Strong authentication, encryption, log auditing key to keeping electronic healthcare information safe

Healthcare breaches rose dramatically this year, while new data shows securing patient data is a low priority at most healthcare organizations -- all amid the backdrop of the industry's adoption of electronic medical records (EMRs).

Meanwhile, the White House-appointed President's Council of Advisors on Science and Technology (PCAST), which includes experts from academia, nongovernmental organizations, and industry, published a report late last week that calls for the federal government to set up a universal standard of sorts for the secure electronic exchange of health information among various hospitals and institutions, as well as ways to fund the development of healthcare information exchanges.

Among the key concerns in the healthcare industry's transition to EMRs is the security of so-called healthcare exchanges -- networks that serve as the vehicle whereby doctors, labs, insurance companies, and other related parties share patient information electronically.

Steve Archer, head of Verizon's Innovation Incubation Group, says he thinks the movement to electronic health records ultimately will improve the security and privacy of patient data. "It has to get better when you look at the whole ecosystem of healthcare," Archer says. But with all of the parties coming online, including major physician groups, healthcare organizations, and even small doctors' offices, there are bound to be some weak links initially, he notes.

The bottom line is healthcare providers gather more than just medical records. "They are collecting personal, medical, and financial information," he says. "They've got all of this coming together, so there's a rich opportunity for bad people to do malicious things with it. So security has to be made stronger and tighter."

Rick Kam, president of ID Experts -- which commissioned a recent Ponemon Institute study on healthcare security that found the healthcare industry is now suffering breaches to the tune of $6 billion per year, yet 70 percent of healthcare organizations say securing patient data isn't a priority -- says healthcare exchanges as well as small to midsize healthcare practitioners are the biggest security risk in EMRs.

Verizon, meanwhile, is offering the 2.3 million healthcare provider members of its own Medical Data Exchange free multifactor, strong authentication. "Stronger identities is one of the big" requirements for making healthcare exchanges more secure for patient information-sharing, Verizon's Archer says.

The White House's new "Realizing the Full Potential of Health Information Technology to Improve Healthcare for Americans: The Path Forward" recommendations are an important step toward helping make the move to EMRs more secure than the status quo, according to Archer.

"In order for electronic sharing of health information, you've got to have standards people are going to follow," he says. And requiring stronger authentication, encryption, and auditing of logs is also a big piece of the security and privacy puzzle here, he notes.

"It all comes down to nonrepudiation -- audit logs, digital signatures, [and] the ability to see, manage, and maintain with a higher level of confidence of who is looking and where the information is being passed," he says.

The PCAST report (PDF) says the best way to manage and store healthcare data is to break it down into small, individual pieces that can then be exchanged or aggregated using data tagging and metatag data. The report points to XML as a potential universal exchange language. Tagging data would also provide better privacy and security, according to the report. There would be no centralized federal database of patient health information, either.

Meanwhile, the recent Ponemon Institute report found that 40 percent of healthcare organizations learned they had been hit by a data breach after a patient complaint, and 63 percent of healthcare organizations took one to six months to resolve a breach. Overall, 56 percent have either fully deployed or are in the process of deploying an EMR system, and 74 percent of those that have them say it better secures patient data.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading
