Data security remains a challenge as interoperability moves closer to reality | Lee Barrett

True interoperability of patient data has been a goal for decades. But any enthusiasm must be tempered by the security and privacy issues healthcare companies continue to experience.

The promise of open and transparent medical information has moved closer to reality now that the Trusted Exchange Framework and Common Agreement (TEFCA) has come into effect.

Launched in January 2022, TEFCA outlines a common set of principles, terms, and conditions to support nationwide exchange of electronic health information (EHI) across disparate health information networks and platforms. The Office of the National Coordinator (ONC), under the U.S. Department of Health and Human Services, expects initial testing for the first new networks sometime this year.

Patients with more than one medical provider know firsthand the frustration of compiling health information.

Physician A’s practice management system won’t talk to Physician B’s chosen electronic health record (EHR) or practice management technology, much less the imaging center, lab, surgery center, or hospital. Obtaining medical records requires phone calls, fax machines, and patience, and it often takes days or weeks for a patient to acquire the needed records.

TEFCA’s goal is to make patient data accessible, creating a common framework for immediate information sharing. The challenge, however, is how to maintain and assure data privacy and security across so many more application programming interfaces (APIs) and connections between data networks.

Accreditation and certification programs that promote standards, best practices, administrative simplification, open competition and protection of information exchange can help keep information safe and users confident in data-sharing networks.

The key is to assure stakeholder trust.

Promise of TEFCA

True interoperability of patient data has been a goal for decades. Patient portals, personal health passports, in case of emergency (ICE) smartphone apps, and other technologies were held up as examples of how healthcare data was becoming more transparent.

However, anyone who has had to access multiple patient portals or attempted to get a medical record knows that significant obstacles remain.

Achieving broad adoption of interoperability undoubtedly will save lives. Consider an unconscious patient admitted to an emergency department (ED) today while on vacation away from local providers and facilities.

Without access to a complete health record, the attending physician is left in the dark about potentially critical allergies, comorbidities, and medications; that gap can slow care delivery or lead to possibly fatal drug interactions. One wrong move could prove fatal, yet the patient needs immediate attention.

Take the same unconscious patient following the interoperability rollout. By entering the patient’s driver’s license number or other patient identifier into the electronic health record system, the physician can access data from other health information networks that share common functional and technical requirements for exchange, regardless of location. A complete patient data record is readily available in seconds for the attending physician, and treatment can start immediately. Morbidity can be significantly reduced.

As interoperability matures, it’s possible that using blockchain technology would open health networks even further.

An example of a blockchain use case would be a cancer patient who is eligible for an experimental treatment that requires signoff by the patient, multiple providers, and the insurance company. Instead of contacting each entity individually to gain approval and a written signature, a process that could take a month or more, a secure blockchain request could be electronically sent to all coordinating providers and the insurance company, which could digitally and securely sign in a day or two. This leads to a dramatic reduction in approval time and patient frustration as treatment can begin that much faster.

Data breaches continue upward trajectory

Any enthusiasm around TEFCA and interoperability must be tempered by the security and privacy issues healthcare companies continue to experience around protecting data networks.

Healthcare data is under intense assault from bad actors, both domestic and foreign. According to the Office for Civil Rights’ Breach Portal, the so-called HIPAA “wall of shame,” 530 healthcare organizations experienced a breach in excess of 500 records in 2021, a year in which nearly 42 million patient records were compromised.

An overwhelming majority of incidents occur through hacking or some other type of malicious intent, which means the weakest link in any healthcare data transmission chain is the likeliest for exploitation. Year over year, healthcare ranks as the industry with the highest breach-related costs. These costs now top $9 million an incident.

“Certainly, security is going to be top of mind for everyone. It's a huge and ongoing challenge,” says Micky Tripathi, Ph.D., M.P.P., National Coordinator for Health Information Technology.

“I don't know that that's any different than it should be at any given time. But as we have more and more electronic health record penetration and more interoperability, certainly the security issues related to that rise equally. So that's one very big challenge that we have from a technical perspective.”

Accreditation or certification can help keep data flowing securely

TEFCA regulations call for qualified health information networks (QHINs) that agree to common terms of exchange, as well as functional and technical requirements. QHINs will form the communications hub of the TEFCA network, routing queries, responses, and messages among individuals, providers, and facilities that are exchanging data.

Standard methods of exchanging data continue to evolve, which can leave IT networks vulnerable. Even if the connection between healthcare networks is secure, what about the various APIs and other connections that each participating healthcare network also uses?

A pair of 2020 surveys revealed the depth of potential problems: 80% of CIOs and CISOs reported experiencing a breach originating with a third-party vendor in the last year. The second survey indicated that 44% of health systems and hospitals failed to meet basic protocols under the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF).

Industry accreditation/certification of IT networks is a critical step toward meeting the interoperability challenge and instilling confidence and stakeholder trust that healthcare providers are exchanging data among themselves and with patients in a secure manner.

Conclusion

The age of true healthcare data interoperability may finally be dawning, but many critical issues remain to be settled, including how participating networks can ensure the security and privacy of their data connections to facilitate data exchange in a safe and compliant manner.

Healthcare organizations already must manage overall risk strategies and exposure internally and with covered entities and business associates. The tenets of interoperability through TEFCA extend those connections to other healthcare data networks. Industry accreditation/certification is important to promote adherence to standards and best practices while protecting the security, privacy and confidentiality of patient data and assuring stakeholder trust.

As Tripathi says, “At the end of the day, every place that is managing IT, the security is only as good as the policies that they implement, and their diligence around those policies and technologies.

“That's the bigger challenge: That we live in a very fragmented healthcare delivery system, and there's nothing that the federal government can do to say, let's just turn this crank, or flip this switch, and everyone will be secure,” says Tripathi. “It's really about constant diligence, constant awareness, and making sure that there's alignment and awareness of security issues.”

Lee Barrett is executive director and CEO of the Electronic Healthcare Network Accreditation Commission (EHNAC) where he continues to work on key HIT industry initiatives that lay the foundation for health information technology.