HIE privacy and security: BIDMC CIO keynote


Privacy and security are critical considerations when building a health information exchange (HIE) architecture. Knowing the “how” of securing a successful HIE’s data is important because there may be more players than some realize in the process. John Halamka, MD and CIO of Beth Israel Deaconess Medical Center (BIDMC), laid out the soup-to-nuts security certificate deliberations that Massachusetts went through as it built its Mass HIE during his keynote at last week’s HIMSS Privacy and Security Forum.

The Mass. HIE went live in October and many other stakeholders have taken part in the growing network. Here is the transcript of Halamka’s inside look into some HIE privacy policies and technical challenges:


Stage 2 Meaningful Use says share more data with more people for more purposes – oh but all at the same time, meet privacy and security requirements. So how do you deal with these two disparate goals? Well, we’ll each give our own perspective. Massachusetts says that it all depends on creating a trust fabric, which is based on policy and technology. If we’re going to send data to trusted entities, we need to ask, who are those entities? We’re going to have to allow some identity management and use certificates to identify trusted organizations. We better have pretty strong policies; Do we allow Massachusetts General Hospital [to share data with]? What about Joe’s endoscopy shack? Maybe not!

It’s more than just participation agreements and associate agreements; it’s ensuring the processes and policies are in place so that all entities that can exchange data are trusted. Based on policy, Massachusetts chose to have certain organizations that will sign participation agreements administered by the state government. So that means the executive office of the department of health and human services (HHS) and its CIO oversee the entire program of who gets in.

Once we were in, we hired a company (I have no affiliation with any company) – we chose Symantec – to issue certificates with the Symantec root to those individuals we found appropriately trustworthy to play in healthcare information exchange (HIE). And then we built the components, not modem or dial up, it is in fact pure gateways supporting different protocols: Simple Object Access Protocol (SOAP) protocols, Simple Mail Transport Protocol (SMTP), MIME (Multi-Purpose Internet Mail Extensions) protocols, and for organizations to exchange data between each other.

We did not issue certificates to individuals. You figure, in the Commonwealth there are 20,000 doctors and 150,000 or so staff members working in physician offices or payer organizations. Issuing certificates for 150,000 individuals is hard. Instead, we said well, we can take Blue, Harvard Pilgrim, Mass General, BIDMC, or a trusted organization in Pittsfield, and issue certificates to the organizations, which then issue them to the individuals. And by using a series of technologies, deliver payload to the network order of that organization once the network inside the network, the organization delivers it into the EHR via secure email or whatever mechanism the organization sees most appropriate to get the named individual.

So what we have is a series of Web services. I can look up “Who is John Halamka and where does he work?” – Oh he is a physician at BIDMC, I can retrieve a BIDMC public key, I can wrap a payload in that public key and send it via gateway to the BIDMC gateway by which it’s delivered to the named individual. And there’s auditing all along the way, with the entire process the whole way overseen legally and technically by the state government and hosted in a third-party cloud that is managed by a higher vendor but ultimately the state government is the contractual authority.

We recognized an interesting last-mile problem. Questions about payer-provider transmission such as “What do we do with these payers that want dial-up modems?” While that’s an unusual example, I think it’s fair to say that not every vendor that’s used in doctors’ offices is completely compliant with HIE standards. So we have three standards by which payloads can be delivered. A network appliance (our HIE vendor makes a one-use server box available that’s capable of receiving these transmissions and then making them available through a variety of protocols inside the network). It could be a Health Level Seven (HL7) TCP transaction or a SOAP transaction, and so while the EHR may not support HIE natively, the fact that there’s this middleware appliance between the network (backbone) and the EHR allows the admission of the payload into the EHR.

Some EHRs will allow the protocols that are required for delivery and then there are EHRs that are incapable of anything. So you hate to do it, but secure Web portals are a choice of last resort. We wish we didn’t have to do it at all because doctors hate the idea of breaking their workflow. “I’m in the middle of my EHR, oh I need to separately login to the Web portal to get my HIE data.” The state government that oversees the HIE process has a nice combination of state and federal funds to get a variety of tests done. So what we did our first year is establish the statewide provider directory, PKI certificate registry, the gateways, appliances and then build connections to some state government facilities.

The next step is to connect further state government functionalities so other things like public health submissions are easy. Then we get into a much harder problem. Since the session is about privacy and security, I’ll use this completely fictional example:

I show up at an ER unconscious and you have nothing but my driver’s license and you want to deliver safe, efficient care to me and want to pull data from everywhere in MA that I have consented to release it. I have psychiatric inpatient records at McLean Hospital, records at the Fenway Community Health Center for my HIV treatment, Betty Ford records and at BIDMC for flu vaccination. My privacy preferences, different for everyone, might be “I consent to disclose my flu vaccine, but I don’t want you to see my Betty Ford clinic visit because it’s not salient to today’s treatment.” So I have to opt in to disclose data ahead of time in a state-wide registry so that when I show up to the ER in a condition where I can’t consent, the clinician gets the data that I want the clinician to see. So what’s happening is a state-wide citizen index with the record-locator service attached to it: those medical record numbers you have been known by at healthcare institutions in the Commonwealth, and opt-in consent to disclose, stored centrally, of when those medical record networks can be released to whom.
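The two mechanisms the keynote describes, organization-level certificates with a provider directory that routes a payload to an organization’s gateway rather than to an individual, and a record-locator service that releases only what the patient opted in to disclose, can be modelled in a few dozen lines. The following is an added illustration written for this page; it is not code from the Mass HIE, the Commonwealth, Symantec or any vendor. Every organization, provider name, certificate serial, medical record number and date in it is a constructed sample value, and the “wrapping” of a payload with the organization’s public key is a labelled placeholder rather than real encryption.

```python
"""Toy model of the organization-level trust fabric and the consent-filtered
record locator described in the keynote.

Constructed illustration, not code from the Mass HIE, the state, or any vendor.
Every organization, provider, certificate serial, MRN and date below is a
made-up sample value, and the public-key wrapping is a labelled placeholder.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fixed "today" so the example is deterministic (constructed value).
TODAY = date(2013, 1, 15)


@dataclass
class OrgCert:
    """A certificate issued to an organization, not to an individual."""
    org: str
    serial: str        # hypothetical serial, stands in for a real certificate
    not_after: date
    revoked: bool = False

    def valid_on(self, day: date) -> bool:
        return not self.revoked and day <= self.not_after


# Statewide provider directory: individual -> employing organization (constructed).
PROVIDER_DIRECTORY = {
    "john.halamka": "BIDMC",
    "pat.smith": "Joes Endoscopy Shack",
}

# Certificate registry: only organizations the state admitted hold a cert (constructed).
CERT_REGISTRY = {
    "BIDMC": OrgCert("BIDMC", "CERT-0001", date(2030, 1, 1)),
    "McLean Hospital": OrgCert("McLean Hospital", "CERT-0002", date(2030, 1, 1)),
    "Joes Endoscopy Shack": OrgCert("Joes Endoscopy Shack", "CERT-0099",
                                    date(2030, 1, 1), revoked=True),
}

# Record locator service: patient -> (institution, local medical record number) (constructed).
RECORD_LOCATOR = {
    "patient-123": [
        ("McLean Hospital", "MRN-88"),
        ("Fenway Community Health Center", "MRN-5"),
        ("Betty Ford Center", "MRN-7"),
        ("BIDMC", "MRN-42"),
    ],
}

# Opt-in consent registered ahead of time: institutions allowed to release (constructed).
CONSENT_REGISTRY = {"patient-123": {"BIDMC"}}

AUDIT_LOG: list = []


def audit(event: str, **fields) -> None:
    """Append one audit record; every lookup and routing decision is logged."""
    AUDIT_LOG.append({"event": event, **fields})


def route_to_provider(recipient: str, payload: str, day: date = TODAY) -> Optional[dict]:
    """Resolve a named individual to their organization's gateway and wrap the
    payload for that organization. Returns None when the organization is not
    in the trust fabric (no certificate, expired, or revoked)."""
    org = PROVIDER_DIRECTORY.get(recipient)
    if org is None:
        audit("directory_miss", recipient=recipient)
        return None
    cert = CERT_REGISTRY.get(org)
    if cert is None or not cert.valid_on(day):
        audit("untrusted_org", recipient=recipient, org=org)
        return None
    envelope = {
        "gateway": org,                    # the organization's gateway, not the person
        "cert_serial": cert.serial,
        "named_recipient": recipient,      # the organization delivers inside its own network
        # Placeholder for wrapping with the organization's public key; not real encryption.
        "payload": f"<wrapped-for-{cert.serial}>{payload}",
    }
    audit("delivered_to_gateway", recipient=recipient, org=org)
    return envelope


def locate_records(patient_id: str, requesting_org: str, day: date = TODAY) -> list:
    """Return only the record locators the patient opted in to release, and only
    to a requester that holds a valid organization certificate."""
    cert = CERT_REGISTRY.get(requesting_org)
    if cert is None or not cert.valid_on(day):
        audit("untrusted_requester", patient=patient_id, requester=requesting_org)
        return []
    consented = CONSENT_REGISTRY.get(patient_id, set())
    released = [(inst, mrn) for inst, mrn in RECORD_LOCATOR.get(patient_id, [])
                if inst in consented]
    audit("record_locator_query", patient=patient_id, requester=requesting_org,
          released=[inst for inst, _ in released])
    return released


if __name__ == "__main__":
    print(route_to_provider("john.halamka", "flu vaccination record"))
    print(route_to_provider("pat.smith", "lab result"))   # revoked org -> None
    print(locate_records("patient-123", "BIDMC"))          # only consented institutions
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points follow the keynote directly: trust is decided per organization (a directory miss or a revoked organization certificate stops delivery before any payload is wrapped), and the record locator never returns a medical record number the patient did not opt in to release, even to a fully trusted requester. Both decisions are written to the audit log, which is what makes the later “who saw what, and why” questions answerable.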


Obviously, there are many security factors to consider technically, policy-wise and legally when building an HIE. The level of detail on how security certificates are issued and how payloads are delivered is certainly helpful for understanding what the real security and privacy considerations are for CIOs, IT managers and CISOs.

