TriRivers Health Partners agreed to a deal back in October 2012 with RSA, EMC’s security division, to augment its security architecture, but there is value in taking time to integrate these types of products into current security environments. HealthITSecurity.com caught up with TriRivers CEO Phil Wasson to hear how their new security venture was progressing and learn more about its health information exchange (HIE) privacy plans.
TriRivers Health Partners of Rockford, IL is a joint venture Healthcare Information Technology Organization that is sponsored by SwedishAmerican Health System and FHN (formerly Freeport Health Network). It hasn’t rolled out all of RSA’s security management solutions, but is starting to implement some new cloud-based technology that requires the organization to ensure it has its privacy and security policies in place.
Wasson explained that TriHealth is acquiring virtual cloud technology that allows it to make the most of tenant-based cloud services. And in conjunction with those efforts, it is planning on implementing firewall technology that supports tenant-based firewall management services on top of the RSA package. “RSA as a security model would allow us to do things like security and loss prevention, governance risk compliance (GRC) on a tenant basis,” Wasson said. “And helping with one of our reporting organizations achieve security requirements.”
Deciding how to use the RSA products
Wasson is still in the process of figuring out how best to use Archer eGRC Suite, RSA Data Loss Prevention (DLP) Suite, RSA enVision security monitoring solution and products from the Greenplum division such as Data Computing Appliance (DCA):
“Right now, we haven’t figured out how we would integrate Archer in with our current security components. What I’m assuming is we’ll end up writing an API of some kind from our HIE into Archer for GRC management. I don’t know that we’ll use an Archer product to capture information, but we’ve a lot of interface development and we’ll work with EMC and our other vendor on an API for that.”
He added that TriRivers is going to take a look at Greenplum to see if it can use a plugin from one of its other vendors so customers looking to do centralized big data reporting with ACO types can do so. But he said ensuring the data is deidentified is also a big part of that effort. Wasson said Greenplum can be used for retrospective logging for HIPAA compliance and also prospective logging for future threat analysis.
Managing HIE security
TriRivers, in concert with Northern Illinois University for Health, has worked with more than 25 Northern Illinois healthcare stakeholders to apply for an HIE grant for Medical Transport Area No. 9. TriRivers is beginning to implement an HIE based on Europe’s epSOS model, which is quite a bit different than U.S. HIE development right now because it uses the eHealth framework and will be delivered as an HIE service over the cloud.
“We want to work with EHR vendors on [securing the data], but they’re still approaching it in a very proprietary manner. Basic privacy and consent is a requirement of the health information system provider. The vendors don’t always see it that way right now, but I think over time it’s going to change. For example, when a patient gets registered, they might automatically opt into an HIE and they’re being registered into a product and EMR system. If they’re not already in the HIE or there’s a question about the privacy and consent requirements, we’re going to be able to launch a branded HIE page from the HIE.”
There is also the potential, according to Wasson, to individualize patient opt-outs. If, for example, a patient says they don’t want to opt in, the HIE needs to launch a branded page and ask them if their data can be exchanged with an emergency room or PCP if needed. Patients can pick from Basic Patient Privacy Consents (BPPC) granularities and healthcare providers can “break the glass”, but BPPC requires you to follow state requirements. The problem with non-consolidated HIEs, said Wasson, is some patient data needs to be redacted, such as diseases or behavioral health.
TriRivers seems to be doing well in implementing these interesting security technologies at its own pace. How it continues to work the RSA products into its architecture and ramp up its HIE will be worth watching going forward.