Creating interoperability standards is a common goal in healthcare IT, especially with health information exchange (HIE) gaining significance in the industry, but how does security fit into the picture? Eric Heflin, Chief Technology Officer (CTO) at Texas Health Services Authority and interim CTO at HealtheWay, has worked with the New York eHealth Collaborative (NYeC) on interoperability standards that don’t put security considerations on the back burner.
Healtheway eHealth Exchange is the Nationwide Health Information Network Exchange and Heflin leads security work for the organization’s technical specifications. Heflin told HealthITSecurity.com at HIMSS13 that Healtheway and the NYeC, with the help of Certification Commission for Health Information Technology (CCHIT), takes an approach of testing in multiple layers, including security content.
The challenge is that standards have flexibility, which is the enemy of interoperability. We’ve collaborated with the HIE interoperability workgroup with eHealth Exchange to have constrained specifications and actually achieve interoperability. It’s based on their work and the work is going to be reflected in 500+ test cases. And a large number of those tests are focused around security considerations. For example, a responding system rejects a message if it is not properly digitally signed.
What does the “plug and play” interoperability goal mean for security?
Heflin and Anuj Desia, NYeC Director of Business Development, said multiple times in conversation at HIMSS13 that both groups want “plug and play” interoperability and Heflin maintained that security is a big part of that effort. He said that Healtheway and NYeC use non-proprietary methods for securing the data by using a public key infrastructure, which they use for three key purposes:
1. Identify each of the end points of the exchange to ensure they’re authentic and they are who they say they are.
2. They we use it use for the channel to encrypt the data as it goes back and forth.
3. And we use it to sign key elements of the content to make sure it hasn’t been tampered with.
Public key encryption is the container in which all of the other service-based protocols Healtheway and NYeC are using, except for Direct. For Direct, they’re using cryptographic message syntax (CMS). “[Using CMS] means all the clinical data in a Direct message is in a container that can be read by only one or more designated recipients,” Heflin said. “Security is a big part of our overall strategy.”
Another important part of these interoperability and security standards is forming a trusted framework, according to Heflin, where there are policies and common rules of the road. For example, the Data Use and Reciprocal Support Agreement (DURSA) is an important legal document because it establishes a framework of trust among all states and federal agencies. “When organizations agree to exchange data, they’ve agreed to the same trust framework,” Heflin said. “They’ll have the same IT security best practices, such as not giving passwords out or running machines without anti-virus software.”