- The health security plan and privacy measures outlined in the Office of the National Coordinator (ONC) Interoperability Roadmap need further clarification, according to comments by the HIMSS EHR Association (EHRA) in a letter addressed to National Coordinator Karen DeSalvo, MD, MPH, MSc.
While the ONC draft did a good job in identifying necessary interoperability principles and a “careful and pragmatic approach” to emerging standards and technologies, some extra clarification is still needed.
“We need clarity on the scope of the privacy and security protections intended,” the EHRA letter writers explained. “The reference to ‘learning health system’ and introducing RESTful application programming interface (API) services imply a significant increase in the scope of the interoperability model to include a very broad spectrum of healthcare information systems, including consumer devices.”
Moreover, the privacy and security protections should apply to all system components involved in the interoperability use case – not only to the EHRs. The EHRA explained that the Roadmap should also clarify that the scope includes non-EHR system components.
The letter highlights the Roadmap discussion on patient identifying and matching. EHRs often have separate interoperability engines to communicate with other applications, the group explained. In that scenario, EHRA asked about the scope of the privacy and security rules. For example, would the certification process be limited to the interoperability engine or the electronic health record (EHR) and other systems communicating via the interoperability engine? This is why the Roadmap should apply privacy and security protections to all system components involved in the interoperability use case.
There must also be better training to ensure that the right privacy and security measures are being applied to keep health information secure, according to the EHRA.
“There is a strong need for training and education to be included in the Roadmap to change behavioral and cultural understanding of the relevance of cybersecurity risks,” the letter explained. “While industry can help promote some education, most of the burden is going to fall on the government.”
It will also be beneficial to understand how ONC envisions organizations exchanging information securely to encourage better cybersecurity. The EHRA says that it must be clear how the exchange occurs and what type of data (known threats, vulnerabilities, etc.) and listed several questions for ONC:
How would this be impacted by existing HIPAA business associate agreements?
Would this include application and/or system vulnerabilities?
Would there be a process and time period to allow a vendor or system owner to address discovered vulnerabilities without public disclosure?
Along similar lines, there must also be a uniform approach for cybersecurity enforcement. However, ONC must clarify if this will include measures such as unifying state regulations or improving the protections on patient/consumer devices.
The EHRA also spoke to data encryption, and explained that it is unnecessary to include an update for data “at rest” in the new Roadmap.
“The decision to encrypt data at rest should be based on threat analysis,” the letter explained. “It is important to differentiate between data at rest on mobile and removable devices (i.e., high risk) and data at rest in fixed secured facilities (i.e., lower risk). In each case, the value of encryption as a security control is limited to providing protection from direct media access but provides little or no protection from improperly accessed applications or hacked user accounts.”
The same suggestion applies to “in transit” data as well, as the EHRA stated that the current definition is sufficient. However, the organization added that any perceived gaps around data encryption for in transit data should be addressed to help further interoperability.
“The industry would benefit from any guidance ONC has to offer,” the EHRA explained. “However, encryption is one of many security controls available and any additional guidance would need to be holistic in its approach to addressing the larger issue of cybersecurity.”