HIE Insecurity and What One HIE Decided to Do About It


Exchanging patient data securely takes planning and effort.

I don’t envy the healthcare industry. On one hand, Meaningful Use wants providers to increase the flow of records; on the other, HIPAA wants them to keep those records from being compromised. That’s a lot to have on your plate.

The quick, easy, and digital exchange of patient data has rocketed the healthcare industry light-years into the future. Health Information Exchanges (HIEs), for example, allow healthcare providers within a geographic area to contribute and access electronic patient data, usually to and from a centrally managed data repository.

I’m sure you can see how this would increase quality through all stages of the healthcare process. Now, all providers are linked together and can see, share, and provide additional data to a patient’s clinical context, potentially improving the timeliness and accuracy of care decisions and avoiding duplicate procedures.

BUT, exchanging patient data in a secure fashion is more difficult than it seems.

Perhaps that is why The Ponemon Institute reported that 72% of providers aren’t confident in the security and privacy of patient data shared via HIEs.


HIE member security

Let’s discuss HIE members. HIEs can connect tens of thousands of healthcare providers. But if members do not have adequate security controls in place and one of them is breached, the connection that links every provider to the HIE could become an attacker’s path to your patient data.

Data exchange also carries legal liability. If an HIE member is breached, fellow HIE members can bring a civil lawsuit against it.


Some HIEs work hard to reinforce their systems against hackers, apply security best practices, and encourage each member’s individual data protections. Here’s a great example of one of them.

The Utah Health Information Network (UHIN) wanted to go further than just passing their OCR pilot audit with flying colors. To do that, they needed to get their members on board. They created a customized, already-paid-for member program that includes security consulting, a self-assessed risk analysis, external network vulnerability scans, and a breach protection checklist.

They also do a wonderful job of monitoring which clinical data is being viewed, and who is viewing it, so that abnormal behavior (such as an attacker attempting to gain access, or a legitimate account suddenly pulling far more records than its role warrants) can be caught and the activity blocked.
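The kind of access monitoring described above, as an added example that is not UHIN’s system or SecurityMetrics’ code: a small detector run over constructed audit-log lines. It flags two patterns a practitioner would look for first, a user viewing an unusual number of distinct patients in a short window (bulk pulls, a common sign of a compromised account), and a role viewing records outside its normal working hours. The log format, the field names, the thresholds and the per-role hours are all assumptions made for this illustration.

```python
"""Access-pattern anomaly detection over HIE audit-log records.

Added example, not code from UHIN or SecurityMetrics. The log format,
field names, thresholds and ROLE_HOURS are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 300   # sliding window for the bulk-access rule (assumed)
BULK_THRESHOLD = 5     # distinct patients per window above which we alert (assumed)
# Permitted hours per role as [start, end) in UTC; roles not listed are
# unrestricted. Assumed values for illustration only.
ROLE_HOURS = {"billing": (7, 19), "nurse": (6, 22)}

# Constructed sample audit log: one record per clinical-record view.
# Fields: timestamp, user id, role, patient id. One deliberately
# malformed line is included to show that the parser skips it.
SAMPLE_LOG = """\
2023-03-01T05:30:00Z nurse.kim nurse P1001
2023-03-01T09:02:11Z dr.ortiz physician P1001
2023-03-01T09:15:40Z dr.ortiz physician P1002
2023-03-01T10:30:05Z nurse.kim nurse P1001
2023-03-01T11:47:22Z dr.ortiz physician P1003
garbage line without the expected fields
2023-03-01T23:58:03Z billing.lee billing P1001
2023-03-01T23:58:09Z billing.lee billing P1002
2023-03-01T23:58:15Z billing.lee billing P1003
2023-03-01T23:58:21Z billing.lee billing P1004
2023-03-01T23:58:27Z billing.lee billing P1005
2023-03-01T23:58:33Z billing.lee billing P1006
"""


def parse_log(text):
    """Parse log text into (timestamp, user, role, patient) tuples, sorted by time.

    Malformed lines are skipped rather than crashing the detector, because an
    attacker who can corrupt one line should not be able to blind monitoring.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, role, patient = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        records.append((when, user, role, patient))
    records.sort(key=lambda r: r[0])
    return records


def detect_bulk_access(records):
    """Alert once per user who views more than BULK_THRESHOLD distinct patients
    within any WINDOW_SECONDS sliding window."""
    alerts = []
    windows = defaultdict(deque)   # user -> deque of (time, patient) in the window
    flagged = set()
    for when, user, _role, patient in records:
        q = windows[user]
        q.append((when, patient))
        # Drop entries that have aged out of the window (current entry keeps q non-empty).
        while (when - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > BULK_THRESHOLD and user not in flagged:
            alerts.append(("bulk_access", user, when, len(distinct)))
            flagged.add(user)
    return alerts


def detect_off_hours(records):
    """Alert on every record view that falls outside the role's permitted hours."""
    alerts = []
    for when, user, role, patient in records:
        hours = ROLE_HOURS.get(role)
        if hours and not (hours[0] <= when.hour < hours[1]):
            alerts.append(("off_hours", user, when, patient))
    return alerts


def detect(text):
    """Run both rules over raw log text and return the combined alert list."""
    records = parse_log(text)
    return detect_bulk_access(records) + detect_off_hours(records)


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In production the thresholds would come from a per-user or per-role baseline rather than fixed constants, and an alert would feed a block or step-up-authentication action rather than a print; the rules themselves, rate of distinct patients and role-appropriate hours, are the part that transfers.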

This is a great example of an HIE protecting and bringing their members to the next level of security.

Our advice for HIE members about HIE insecurity

For those who truly wish to avoid a devastating data breach, ensure your HIE partner has the expertise, resources, and implemented safeguards to secure your patient data, no matter who it is exchanged with.

If you’re not sure what your HIE should be doing, have a look at ONC’s health IT security resources. They discuss security from the standpoint of an EHR user, but some of the same best practices should be followed by HIEs – such as encrypting all data maintained by the HIE, safeguarding its computer network with a firewall, and protecting its employee workstations with passwords and anti-virus software.

Find out what your HIE is doing for security. Challenge them on it. If you’re not satisfied, it’s time to go shopping.
