September 27, 2019

Toby Gouker • VP and CISO

Interoperability, meet Security

Among its many benefits, interoperability provides a more cohesive view of patient data that can improve the quality and value of care. When healthcare data can flow between providers and be presented in a consistent format, clinicians can access patient information more quickly, use it to inform their diagnosis, and provide the best possible care in a timely fashion. Unfortunately, when healthcare data flows freely, malicious activity can flow just as freely. Breaking down communication barriers can also break down many of the defense-in-depth practices that cybersecurity professionals rely on to protect the confidentiality, integrity and availability of patient care information.

Healthcare stakeholders are continuously adding new technologies to support their interoperability objectives. Unfortunately, the rush to complete new integrations or build new apps can leave gaps at application interfaces and introduce system vulnerabilities. With regard to medical devices in particular, the FDA recently released a position statement: “Including an electronic data interface on a medical device may have an impact on the security and other risk management considerations for the medical device, the network, and other interfaced devices.” The FDA also wrote that “analysis of risks due to both the intended and unintended access of the medical device through the interface should be considered.” CHIME has also weighed in on the cybersecurity implications of interoperability. “As we increase interoperability, additional threats to data integrity will arise,” CHIME President and CEO Russell Branzell and Board Chair Shafiq Rab told the HELP committee. “Without proper safeguards, the safe and secure transmission of sensitive data will continue to be a challenge and will hinder efforts to care outcomes.”

For organizations investing in and enabling interoperability initiatives, First recommends that a number of items be taken into consideration. Interoperability affects infrastructure, access and communication flows across a healthcare enterprise. Embedding security and privacy requirements into every layer of that infrastructure is critical to preserving the defense-in-depth principles on which enterprise cybersecurity depends. This includes mechanisms to validate the practices and standards of the third-party apps and APIs that enable more flexible data sharing.

Beyond ensuring a sound infrastructure, First recommends that healthcare systems include a mechanism for providers to verify that every request for information is authorized, and that each entity with access to an individual’s data be responsible for securing and using that data appropriately. In addition, a clinical owner should be identified for every data repository, so that cybersecurity personnel have a partner in deciding how that data is handled.

Since interoperability is all about data in motion, First recommends that extra attention be given to the transmission of healthcare data. More than any other category of data, healthcare data must reach the correct destination every time, arrive complete, and be protected end to end. By design, interoperability system components must communicate with each other securely. First recommends working with all service providers and vendors to agree on standard, encrypted and authenticated exchange mechanisms (for example HTTPS for API traffic, LDAP over TLS for directory lookups, and SAML for federated authentication); without that agreement, each integration ends up with its own ad hoc channel, and those channels are where exploitable gaps appear.
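To make the three transmission requirements above (correct destination, complete, secure) concrete, here is an added example written for this post; it is not code from First or from any interoperability standard. It assumes a Python client sending a FHIR-style record, rejects any endpoint that is not HTTPS, builds a TLS context that verifies certificates and hostnames and refuses anything below TLS 1.2 (the corrected counterpart of the `verify=False` shortcut that shows up in rushed integrations), and wraps each record in an HMAC-SHA256 envelope so that truncation or alteration in transit is detected. The shared key and the sample record are constructed for illustration; the HMAC envelope is one integrity technique, not a required part of HTTPS or SAML.

```python
"""Added example, not code from the original post or from First: three checks
that give the 'correct location, complete, secure' requirements concrete form."""
import hashlib
import hmac
import json
import ssl
from typing import Optional
from urllib.parse import urlparse

# Constructed shared secret for the integrity tag. A real deployment pulls
# this from a key management service; it is never a literal in source.
SHARED_KEY = b"example-shared-key-do-not-use-in-production"


def endpoint_is_acceptable(url: str) -> bool:
    """Correct location: only an https URL with a hostname may receive PHI.
    Plain http, other schemes and scheme-less strings are refused before
    any data leaves the process."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.hostname)


def strict_tls_context() -> ssl.SSLContext:
    """Secure transport: verify the server certificate against the system
    trust store, check the hostname, and refuse anything below TLS 1.2.
    This is the corrected counterpart of the weak settings seen in rushed
    integrations (verify=False, ssl._create_unverified_context())."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_tls_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings a reviewer would check on a client context."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def seal(payload: dict, key: bytes = SHARED_KEY) -> dict:
    """Complete: wrap a payload with an HMAC-SHA256 tag over its canonical
    JSON form so truncation or alteration in transit is detectable."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(envelope: dict, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Return the payload only if the tag verifies; otherwise None.
    The compare is constant-time, and the body is not parsed until then."""
    body = envelope.get("body", "")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("tag", "")):
        return None
    return json.loads(body)


if __name__ == "__main__":
    # Constructed sample record; not real patient data.
    record = {"resourceType": "Patient", "id": "example-1", "active": True}
    for url in ("https://fhir.example.org/Patient/example-1",
                "http://fhir.example.org/Patient/example-1"):
        print(f"{url}: {'ok' if endpoint_is_acceptable(url) else 'refused'}")
    print(describe_tls_context(strict_tls_context()))
    env = seal(record)
    print("intact record accepted:", unseal(env) == record)
    truncated = {"body": env["body"][:-10], "tag": env["tag"]}
    print("truncated record accepted:", unseal(truncated) is not None)
```

In practice the endpoint check and the TLS context belong in one shared HTTP client that every integration reuses, so a new app cannot quietly downgrade to plaintext; the envelope check belongs on the receiving side, where a failed tag should be logged and the record discarded rather than partially processed.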

More on information blocking and privacy (consent) in the next post as First anticipates news on the interoperability final rule and these key issues in the near future.