What protections will secure exchanging of patient health data?

By Kyle Murphy, PhD

During the second phase of the EHR Incentive Programs, the Centers for Medicare & Medicaid Services (CMS) will require eligible professionals and hospitals to exchange protected health information (PHI) electronically along the continuum of care in order to achieve meaningful use. While moving these data between providers will improve the quality of care for patients, it will also raise concerns about the security of this information. “It’s the first time that the data is really leaving that patient portal or EHR and it has to be done with the method that’s been outlined by the Direct Project,” notes Bob Janacek, Founder and CTO of DataMotion.

To ease concerns over sending sensitive information over the wire, the Office of the National Coordinator for Health Information Technology (ONC) has spearheaded the Direct Project, which has worked with industry and subject-matter experts to promote standards for pushing health information securely from one provider to the next.

Direct employs secure/multipurpose internet mail extensions (S/MIME) and public-key infrastructure (PKI) managed by health information service providers (HISPs) to protect PHI from unauthorized access. As Janacek explains more simply, “You can establish a chain of trust and a chain of custody as that protected health information leaves a standalone system and crosses the internet to another system or whatever the other side is using.”

While health IT vendors have included secure messaging as a feature of many of their offerings (e.g., EHR systems, patient portals), they have largely dealt with information staying within a single ecosystem. The upcoming burden on participants in Stage 2 Meaningful Use, however, dramatically changes that. And the requirements for this next stage will include not just messages but also documents and images.

Going forward, the challenge for system integrators and EHR developers is to balance security and ease of use for their providers. “In healthcare, it’s incredibly important to have that security but at the same time it has to be easy to use,” observes Bill Lynch, Vice President of IGI Health, a healthcare solutions provider. “What we’re seeing in this space is organizations that can move very quickly, obviously are cost-effective, and can deliver solutions that allow their clients to implement these new advanced workflows — we think those are going to be the winners.”

Seeking to strike a balance between security and ease of use, developers are engineering light application programming interfaces (APIs), such as the recently launched DataMotion Direct, which secure many different platforms beneath the presentation layer (what the user sees). “From a partner perspective, we have developed many APIs that can hook this secure messaging transparently with the applications that their customers are using,” continues Janacek. “A lot of times they don’t want to jump out of an environment and use secure messaging. They just want that environment to send a secure message.”

Clinicians and hospitals preparing for the next stage of meaningful use have roughly a year not only to get comfortable with exchange but also to implement add-ons to their systems that will enable this functionality. The shift toward moving PHI outside of a secure system over the wire to another system means that those responsible for safeguarding these data must understand the risks involved and the measures that must be taken to mitigate them.

