Ensuring Security and Privacy in the HIE Market - Redspin Information Security
Industry Brief

Ensuring Security and Privacy in the Rapidly Growing Healthcare Information Exchange Market

Recently, the first major distribution of HITECH Act funds occurred when the Department of Health and Human Services (HHS) awarded over $547 million to states and territories for the establishment of public Health Information Exchanges (HIEs). These exchanges are intended to provide the technology and infrastructure to support electronic sharing of data among hospitals, physicians, clinical laboratories, pharmacies, health plans (insurers), and public health departments. The adoption of HIEs offers benefits to both providers and patients resulting from the electronic sharing of health information, such as improved quality of care, increased patient safety, reduced cost, and increased efficiency of administrative functions. However, HIEs may also increase the potential for misuse of data, and they provide a high value target for cyber crime organizations. This brief explores best practices for ensuring security and privacy within HIE deployments and considers both the business and technology driven forces shaping this emerging market.

Healthcare Information Exchange Background

The fundamental forces behind the adoption of HIEs are pressures for modernization, improved effectiveness of business processes, and increased management efficiencies. Most healthcare providers in the United States still rely on paper records to maintain, store, and share patients’ information. This results in slow and cumbersome communications, often contributes to improper treatment, and lacks the capability to secure information at many points in the system. HIEs address these deficiencies by facilitating the sharing of electronic health information by delivering services and technology that allow providers to request and receive information about patients from other providers. A simplified model of an HIE is shown in Figure 1.

[Figure 1. Simplified View of a Healthcare Information Exchange. Labels: Healthcare Information Exchange; Laboratories; Physician’s Office; Public Health Dept.; Hospital]

Redspin, Inc.
800-721-9177
www.redspin.com
While HIEs have been getting significant attention lately because of the infusion of government money, efforts to establish organizations that enable the sharing of electronic healthcare information began in the early 1990s. These organizations, called Community Health Information Networks, evolved into Regional Health Information Organizations in the early 2000s. In 2009, according to the eHealth Initiative (ref.1), there were 57 HIEs in a fully operational state and nearly 100 others not yet operational but readying market engagement plans. 2010 represents a crucial year for HIEs as states form and deploy their strategic and operational plans, and product vendors as well as service providers position themselves to tap into the funding.

Emerging HIE Deployment Models

One of the major challenges to driving HIE success is ensuring security and privacy, as well as efficiently demonstrating compliance with HIPAA and HITECH Act requirements. With user requirements ranging from large hospitals to small physician’s offices, answers to basic questions, such as the appropriate technical protection mechanisms and access controls, present significant challenges (ref.2,3). To a certain extent, forming the appropriate answers to questions of security and privacy requires definition of the compute and storage model that will be most prevalent in the environment. In many respects, the leading model that is emerging in the HIE market is that of a cloud services based platform. In this model the cloud service provider is responsible for providing highly scalable services, authorization, access control, audit logging, and data protection. Many vendors such as Axolotl, Covisint, IBM, Microsoft HealthVault/Amalga, and Medicity have announced offerings in some form. These have included APIs that allow specialized applications to be developed rapidly while taking advantage of the core infrastructure services. Example applications range from clinical decision support to meaningful use reporting. An illustration of this framework is shown in Figure 2.

[Figure 2. HIE Cloud Platform. Labels: Qual Rptg; Imaging; EMR-a; EMR-b; App-n; API; HIE Cloud “Platform as a Service”]

The platform as a service model can be very powerful in the HIE environment because security and privacy services can be leveraged by the applications as well as the providers and consumers of the information. However, for rapid deployment and efficient ongoing operations, it is critical that the providers of healthcare cloud services communicate security, privacy, and compliance practices and procedures to customers in a transparent fashion. The hospitals, laboratories, and physician practices that form the customer base of the HIE need to be able to understand this information and ensure their security, privacy, and compliance needs are met. The following sections explore various domains of governance and operation that are relevant in HIE deployments and provide guidance for optimizing security and privacy both for platform providers and for end customers.

HIE Privacy and Security Considerations

The following sections form an outline for driving optimization of security, privacy, and compliance management processes and practices for HIE platform providers, operators, and customers. These considerations have been derived from general purpose work done by the Cloud Security Alliance and the Open Group (ref.4,5) that covers security in cloud services environments in forms ranging from Infrastructure as a Service (IaaS) to Software as a Service (SaaS).

References

1. eHealth Initiative; Migrating Toward Meaningful Use: The State of Health Information Exchange; August 2009
2. New England Journal of Medicine; The Use of Electronic Healthcare Records in U.S. Hospitals; April 2009
3. U.S. General Accounting Office; Electronic Personal Health Information Exchange – Healthcare Entities’ Reported Disclosure Practices and Effects on Quality of Care; February 2010
4. Cloud Security Alliance; Security Guidance for Critical Areas of Focus in Cloud Computing v2.1; December 2009
5. The Open Group; Jericho Forum Cloud Computing Self-Assessment; March 2010
Operational Considerations

Virtualization

Virtual machine technology is a key enabler of efficient cloud services. Operators and customers need to be concerned about the practices for compartmentalizing and hardening VM systems. Platform providers need to be able to communicate their security processes surrounding these systems. Particular attention must be placed on the security controls used to protect administrative interfaces exposed to operators and customers.

