October is Cybersecurity Awareness Month, follow the conversation and do your part #BeCyberSmart.
Follow us this month as we engage our health IT community in cybersecurity awareness.
This is week 4 and the theme is Cybersecurity First. We have engaged EHNAC to share insights on this week’s theme.
By Lee Barrett, Executive Director and CEO, EHNAC
Twitter: @EHNAC
National Cybersecurity Awareness Month (NCSAM) continues to raise awareness about the importance of cybersecurity across our Nation. This is critical for the healthcare industry as organizations look to develop and maintain a high level of stakeholder trust when it comes to privacy and security.
Trust is a core component that must be met in order for the healthcare industry to safely, securely, and efficiently move sensitive data across the healthcare continuum in an interoperable manner. Interoperability rules set forth by the Office of the National Coordinator for Health Information Technology (ONC) that are part of the 21st Century Cures Act, center on information blocking and patient data. As a result, patients are increasingly able to view their health information using a FHIR app of their choice. Also, with the advent of new technologies, increased awareness, and better interoperability, the explosion in the use of these Client Apps is expected to continue.
Healthcare data has always been “prized” by cybercriminals because of the range of demographic and personally identifiable information that patient health records contain. In fact, the “black market” value of healthcare data has reached $800-$1000 as opposed to $1 for an individual’s social security or credit card record being compromised. Records often include Social Security numbers and birthdates, along with addresses and other contact information, which makes it easy to apply for credit or open fraudulent accounts, get their hands on pharmaceutical drugs and opioids, durable medical equipment, and submit fraudulent claims, etc.
Mobile health apps are particularly vulnerable, a study indicates. Among the top 30 mobile health apps, 100% were vulnerable to broken object level authorization (BOLA) attacks, which occur when an app doesn’t adequately authenticate a user but allows access to information.
Certification/Accreditation programs hold the key to safeguarding patient data
Given the mandates set forth so that healthcare data can easily be easily shared among stakeholders, healthcare organizations need a higher level of authentication security, which is where certification/accreditation programs can help.
Two nonprofit standards organizations have teamed up to offer the Trusted Dynamic Registration & Authentication Accreditation Program (TDRAAP), which supports the interoperability requirements within the Office of the National Coordinator’s (ONC’s) 21st Century Cures Act Final Rule and related CMS Interoperability and Patient Access Final Rule.
Developed jointly by the Electronic Healthcare Network Accreditation Commission (EHNAC) and UDAP.org, TDRAAP is designed to help healthcare organizations, technology vendors and application developers demonstrate their ability to use trusted digital certificates for endpoint identity, registration, authentication and attribute discovery for electronic healthcare transactions in real-time.
The program’s industry Glide Path roadmap offers a consistent methodology to be followed by healthcare stakeholders and actors during the collective move from basic OAuth 2.0 use to a more scalable and efficient framework providing advanced security and scalability through reusable client application, server, identity provider and end-user credentials.
Conclusion
It is expected that the HL7 FHIR standard will become core to the future of the interoperable healthcare ecosystem as there are many critical industry initiatives underway that demonstrate its adoption. And with the ONC expected to release the FHIR Roadmap in the near future for implementation in 2022, becoming accredited with TDRAAP will set the stage for the healthcare ecosystem compliance success.
Cyber criminals will continue to target the healthcare industry for the vast amounts of sensitive patient information that passes through their IT systems every second of every day and their value to them. That’s why healthcare organizations, app developers, and other stakeholders who interact with healthcare IT systems must protect themselves against these threats to the greatest degree possible while assuring their contingency plans are in place to mitigate their risk and impact. Certification/accreditation programs like TDRAAP can help protect more healthcare data at a time when the healthcare industry needs it now more than ever.