Healthcare Interoperability & Security Must Coexist – Part 1



Healthcare data interoperability and security must coexist

Behind an 8-syllable word – Interoperability – is a suite of possibilities and challenges that some of the best brains in healthcare are trying to tackle. Interoperability, in theory, allows organizations to send data securely across different health IT systems and receive it in a readable, usable manner. But this vision is not yet a widespread reality. The industry, sometimes described as facing an “interoperability crisis”, still deals with the inability of physicians, patients, researchers, and others to quickly, securely and seamlessly share medical data with each other. The problem has been intensified by recent high-profile security breaches and ransomware infections, which spread all too easily through existing healthcare networks.

The lack of easy data sharing among caregivers and others has reached epidemic proportions, as health data exchange today is still largely accomplished via email attachments and fax transmissions. To make things worse, as the range of methods for data exchange has expanded, the number of vulnerable “attack surfaces”, IT resources potentially exposed to theft and compromise, has expanded as well.

As developers create an endless array of applications to improve healthcare, how can we solve the interoperability challenge without also opening medical data to further compromise? The problem may seem intractable, but it is not.

Interoperability and Security Are Not Mutually Exclusive

In some ways, interoperability and security appear to be antagonistic. After all, how can health data be more accessible without also being more vulnerable? How can health data be more available, and also be more secure?

From a security perspective, primary concerns with interoperability revolve around:

  • User authorization and authentication
  • Ease of access to health data
  • Auditing of data access and modification
  • Uniform identification of patients in various settings
  • Security of health data during transmission and at rest

These issues must be resolved and harmonized for true interoperability to flourish. At the same time, it must be remembered that the cash value of health data to criminals will always make it a tempting target.

Health data is prized by criminals, who routinely buy and sell large quantities in “dark web” storefronts and use it for medical identity theft. And as more medical data gets digitized and goes online, its attractiveness to hackers and data thieves will only increase. Medical data is cash to criminals, and vast amounts of health data are being digitized at an increasing rate.

Digitization of Health Data is a Driving Force for Interoperability

The digitization of health data has been driven by powerful market forces. First, the introduction of so-called “practice management” software in the 1970s and 1980s helped medical practices reduce paper-based record-keeping. But a lack of standards at that time required users to manually input, update, and sometimes interpret data exchanged between disparate systems. This led to the introduction of the more comprehensive “Electronic Health Record” (EHR) systems we know today, along with Health Information Exchanges (HIEs). EHR adoption has been intensely stimulated since 2009 by the HITECH Act, which offers financial incentives to providers for adopting EHRs and putting them into widespread “meaningful use.”

The digitization of health information is creating an enormous collective body of data that includes legacy data converted to digital form and “native”, originally-digital records. Interoperability is needed to derive the greatest value from this growing mass, to leverage new digital-centric opportunities to solve modern-day healthcare challenges, and to protect the data. Fortunately, existing law and legislative trends strongly support the development and growth of interoperability.

HIPAA Is No Obstacle to Interoperability

HIPAA requires healthcare entities to protect the confidentiality, integrity, and availability of individually identifiable health information, using a variety of administrative, physical, and technical safeguards specified in the HIPAA Regulations. And while HIPAA is commonly thought of as restricting data flows and disclosures, which it does in part, the Regulations are also designed to promote and facilitate the rapid and unimpeded flow of health data for lawful purposes. HIPAA’s specific requirements must be integrated into interoperable systems, but the HIPAA Regulations are no obstacle to interoperability.

To learn more about the benefits of interoperability, and how to begin building interoperable solutions today, read Part 2 of this article.