Encryption and Key Management

Strong encryption is one of the core mechanisms for protecting sensitive healthcare data. Although encryption itself does not prevent data loss, safe harbor provisions associated with state laws and HIPAA regulations treat encrypted data as acceptable loss. Customers and operators need to understand the provisions for encrypting data at rest, data in transit, and data stored on backup media. Platform providers need to articulate their encryption programs and methods associated with key management. Important areas to understand with respect to key management include protection mechanisms for key stores, access procedures to key stores, and key backup/recovery processes.

Application Security

As the application layer provides the most prevalent avenue of attack for cyber criminals and hackers, particular attention must be paid to this area. Applications require design, testing, and change management rigor similar to business critical applications typically residing in a classic DMZ. In an HIE, platform providers are delivering their own applications as well as providing system services, APIs, and libraries. Platform providers should also ensure consistent usage of application management utilities and coupling to external services.

Identity and Access Management

Effective management of identity and access control is one of the most significant challenges in the healthcare IT sector and presents multiple compliance issues. Platform providers, operators, and customers need to understand several major areas including provisioning, authentication, authorization, federation, and user profile management. As an example, coordination across stakeholder groups is essential to provide consistent single sign-on authentication across applications from multiple sources. Platform providers need to clearly communicate their security processes in these areas to ensure compliance as well as to enable customers to leverage their existing identity stores.

Incident Response

The same principles that make cloud services deployments economically efficient can add confusion and complexity in the case of a data breach or general security incident. It is critical for customers to insist upon a prearranged plan and understand the communications mechanisms with the operator’s incident response team. Platform providers need to build in security processes that facilitate effective and efficient operation of a Security Operations Center (SOC). This should include a security information and event management (SIEM) system that consolidates data sources such as application logs, firewall logs, and network monitoring systems into a common analysis and alerting center.

Business Continuity and Disaster Recovery

The rapid pace of change and, in some cases, the lack of transparency associated with cloud computing require that customers closely examine and continuously monitor the business continuity and disaster recovery capabilities built in by cloud platform providers and implemented by operators. Customers need to ensure that recovery time objectives are well defined in contractual documents and that operational capabilities can satisfy these requirements.

Governance Considerations

Governance

Effective information security governance calls for collaboration among customers, operators, and cloud platform providers. Programs must be structured to scale with business requirements and to provide measurability, sustainability, and continuous improvement as well as cost effectiveness on an ongoing basis. Customer organizations should include a review of information security governance and processes as part of their due diligence in assessing operational organizations. The review should also include specific security controls that support management processes.

Risk Management

Given the lack of control over infrastructure and facilities in cloud services deployments, service level agreements, business associate agreements, contractual obligations, and platform documentation play a larger role than with traditional on-premise healthcare IT systems. A well structured risk management approach must include identification and valuation of assets, ongoing analysis of threats and vulnerabilities coupled with their potential impact on the assets, analysis of the likelihood of scenarios, and the development of programs to manage risk (control, avoid, transfer, accept). The risk management program should be facilitated by the cloud platform provider, carried out by the operating organization, and reflected in service agreements with customers.

Compliance and Audit

HIE customers are subject to HIPAA and HITECH Act regulations as well as other state or industry mandated requirements. Customers should involve legal and contract teams to ensure their particular compliance requirements will be met given the cloud platform intended for deployment and the operational procedures in place. Customers should insist upon a right to audit clause in contracts given the fluid nature of regulations in the healthcare industry. The cloud services provider should offer a SAS 70 Type II audit statement as a minimum requirement and point of reference for assessors. Since HIEs are offering mission critical services and protecting high value data, cloud services providers should strive for ISO/IEC 27001 certification for information security management systems. Consider a security assessment focusing on HIPAA and HITECH Act compliance to facilitate the process.

Information Management

The value of an HIE is dependent upon effective information management across the lifecycle from creation to destruction. Customers, operators, and cloud platform providers all play critical roles. In the data creation phase, the cloud platform provider and application developers must work with customers to identify data labeling and classification capabilities. To protect stored data, the operators and cloud platform providers must identify appropriate access controls and encryption solutions. Data in use must be protected by application logic and object level controls within DBMS systems. Archived data should be encrypted with a key management process consistent with other data protection mechanisms. Data destruction can be accomplished through a variety of means ranging from disk wiping to physical destruction. Content discovery may be used as a mechanism to confirm destruction processes.

Summary

The HIE market will evolve rapidly over the next year. Effective and efficient information security management is a condition for success in the case of customers, operators, and cloud platform providers. We’ve shown that maximizing the impact of the promise of HIE systems will require close cooperation in the information security management area among all parties involved, and the payback will come in both economic benefits and improved patient outcomes.

About Redspin
Redspin is a leading provider of Information Security Assessment solutions that utilize a top-down, risk-based approach to providing a gap analysis of companies’ infrastructures. Companies can reduce risk, improve compliance, and increase the value of their business unit and IT portfolio by relying on Redspin as their objective information security partner. By leveraging our award-winning security engineers, Redspin presents detailed and actionable recommendations that provide cost-effective mitigation measures and specific prioritized findings, enabling you to resolve your network vulnerabilities. With more than 10 years of expertise, Redspin delivers its services to companies over a wide range of industries including banks/financial services, healthcare, Fortune 1000, retailers/eCommerce, and technology providers.

WHEN YOU REALLY WANT TO KNOW... CALL REDSPIN
Phone: 800-721-9177
Web: WWW.REDSPIN.COM
Email: INFO@REDSPIN.COM