By Lee Barrett
Healthcare data longs to be free, but forces inside and outside healthcare still prevent the open exchange of protected health information (PHI).
One of the biggest challenges remains disparate information systems and the electronic health records (EHR) that all speak different languages, resisting easy translation from one platform to another. The industry is continuing to address the issue of proprietary vendor software, and therefore the lack of interoperability. Privacy and security regulations such as HIPAA also prohibit the unauthorized exchange of data and mandate protection from accidental or intentional release of PHI.
However, the winds have shifted in favor of greater flow of data among providers, facilities, and patients. As the industry moves toward value-based care and population health initiatives, government regulations bring a renewed focus on data interoperability. New interoperability rules that are part of the 21st Century Cures Act center on information blocking and patient data exchange. While the initial compliance date for information blocking rules (April 5, 2021) has passed, requirements for new standardized application programming interface (API) functionality have been delayed until December 31, 2022.
The data sharing that networks need for free-flowing information is only as strong as the weakest link—a troubling prospect for organizations expected to share data with upstream and downstream providers that might be less security conscious. Fortunately, emerging certification programs can level the playing field to help ensure that data exchanges remain secure.
Security vital for healthcare data networks
Healthcare data has always been prized by cybercriminals because of the range of demographic and personally identifiable information that patient health records contain. As a result, these records carry a very high value on the black market. Records often include Social Security numbers, along with addresses and other contact information, which makes it easy to apply for credit, open fraudulent accounts, submit fraudulent healthcare claims, purchase prescriptions and durable medical equipment, and more—costing the healthcare system millions.
The number of reported healthcare data breaches set a record in 2019 that was broken in 2020 with 237 incidents. Across industries, 22 billion records of personal information were exposed, with the largest share coming from healthcare. In the first two months of 2021, 56 healthcare breaches have already been reported, so the unfortunate record-setting trend likely will continue. Ransomware attacks accounted for 55% of healthcare breaches, followed by email/phishing (21%) and insider threats (7%), which shows that vulnerable data networks are being compromised.
Another study indicated that ransomware attacks cost healthcare organizations nearly $21 billion in downtime in 2020, double the 2019 amount. More than 18 million patient records were compromised during 2020 attacks, a 470% increase from the previous year.
The cost of a healthcare data breach tops all other industries for the 10th straight year at $7.13 million, nearly twice the remediation cost in other industries. What’s more, a healthcare breach takes an average of 11 months to uncover, leaving lots of time for criminals to make off with critical patient data.
Hospitals and health systems are especially vulnerable
Hospitals and health systems are particularly vulnerable due to the 24/7 nature of healthcare and the sheer number of technology systems that are required to operate a modern healthcare facility. A typical hospital operates 150-plus technology systems, including the current EHR, lab and imaging systems, cardiology software, pharmacy, ADT (admission, discharge, transfer) systems, monitoring and medical devices, archival systems, and legacy systems required for specialized queries or research. APIs connect these disparate systems, and the weakest link across the entire information-sharing chain can become the entry point for cybercriminals.
A cross-industry study shows more than half (54%) of companies using APIs have only a basic security strategy, with 27% reporting having no security strategy. Issues were reported by 91% of companies. Top security issues include vulnerabilities (54%), authentication issues (46%), bot/scraping (20%), and denial of service attacks (19%).
Mobile health apps are particularly vulnerable, a study indicates. Among the top 30 mobile health apps, 100% were vulnerable to broken object level authorization (BOLA) attacks, which occur when an app doesn’t adequately authenticate a user but allows access to information. Research also showed that 50% of APIs did not authenticate requests with tokens, and a similar percentage of accessed records showed sensitive patient data, including Social Security numbers, birthdates, allergies, and other data.
As the news release for the study states, “The findings demonstrate that the security standards required for compliance with U.S. government FHIR/SMART standards merely represent a subset of the steps needed to secure mobile apps and the APIs which enable apps to retrieve data and interoperate with data resources and other applications.”
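The BOLA pattern described above, shown on a toy FHIR Patient endpoint as an added example (not code from the study or from this article): the vulnerable handler checks only that a bearer token is valid, while the hardened one also binds the requested record to the patient context and scope carried in the token, as a SMART app launched with individual sign-on would. The patient records, token values and claim names are constructed for the example; a real server would validate a signed token rather than look it up in a dictionary.

```python
"""Toy FHIR Patient read endpoint: a BOLA flaw beside its fix."""

# Constructed sample data: two patient records (SSNs deliberately masked).
PATIENTS = {
    "p-100": {"resourceType": "Patient", "id": "p-100", "name": "Ada", "ssn": "***-**-1111"},
    "p-200": {"resourceType": "Patient", "id": "p-200", "name": "Ben", "ssn": "***-**-2222"},
}

# Constructed token store: token -> claims. A SMART app with individual
# sign-on carries a patient-context claim naming the one record the user
# may read, plus a scope limiting what resource types it may touch.
TOKENS = {
    "tok-ada": {"sub": "user-ada", "patient": "p-100", "scope": "patient/Patient.read"},
    "tok-ben": {"sub": "user-ben", "patient": "p-200", "scope": "patient/Patient.read"},
}


class Unauthorized(Exception):
    """No usable credential on the request (HTTP 401)."""


class Forbidden(Exception):
    """Credential is valid but not allowed for this object (HTTP 403)."""


def _bearer(auth_header):
    """Extract the raw token from an 'Authorization: Bearer ...' header."""
    if not auth_header or not auth_header.startswith("Bearer "):
        raise Unauthorized("missing bearer token")
    return auth_header[len("Bearer "):]


def get_patient_vulnerable(auth_header, patient_id):
    """BOLA: confirms the caller holds *a* valid token, then returns
    whatever object id the caller asked for. Authentication is done,
    authorization for the specific record is not."""
    token = _bearer(auth_header)
    if token not in TOKENS:
        raise Unauthorized("unknown token")
    return PATIENTS[patient_id]  # no check that this caller may read this id


def get_patient_hardened(auth_header, patient_id):
    """Fix: tie the requested object to the authorization context in the token."""
    claims = TOKENS.get(_bearer(auth_header))
    if claims is None:
        raise Unauthorized("unknown token")
    if "patient/Patient.read" not in claims["scope"].split():
        raise Forbidden("scope does not permit Patient read")
    if claims["patient"] != patient_id:
        raise Forbidden("token not authorized for this patient")  # the BOLA check
    record = PATIENTS.get(patient_id)
    if record is None:
        raise Forbidden("not found")  # same response as forbidden: don't leak which ids exist
    return record


def outcome(handler, auth_header, patient_id):
    """Return the record id on success, or the denial class name, for comparison."""
    try:
        return handler(auth_header, patient_id)["id"]
    except (Unauthorized, Forbidden) as exc:
        return type(exc).__name__
```

Run `outcome(get_patient_vulnerable, "Bearer tok-ada", "p-200")` and Ada's token reads Ben's record; the hardened handler refuses the same request with `Forbidden`.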
Certification programs provide security, peace of mind
There is an increased—and increasingly mandated—use of APIs to share healthcare data as supported by the Office of the National Coordinator for Health Information Technology (ONC), including the 21st Century Cures Act, the Trusted Exchange Framework and Common Agreement (TEFCA), and other regulatory initiatives. Given this, healthcare organizations need a higher level of authentication security, which is where certification programs can help.
Two nonprofit standards organizations have teamed up to offer the Trusted Dynamic Registration & Authentication Accreditation Program (TDRAAP), which supports the interoperability requirements within the ONC’s Cures Act Final Rule and related CMS Interoperability and Patient Access Final Rule.
TDRAAP is designed to help healthcare organizations and application developers demonstrate their ability to use trusted digital certificates for endpoint identity, registration, authentication, and attribute discovery for electronic healthcare transactions in real time. The program was developed jointly by the Electronic Healthcare Network Accreditation Commission (EHNAC) and UDAP.org.
Two certification programs are offered:
- TDRAAP-Basic offers privacy and security self-attestation with targeted validation, and the included UDAP technical framework certification demonstrates the trustworthiness of an entity’s end-to-end API. It is designed specifically for developers of consumer-facing apps, also referred to as a patient’s “app of their choice,” as used in workflows mandated by ONC and CMS that include SMART app launch with individual sign-on. TDRAAP-Basic supports the use of individual queries for “one-patient-at-a-time FHIR data access” using credentials issued by the healthcare system that publishes the API.
- TDRAAP-Comprehensive combines the extensive privacy and security requirements and in-depth validation of traditional EHNAC accreditation programs with UDAP technical framework certification. It is designed for a diverse cross-section of organizations and systems choosing to demonstrate full HIPAA/HITECH privacy security compliance and supporting all relevant UDAP workflows, including those for privileged client app or provider access such as in bulk data, broadcast, or targeted cross-organizational queries. Program candidates include payers, providers, mobile app developers, health information exchanges (HIE), health information networks (HIN), identity and credential service providers, financial institutions, regulatory agencies, defense contractors, and clearinghouses, as well as EHR, security, and cloud vendors.
Interoperability isn’t a passing fad. Rather, it’s the way 21st-century healthcare gets delivered, and TDRAAP addresses the incompatibilities between systems and applications. Cybersecurity threats aren’t a passing fad either, so healthcare organizations, app developers, and others who interact with healthcare IT systems must protect themselves against the vulnerabilities that APIs represent and demonstrate stakeholder trust.
Certification programs like TDRAAP can help more healthcare data to be truly free—and adequately protected—while demonstrating the level of stakeholder trust that the healthcare ecosystem needs.
Lee Barrett is executive director and CEO of the Electronic Healthcare Network Accreditation Commission (EHNAC). There, he works on key HIT industry initiatives that lay the foundation for health information technology—including support and implementation of key healthcare legislative mandates—and speaks nationally regarding security, privacy, ransomware, and cybersecurity risk management/assessment and mitigation strategies, tactics, and best practices. He is a member of both the Executive Steering Committee for the ONC Payer + Provider FAST FHIR Task Force and the HHS Cybersecurity Task Force (405d), and chair of the National Trust Network Data Sharing and Cybersecurity Task Group.