Increasing reports of cyber theft of patient information via hacking—most recently of UCLA Health System, EHR vendor Medical Informatics Engineering and its patient portal NoMoreClipboard, and, earlier, of Anthem and Premera—suggest these data breaches will continue as criminals increasingly seek out medical data because the data contain links to financial and insurance information. According to DirectTrust President and CEO David C. Kibbe, MD MBA, “The reason healthcare data are so vulnerable is, in a word, neglect. Despite the rich trove of data it stores, the healthcare industry has not taken security as seriously as other sectors of the economy, where privacy breaches have occurred for several years and systems have been hardened to protect against intruders.” DirectTrust is a health care industry alliance created by and for participants in the Direct exchange network used for secure, interoperable exchange of health information.
“Ironically, the push to make healthcare information systems more interoperable, and the rush into mobile and wearable healthcare applications may be increasing the vulnerability of health information to hacking events,” Dr. Kibbe continued. “Fortunately, there are a number of things that can be done to improve security and better protect the privacy of healthcare information transferred by and stored in the health information technology (HIT) systems used by healthcare providers across the spectrum.”
Following are Dr. Kibbe’s suggestions for improving privacy and security protections for electronic health information exchange (HIE):
- Use multi-factor authentication (MFA). This is the single most important step healthcare IT professionals and their organizations can take to decrease the threat of hackers gaining access to sensitive health information. MFA replaces reliance on the eminently “hackable,” single ID and password, providing stronger, more secure ways to prove someone is really authorized for such access.
- Encrypt data both in transit and when stored. Data encrypted at rest does not guarantee it remains encrypted as it traverses a network. Both types of encryption are necessary to prevent hackers from accessing “over the wire” encrypted content that fails to remain encrypted once it’s reached its destination. Both types of encryption safeguards must be used in tandem; they are not automatic.
- Training, training and more training. Security experts agree: strong security is more about people than it is about technology. Communicating and training users on data security policies and practices need to be constant and done with vigilance for users to spot and avoid the ever-new techniques hackers employ to trick them into unwitting participation in a hacker scheme. Employees who don’t know how hackers and their schemes work are the ones most likely to be taken in by a hack.
“Electronic health information exchange provides healthcare providers with numerous benefits, primarily due to the increased efficiencies it affords. To avoid the risks—and potential hardship to users—healthcare providers need to become as familiar with standard security improvements and privacy protections as their counterparts in other industries have. Instituting these three actions alone goes a long way toward improving the security and privacy protection of electronic healthcare data,” Dr. Kibbe concluded.
DirectTrust is a three-year-old, non-profit, competitively neutral, self-regulatory entity created by and for participants in the Direct community, including Health Internet Service Providers (HISPs), Certificate Authorities (CAs), and Registration Authorities (RAs), doctors, patients and vendors, and supports both provider-to-provider and patient-to-provider Direct exchange. DirectTrust recently received a Cooperative Agreement Award from ONC as part of the Exemplar HIE Governance Program. DirectTrust serves as a forum and governance body for persons and entities engaged in Directed exchange of electronic health information as part of the Nationwide Health Information Network (NwHIN). DirectTrust’s Security and Trust Framework is the basis for the voluntary accreditation of service providers implementing Directed health information exchange.
The goal of DirectTrust.org is to develop, promote and, as necessary, help enforce the rules and best practices necessary to maintain security and trust within the Direct community, consistent with the HITECH Act and the governance rules for the NwHIN established by ONC. DirectTrust.org is committed to fostering widespread public confidence in the Direct exchange of health information. To learn more, visit www.directtrust.org.