Monday, September 14, 2009

Security for Healthcare Information Exchange

In my role as vice-Chair of the HIT Standards Committee, I join many of the subcommittee calls debating the standards and implementation guidance needed to support meaningful use. Over the past few months, I've learned a great deal from the Privacy and Security Working group.

Here are my top 5 lessons about security for healthcare information exchange.

1. Security is not just about using the right standards or purchasing products that implement those standards; it's also about the infrastructure on which those products run and the policies that define how they'll be used. A great software system that supports role-based security is not so useful if everyone is given the same role/access permissions. Running great software on a completely open wireless network could lead to compromise of privacy.

2. Security is an end-to-end process. The healthcare ecosystem is as vulnerable as its weakest link. Thus, each application, workstation, network, and server within an enterprise must be secured to a reasonable extent. Only by creating a secure enterprise can healthcare information exchange be secured between enterprises.

3. As stated in #1, policies define how security technology is used. However, the US does not have a single, unified healthcare privacy policy - we have 50 of them since state law pre-empts HIPAA. This means that products will need to have the technology capabilities to support heterogeneous policies. For example, a clinician may have simple username/password authentication, while a government agency might require a smart card, biometrics, or hardware token.

4. Security is a process, not a product. Every year hackers will innovate and security practices will need to be enhanced to protect confidentiality. Security is also a balance between ease of use and absolute protection. The most secure library in the world would be one that never checked out books.

5. Security is a function of budgets. I spend over $1 million per year on security work at BIDMC. Knowing that rural hospitals and small practitioners have limited budgets, we need to set security requirements at a pace they can afford. Imposing Department of Defense 'nuclear secrets' security technology on a small doctor's office is not feasible. Thus, the Privacy and Security Workgroup has developed a matrix of required minimum security standards to be implemented in 2011, 2013, and 2015, realizing that some users will go beyond these minimums.


Privacy and Security is foundational to ARRA and Meaningful Use. Since patients will only trust EHRs if they believe their confidentiality is protected via good security, there will be increasing emphasis on better security technology and implementation over the next few years. Although some may find increased security cumbersome, our goal of care coordination through health information exchange depends on robust security technology, infrastructure and best practices.
