Spring 2024 Issue
Data Security: Safeguards to Consider in the Era of Interoperability
By Bart Howe
For The Record
Vol. 36 No. 2 P. 28
A patient’s health care record, and access to it, is extremely valuable. Consider the following statistics:
• Medical records are up to 50 times more valuable than stolen credit cards on the black market.1
• The health care industry is a target for cyberattacks at a rate 100% to 200% more than that of any other industry.1
• 95% of all identify theft comes from stolen health care records.2
We’re all trusted stewards of patient health care data, and based on these stats, that burden is getting very heavy.
At the same time, the interconnected health care ecosystem we’ve talked about for years is finally starting to make some real progress, thanks to regulatory initiatives from the Office of the National Coordinator for Health Information Technology. Interoperability has always been the future, but that future is now. So how do we keep health care data safe as we are increasingly automating access to it? Unfortunately, there’s no silver bullet here, but read on for some perspective and suggestions that can help you move in the right direction.
The Interoperability Landscape
Regulatory initiatives like the CMS Interoperability and Patient Access Rule and the Trusted Exchange Framework and Common Agreement (TEFCA) are driving increased action in the interoperability space. While the regulatory landscape is vast and beyond the scope of this article, some basic information about TEFCA is necessary. TEFCA is the result of the 21st Century Cures Act, which required the Office of the National Coordinator for Health Information Technology to build a national pathway for interoperability. TEFCA is the foundation of a national interoperability solution for patient data access, and will establish a common language, a set of common terms, and principles to support the development of data exchange.
While it’s too early to tell if TEFCA will be the true interoperability foundation it promises, the reason it’s an important part of this conversation is that it marks the next step in the interoperability journey from promise to reality. TEFCA entered the critical pilot phase late last year, and that pilot continues to expand. Alongside TEFCA, other networks like Carequality are gaining a lot of steam. The result? More patient data is actively being exchanged through automation each and every day.
Balancing Access and Security
So how do we go about protecting these vulnerable, valuable health care records speeding across the pipes laid for interoperability? It has to be a balance between access and privacy. Faster access to health care data is incredibly valuable, but automated access must come with the appropriate privacy protections.
Interoperability needs safeguards as data automation increases. One of the reasons those stats at the beginning of this article are so unnerving is that cyber criminals continue to get better at “beating the system” as automation increases.3 Just recently, a cybersecurity attack at a large health care IT provider halted pharmacy activity at hospitals across the country for an extended period of time. It’s a scary example demonstrating that no one is immune from these increasingly sophisticated attacks.
Think about automated access like a physical building—even if you’re automating access through badges, you still want to know when people badge in and out and what they take with them when they leave—snacks? office supplies? hard drives? Is it a big deal if someone grabs a granola bar and walks out? No. Is it a big deal if they walk out with a hard drive with all your intellectual property on it? Yes. Just as with a physical building, once the doors are open to your EMR, there are a lot of different elements that can be accessed, and it’s important to understand what they are and who has access to what.
So What’s a Diligent Organization to Do?
Start by gaining a clear understanding of how much access is available through each of your automated connections and keep in mind that the answer could be broader than the use case. For example, if you have an application programming interface (API) use case that allows access to certain billing information, is that billing information the only thing that’s accessible through the API or could more data be accessible? Even if additional access is inadvertent and not exploited for nefarious purposes, the point is that as a steward of your patients’ protected health information, it’s important to understand the depth of access to patient data across these different digital connections.
Once you understand what data is accessible through which connections, the next step is to think through the right safeguards for that data. This is where we get into the flip side of the access coin—privacy. API, and FHIR connections may seem safe because they’re between you and another trusted vendor like an EMR or a payer. And while that’s true on some level, there are two key data security implications here. The first is that any type of access point increases the potential for cyberattacks—there’s just no way around it. And the second is that even with a trusted party, you still have a responsibility to ensure that they are only accessing the amount and type of patient data they have the right to access.
Here are a few questions to consider as you start to think through access vs privacy:
• What security measures do you and your vendors have in place to keep bad actors away from your data? (Think SOC 2 compliance and cybersecurity protections.)
• What data is accessible through this particular connection? Could the connection provide access to more data than you’re comfortable sharing with that particular party?
• Are there quality control safeguards in place to ensure the final output of the data meets the desired use case? For example, in the release of information context, there are so many nuances to what is actually released based on each individual request. Make sure that automation isn’t pulling an entire record and sharing it when only a portion of the record has been authorized for release.
Interoperability has the potential to empower patients and providers with critical information in seconds vs days, weeks, or even months. It’s exciting to see secure data sharing initiatives gaining steam, with critical information being shared more broadly across the health care ecosystem. But interoperability cannot be a “set it and forget it” mindset. It needs to be managed carefully. Make sure that as you increase access points, you have a plan for keeping your patient data secure.
— Bart Howe is the CEO of HealthMark Group, a leader in digital health information management based in Dallas. In that role, he leads a team focused on developing patient-centric technology solutions that streamline the flow of health care data to promote information accessibility and workflow optimization without sacrificing privacy or security. He’s also president of the Association for Health Information Outsourcing Services. Howe was executive vice president of business development and corporate strategy at Caris Life Sciences, a pioneering leader in precision medicine, biotechnology, and molecular diagnostics, where he led global business development, corporate strategy, international distribution, marketing, and biopharma services. His entrepreneurial experience includes cofounding Ubiquitous Energy, Inc, a venture-backed solar energy technology company. He began his career in finance as an analyst at JPMorgan Chase. Howe holds a BBA in finance from Texas A&M University and a master’s degree in business administration from Harvard Business School.
References
1. Health and Human Services. Medical practitioners: cyber care is patient care. https://405d.hhs.gov/Documents/405d-medical-practitioner-cyber-hygiene-2.pdf
2. Onclave Networks. Largest healthcare data breaches reported in February 2022 confirms need for network security based on zero trust microsegmentation. GlobeNewswire website. https://www.globenewswire.com/en/news-release/2022/03/31/2413675/0/en/Largest-Healthcare-Data-Breaches-Reported-in-February-2022-Confirms-Need-for-Network-Security-Based-on-Zero-Trust-Microsegmentation.html. Published March 31, 2022.
3. Alder S. January 2024 healthcare data breach report. The HIPAA Journal website. https://www.hipaajournal.com/january-2024-healthcare-data-breach-report/. Published February 21, 2024.