fuel those processes, which only increases risk to data.
“We’re already seeing healthcare organization’s risk rising as a result of all of the service providers, organizations, applications, and individuals that now are connected to their networks,” McMillan said.
“Increasing interoperability, data sharing and use of commercial products through more APIs is just expanding the attack surface further without protective measures when there are no prescribed standards or security protocols that developers have to follow,” he added.
Unprotected APIs are a prime example of this risk, demonstrated by the elevation of insecure API risk to the Open Web Application Security Project's (OWASP) Top 10 vulnerabilities to web applications, McMillan explained.
“Unprotected APIs can leave databases open to malicious mining by hackers,” he said. “We need to make sure that the security protections and controls stay in step with the developments so that we don’t end up out over our skis. Everyone knows how that ends.”
“Increasing interoperability, data sharing and use of commercial products through more APIs is just expanding the attack surface further without protective measures.”
University of California researchers recently reported how HL7 standards, crucial to ONC’s info blocking rule, could open the healthcare infrastructure to cyberattacks due to the unsecure way the standards are frequently implemented.
“In the absence of encapsulating encryption and authentication, the protocol poses a prime target for attack,” the researchers wrote.
Securing Data Exchange
Before enacting the information blocking rule, ONC should first consider selecting or establishing a security controls framework for interoperability and data sharing processes that would support the trusted environments necessary “to build confidence in payers, providers, and patients,” McMillan said.
The specifications should address the need for acceptance within a trusted network, secure coding of APIs, and the minimum security requirements for connectivity or data sharing, among others, he explained.
“This new path of greater sharing requires an equally robust framework for security and better, more specific guidance for minimum standards that need to be met by developers and consumers for systems and software involved in data sharing,” said McMillan.
Patient identity management should also be addressed, as many hospitals have hundreds of patients with the exact same name and some of whom share other common data points, like birthdays, McMillan explained.
“Healthcare still suffers from several key information management maladies,” said McMillan. “The concept of a master patient index that is accurate is still a myth, making identification all the harder when we want instant access and greater sharing.”
Further, the sector will also face challenges in managing data restrictions, which are applied manually in different systems. McMillan added that the “automatic pushing of records or information will create steep challenges for hospitals unless artifact-based access is applied to the data itself and not just simple rule-based access to the patient.”
The information blocking rule discusses ways to apply the current HIPAA rule for breach handling and reporting, but McMillan explained that it “assumes much better control over releases of information with simple one-to-one relationships.”
McMillan added: “In this new environment, how far does the provider’s responsibility extend with respect to a breach? How will issues with data integrity and liability be handled in an extended scenario?”
Healthcare organizations have until early May to respond to the information blocking proposal, which will hopefully address some of these concerns. The EHR Association recently asked for an extension of the comment period to allow for adequate review of rule.