Privacy and Security Challenges with the Nationwide Health Information Network (NwHIN)

FINAL RESEARCH PAPER

OLATUNJI Oloruntobiloba
Computer Security and Privacy MHI250
UCDavis Extension

ABSTRACT
The NwHIN is a nationwide project sponsored by the ONC to make patient data available to providers and patients on demand, in order to improve the quality of healthcare, save cost and improve care coordination, among other benefits. HIE makes this possible by connecting providers via the internet. Patient portals will also make the information available to patients when they need it for care. When fully implemented, this will make the patient data of all Americans available to providers all over America. This is a breathtaking amount of data with huge market value among attackers. Does the NwHIN have the capacity to protect this large amount of data adequately in the light of today’s sophisticated attacks from insiders and intruders? All the loopholes, concerns and challenges need to be identified and addressed to ensure the safest approach is utilized to protect patient privacy.

1.0 INTRODUCTION
The Nationwide Health Information Network (NwHIN) is a set of standards, services and policies that enable secure health information exchange over the Internet. The network will provide a foundation for the exchange of health information across diverse entities, within communities and across the country, helping to achieve the goals of the HITECH Act [1]. As part of its health IT agenda, the Office of the National Coordinator for Health Information Technology (ONC) has provided funding for a number of health IT programs, including the development of the Nationwide Health Information Network. These standards, services, and policies will help move health care from a system where patient information is stored in paper medical records and carried from one doctor’s office to the next to a process where information is stored and shared securely and electronically. Health information will follow the patient and be available for clinical decision making as well as for uses beyond direct patient care, such as measuring quality of care.

The Nationwide Health Information Network is NOT a physical network that runs on servers at the U.S. Department of Health & Human Services, nor is it a large network that stores patient records [2].

Health Information Exchange (HIE) makes access to cross-border patient information possible by connecting patient data from several providers, making it available on-demand through the internet. The 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) aimed to have this operational by 2014. Although this goal hasn’t been reached, HITECH-funded HIE demonstration projects are now underway in all states [22]. This means that when the project is fully operational, patient healthcare information will become available to healthcare providers all over the US. Patients will also be able to access their own records via the internet, opening up the platform potentially to every American or, in reality, everyone in the world who has internet access. Although data protection exists through HIPAA, and de-identification and encryption should be implemented, these current privacy policies do not match up to the sophistication of today’s attacks. With the huge data breaches in recent experience, the NwHIN privacy and security regulations should be reviewed to improve security and protect patient privacy.

1.1 BACKGROUND AND HISTORY
ONC began to develop the NHIN in 2004. The first phase included development of prototype architectures, and the second phase developed specifications and services, and working constructs. In 2005, ONC established four consortia to architect a standards-based, nationwide network for health data exchange. The consortia developed a technical framework that defined several core NHIN services which included, but was not limited to, locating and retrieving information, providing consumers with access to personal health records, and identity management. The consortia were followed by 16 contractors and grantees that developed ‘production-ready’ systems which implemented the various core services [3].

The Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5), was enacted on February 17, 2009. The HITECH Act amended the Public Health Service Act (PHSA) and established “Title XXX—Health Information Technology and Quality” to improve health care quality, safety, and efficiency through the promotion of HIT and the electronic exchange of health information. More specifically, section 3001(c)(8) of the PHSA requires the National Coordinator for Health Information Technology (National Coordinator) to “establish a governance mechanism for the nationwide health information network.” [6] The American Recovery and Reinvestment Act (ARRA) of 2009 showed the Federal government's unprecedented interest in increasing the use of health IT to optimize the health care system. The ARRA devotes approximately $19 billion to increasing participation in health information exchange (HIE). The goal was to create regional health information organizations (RHIOs) that will ultimately be linked to form a Nationwide Health Information Network [4].

The NHIN has developed a comprehensive governance framework. The primary artifact of the governance work is the Data Use and Reciprocal Support Agreement (DURSA), a legal framework authorizing the exchange of protected health information across the NHIN. The DURSA, at its core, provides privacy and security for the information exchanged. It further describes the governance of the NHIN and the requirements for those entities which desire to become part of the NHIN. The technical, legal, and governance frameworks create a pathway for operational data exchange to occur between HIEs in the near future.

2.0 RELEVANT CONCEPTS AND DEFINITIONS
Health Information Exchange- HIE is the electronic exchange of individual medical information with other health care providers. The term HIE is often used interchangeably as a noun—an organization that exchanges health information—and a verb—the exchange of health information. An HIE in its noun form may also be called a health information organization (HIO), which administers the exchange of health information [22].

Nationwide Health Information Network Exchange, which was formerly known as the NHIN Cooperative, is a group of stakeholders and integrated delivery networks that are collaborating to securely exchange health information electronically. The group includes federal agencies, local, regional and state-level Health Information Exchange Organizations (HIOs) and private organizations [2].

eHealth Exchange- In 2012, ONC announced the successful transition of the NwHIN Exchange to eHealth Exchange. The eHealth Exchange is made up of federal agencies and private partners that have implemented nationwide health information network standards and services and executed the Data Use and Reciprocal Support Agreement (DURSA), a legal agreement, in order to securely exchange electronic health information. Participating organizations in eHealth Exchange mutually agree to support this common set of standards and specifications [8].

Healtheway- Overseeing the eHealth Exchange and defined in the DURSA is the Exchange Coordinating Committee. The committee designated Healtheway, a nonprofit organization, to assume operational support of eHealth Exchange, effective October 1st, 2012. Healtheway will support eHealth Exchange with “conformance and interoperability testing, onboarding of new participants in eHealth Exchange, and maintenance of the DURSA, operating policies and procedures, the service registry and digital certificates” [8].

The Direct Project- launched in March 2010, is developing standards and services required to enable secure, directed health information exchange at a more local and less complex level among trusted providers in support of stage 1 Meaningful Use incentive requirements (e.g., a primary care provider sending a referral or care summary to a local specialist electronically, or a physician requesting lab tests electronically). This project will expand the existing Nationwide Health Information Network standards and services, within a policy framework, to enable the simple, direct, and secure transport of health information between health care providers at the local level and their patients [2].

CONNECT- is a free, open source software solution that supports health information exchange, both locally and at the national level. CONNECT uses Nationwide Health Information Network standards, services, and policies to make sure that health information exchanges are compatible with other exchanges being set up throughout the country. CONNECT is the result of a unique collaboration among federal agencies that is coordinated through the Federal Health Architecture program under ONC. Now available for free to all organizations, CONNECT can be used to help set up health information exchanges and share data using nationally recognized interoperability standards. This software solution was initially developed by federal agencies to support their health-related missions [2].

The Federal Health Architecture (FHA) is an E-Government Line of Business (LoB) initiative designed to bring together the decision makers in federal health IT for inter-agency collaboration, resulting in effective health information exchange (HIE), enhanced interoperability among federal health IT systems and efficient coordination of shared services. FHA also supports federal agency adoption of nationally-recognized standards and policies for efficient, secure HIE [7].

Standards Implementation and Testing Environment (SITE)- The SITE is a centralized set of tools to assist developers of Health Information Technology in their efforts to implement the standards required for certification of Electronic Health Record (EHR) technology, and in general, enable health information interoperability. Additionally, the SITE includes a live testing environment with validation and transport tools to assist software developers [12].

3.0 SCALE OF PATIENT DATA AVAILABLE VIA NWHIN
A USA Today article [16] in 2012 described the NwHIN as the “largest consolidation of personal data in the history of the republic”. This serves up critical information on 300 million American citizens on a platter. The alarmist approach taken by this and a number of other authors like Brase Twiler [15] underscores the enormity of the data the health exchanges will make available in real time. Authors of the USA Today article Stephen T. Parente and Paul Howard fear that “when the constantly updated information is combined in a central data hub, the potential for abuse is staggering. For one thing, the hub will have all the details needed to steal identities and fraudulently access credit.”

A 2011 Bioinformatics paper [24] showed that this problem is further complicated by the large amount of health data being digitized, which creates a constant demand to publish the data for more intelligent use. Immense volumes of EHRs are published every year for secondary use, such as medical research, public health, government management, and other healthcare related services. When combined with other data sources, sensitive patient information can be revealed.

The goal of the HIE is to support care management by making it possible to generate patient reports for use at the point of care anywhere. This is important for patients traveling across the US or patients in emergency situations. This goal, however, potentially exposes health data from every American on the health network to queries, not only by the stipulated entities such as providers and public health reporting, including immunization registries, but also by attackers with varying motives. Once electronic medical records are available everywhere, for all patients, though, it is inevitable that more people will want access to this data. It is a goldmine for medical research and all kinds of statistical analysis, for example.

4.0 POLICIES FOR SECURITY AND PRIVACY PROTECTION IN NwHIN
The security and privacy of health information continues to be a concern both among individuals and organizations that handle such information.

The HIT ecosystem is built on patient data. Each visit to the physician or the hospital creates records of personal data, much of which is being collected, stored and transmitted electronically. There are important laws in place to try to protect patient health information and give patients rights to keep mental health, substance abuse and other highly sensitive data confidential. The best-known law in this area is HIPAA. HIPAA was refined for the digital age by HITECH in two key areas: by expanding the definition of Business Associates and by adding new breach response provisions. In 2013, the U.S. Department of Health and Human Services’ (HHS) Office of Civil Rights issued the final omnibus rule under HITECH amending the HIPAA regulations [16].

4.1 HIPAA
HIPAA therefore is the umbrella protection for data available on the NwHIN since the data ultimately comes from the EMR. “HIPAA privacy regulations apply to medical records in any format, which generally means paper or electronic. HIPAA regulates so-called “covered entities,” which it defines as health care providers, health insurers, and health care clearinghouses (an entity that standardizes health information, such as a billing service that processes data into a standardized billing format). HIEs or HIOs, which have access to patient health information because of their role as a data exchange, must follow HIPAA regulations concerning the access, use, disclosure, and confidentiality of patient medical records. They must also notify patients about how the information will be used. In addition, HIPAA requires HIEs and HIOs to have privacy and security policies and procedures in place to safeguard patient health information when it is exchanged. These policies and procedures specify who is authorized to access patient health information, and that the information must be encrypted.” [16]

The HIPAA privacy provisions provide rights to healthcare consumers (patients) such as the right to receive a Notice of Privacy Practices explaining a Covered Entity’s privacy practices. HIPAA also defines the circumstances under which Covered Entities and Business Associates may share PHI without patient authorization, for instance for treatment purposes or as required by law, and imposes administrative requirements like training and sanctions on these entities. A patient’s employer whose benefits program qualifies as a group health plan (GHP) must fulfill all of these requirements. HIPAA also imposes security standards on the use and disclosure of electronic PHI (ePHI), which is central to HIT/HIE. These standards require Covered Entities and Business Associates to perform risk analyses, address any risk gaps, implement an emergency data management plan, and conduct audits, among others. It is a myth that HIPAA “requires” encryption, but HHS does require entities to consider whether it is feasible [16].

Data breaches are central to HIPAA enforcement and to EHRs/HIEs. HITECH introduced new requirements to report data breaches to individuals and the government, and for large breaches, to the media. But there is a safe harbor for breach reporting when data has been secured. HIPAA also permits a risk analysis to determine whether the breach caused harm. An EHR may be pinged by a hacker, but as long as data is not disclosed, or the data meets the secure PHI standard, there is no breach. In almost all cases, breaches must still be reported to the States where the individuals live, under State law [16]. Breach reporting can be very expensive; taking into account some recent mega-breaches, the cost of the average breach is $5.4 million [18].

4.2 Risk Analysis Tools and Templates [17]
Effective Risk Analysis is crucial to any privacy and security strategy to safeguard electronic patient information. The HIPAA Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps organizations ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where an organization’s protected health information (PHI) could be at risk.

In addition to HIPAA, the ONC and HHS provide a reasonable number of security and privacy tools to improve the quality of protection for patient data. They include, but are not limited to:
• Guide to Privacy and Security of Electronic Health Information, the ONC tool to help small health care practices in particular succeed in their privacy and security responsibilities. The Guide includes a sample seven-step approach for implementing a security management process.
• Security Risk Assessment (SRA) Tool, an HHS downloadable tool to help providers from small practices navigate the security risk analysis process.
• Security Risk Analysis Guidance containing OCR’s expectations for how providers can meet the risk analysis requirements of the HIPAA Security Rule.
• HIPAA Security Toolkit Application- National Institute of Standards and Technology (NIST) toolkit to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment.
• Certified Health IT Product List- ONC’s authoritative, comprehensive listing of complete Electronic Health Records (EHRs) and EHR modules that have been tested and certified under the ONC Health IT (HIT) Certification Program.
• Sample Business Associate Contract Provisions- OCR sample Business Associate (BA) contract language to help Covered Entities (CEs) more easily comply with the HIPAA Privacy Rule.
• TEMPLATE: The Model Notices of Privacy Practices (NPPs)- ONC and OCR’s customizable NPPs for use by providers and health plans.
• Mobile Devices – Keeping Health Information Private and Secure- ONC’s web page dedicated to resources for helping providers protect and secure health information on mobile devices.
• “Cybersecure” Training Games- an interactive web-based game that helps organizations better understand the cybersecurity risks and prevention strategies.

4.3 Meaningful Consent [20,21]
Consent should not be a “check-box” exercise as it is practiced in many places today. There is a paradigm shift to meaningful consent that puts more power in the hands of the patient with the ability to reverse consent anytime. The privacy and security TIGER team of the Health IT Policy Committee (federal advisory committee to the ONC) recommended that, towards this goal, patients should be given the opportunity to provide “Meaningful Consent”.

Meaningful consent occurs when the patient makes an informed decision and the choice is properly recorded and maintained. Specifically, the meaningful consent decision has six aspects. The decision should be:
• made with full transparency and education,
• made only after the patient has had sufficient time to review educational material (that is, not under any duress),
• commensurate with circumstances for why health information is exchanged (i.e., the further the information-sharing strays from a reasonable patient expectation, the more time and education is required for the patient before he or she makes a decision),
• not used for discriminatory purposes or as a condition for receiving medical treatment,
• consistent with patient expectations, and
• revocable at any time.
Also with regard to HIEs, the committee recommended that both “opt-in” and “opt-out” consent models were acceptable if the choice provided is meaningful. This approach empowers patients to ‘control’ access to their data and avoid misuse.

Keep in mind that the opt-in/opt-out consent requirement applies only to sharing your medical records electronically. It does not supersede the HIPAA regulations or their presumption of consent for the use of your medical information for purposes of treatment, payment, and routine business operations.

In addition, there are some exceptions to opt-in consent to HIE, including emergency situations—referred to as “break the glass”—when you (or a representative) are unable to give consent for electronic access to your records. Mandatory public health reporting is another exception. This would include, for example, reporting of staph infections, including MRSA (methicillin-resistant Staphylococcus aureus); communicable diseases; HIV/AIDS; and hospital-acquired infections [16].

Some state regulations, e.g. California, also allow you to revoke HIE consent. The revocation becomes effective on the date it is made, and does not apply to health information already exchanged prior to revocation.

4.4 Contracts [16]
Outsourcing information technology systems makes implementation easier but presents numerous risks that are common to many software contracts. Some of these issues include: establishing system prerequisites and protocols for modifications and updates; enforcing service levels, including downtime; without cause termination and transitions; third party license issues (would software licenses be violated through integration with another vendor?); indemnification and limitations of liability. Liability issues loom large if the vendor does not meet the deadlines that allow the organization to qualify for EHR monies. In 2012, Girard Medical Center, located in rural Kansas, sued the Cerner Corporation for failing to implement an EHR system in a timely manner and walking away from the project [19]. EHR contracts can require extensive negotiations, so covered entities must build in the necessary time.

Additionally, for HIEs that extend out into the community and beyond, participating organizations in the HIE sign participation agreements. As end users, they agree to use the system as it is intended to be used, and not to take advantage of the ready access to the vast quantities of PHI submitted by other participants into the HIE. The HIE creates a valuable store of ‘big data’ for interested parties. For instance, a device supplier may be permitted to access HIE data on its patients for quality of care purposes, but it should be prohibited from pulling down data on patients who recently were treated in the emergency department for orthopaedic events in order to market to those patients. Participation agreements must address other issues like capturing patient consent; training staff; representations to input accurate information; breach reporting; proper use of the HIE web and device portals; and compliance with the HIE’s policies and procedures [16].

4.5 Data Segmentation [20,21]
Apart from the opt-in/opt-out approach, HIEs are offering more opportunities for individuals to have some limited choice in what information is shared and with whom, especially on certain types of sensitive data such as mental health, behavioral health, HIV status, and genetic data. This is made possible through data segmentation.

Data segmentation refers to the process of “sequestering from capture, access, or view certain data elements that are perceived by a legal entity, institution, organization or individual as being desirable to share.” [22]

There are, however, a number of challenges to implementing this feature. Current clinical systems are not very sophisticated in their ability to parse or segment specific data elements so that the appropriate segmentation algorithms can be applied. One key challenge is getting the data into structured data fields that can be tagged and coded, but this has met with sharp criticism from providers, who have reported frustration with drop-down lists that do not have the appropriate choice available or that have hundreds of choices to scroll through to find the right one. In addition, individuals and providers need to be engaged and motivated to implement a new and different consent process [21].
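
The consent rules of section 4.3 and the segmentation of section 4.5 can be combined into a single release decision, shown here as an added example that is not code from this paper or from any HIE product. The field names, purpose labels, sample record and the choice to let break-the-glass bypass segmentation tags are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Consent:
    model: str                          # HIE default: "opt-in" or "opt-out"
    choice: Optional[bool] = None       # recorded patient decision, None if none
    revoked_on: Optional[date] = None   # revocation is effective on this date
    withheld: set = field(default_factory=set)  # categories the patient segments


@dataclass
class Request:
    purpose: str                        # hypothetical labels, see disclose()
    on: date                            # date of the exchange
    patient_can_consent: bool = True    # False when patient/representative cannot


def consent_in_force(consent: Consent, on: date) -> bool:
    """Apply revocation first, then the recorded choice, then the HIE default."""
    if consent.revoked_on is not None and on >= consent.revoked_on:
        return False                    # nothing new is shared from this date on
    if consent.choice is not None:
        return consent.choice
    return consent.model == "opt-out"   # silence shares only under opt-out


def disclose(record, consent: Consent, req: Request):
    """Return (released_elements, reason) for one exchange request."""
    # Exception 1: mandatory public health reporting does not depend on consent,
    # but only the elements tagged reportable leave the system.
    if req.purpose == "public_health":
        return [e for e in record if e["reportable"]], "mandatory-reporting"
    # Exception 2: break the glass, only when consent cannot be obtained.
    # Assumption: it also bypasses segmentation; callers must audit this reason.
    if req.purpose == "emergency" and not req.patient_can_consent:
        return list(record), "break-glass"
    # Any other purpose (e.g. marketing) is outside the participation agreement.
    if req.purpose not in ("treatment", "emergency"):
        return [], "purpose-not-permitted"
    if not consent_in_force(consent, req.on):
        return [], "no-consent"
    # Data segmentation: sequester the categories the patient chose to withhold.
    released = [e for e in record if e["category"] not in consent.withheld]
    return released, "consent"


# Constructed sample record; every element carries a category tag.
RECORD = [
    {"category": "medication", "value": "lisinopril 10 mg", "reportable": False},
    {"category": "mental_health", "value": "therapy note", "reportable": False},
    {"category": "infection", "value": "MRSA culture positive", "reportable": True},
]

if __name__ == "__main__":
    patient = Consent("opt-in", choice=True, withheld={"mental_health"},
                      revoked_on=date(2016, 3, 10))
    for req in (
        Request("treatment", date(2016, 3, 9)),
        Request("treatment", date(2016, 3, 10)),
        Request("emergency", date(2016, 3, 11), patient_can_consent=False),
        Request("public_health", date(2016, 3, 11)),
        Request("marketing", date(2016, 3, 9)),
    ):
        released, reason = disclose(RECORD, patient, req)
        print(req.purpose, req.on, reason, [e["category"] for e in released])
```

The decision depends on every element carrying a category tag, which is the structured-data challenge described above: an untagged free-text note cannot be sequestered by this filter.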
		
4.6 Others
Certain security measures and standards are being implemented under the DIRECT project and the CONNECT platform that add a layer of protection to the search/push interfaces that providers and patients will use to access patient data. More information on these security standards may become available later.

5.0 CYBERSECURITY THREATS TODAY
When electronic medical records become universally available under the NwHIN, the number of locations and people interested in and accessing the information will also increase. Even with access controls, technical security, and data breach laws and regulations, increased accessibility will increase the risk of medical identity theft and large-scale medical financial fraud.

A new 2016 Ponemon Study [24] said “Criminal attacks from the outside and negligence from the inside continue to put patient data in the crossfire, the newly released Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data reveals. For the sixth year in a row, data breaches in healthcare are consistently high in terms of volume, frequency, impact, and cost. Nearly 90 percent of healthcare organizations represented in this study had a data breach in the past two years, and nearly half, or 45 percent, had more than five data breaches in the same time period. Estimates based on the results of this study suggest that breaches could be costing the healthcare industry a walloping $6.2 billion. The average cost of data breaches for covered entities surveyed is now more than $2.2 million while average cost to business associates in the study is more than $1 million”. [24]

With this scale of attack on healthcare, the industry is forced to come to terms with the far-reaching impacts of these large-scale breaches. Current research on protecting patient privacy in healthcare information systems is centered on the protection of the EHR, that is, protecting patient information from being abused by authorized users, accessed by unauthorized outsiders, or re-identified from health data published for secondary use [23].

The HIPAA Security Rule was implemented in 2002. Many such security regulations predate the sophisticated attacks that exist today. In this section, we examine the various types of attacks possible on the NwHIN today, some of which the HIPAA Security Rule may not cover.

5.1 Security Concerns [22]
Health care providers will need to address several security issues including encryption, use of personal mobile devices, and cloud storage.

5.1.1 Encryption is an “addressable” security standard under HIPAA. That means covered entities must encrypt protected health information when it “is a reasonable and appropriate safeguard.” (45 CFR § 164.312(a)(2)(iv)). When the HIPAA Security Rule was implemented in 2002, encryption was expensive and challenging to use. The result is that many covered entities still do not encrypt their data. With the enormous amount of personal medical information that will be moving around electronically as HIE gets underway and spreads, the U.S. Department of Health and Human Services (HHS), ONC and HIPAA need to make encryption a requirement and set standards for its use.

5.1.2 Personal mobile devices, like smartphones, tablets and USB drives, are more common today than in 2002. Health care providers often use their personal unsecured devices to record and share unencrypted work-related health information. The speed with which such devices have been adopted is well ahead of policies that govern their use. At the outset of implementing HIE, one policy that health care providers should consider for all mobile devices, including personal devices, is allowing access to personal health data for viewing but not for download and storage.

5.1.3 The cloud—that is, remote servers where more and more businesses are moving their data—will be essential in an era of electronic health information exchange because of the vast amount of data 300 million Americans will create. Health care providers may also want to host their patient portals on cloud-based servers. HIEs may also find it convenient to perform their data search and exchange functions using cloud servers. But then, how good is cloud security? Cloud-based data breaches have already occurred. Cloud services are developing more quickly than laws or regulations can address. As a patient you’re unlikely to know where your medical records actually reside. And you’re forced to rely on the security practices of others to protect the privacy of your information [22].

5.2 Threat Types [25]
As with every computer system, portal, hub or platform, threats and vulnerabilities potentially exist for HIEs and the NwHIN.

Threats are potential events or dangers that may cause damage or inappropriate access to information systems and the sensitive information they contain. Threats may be malicious or accidental. They can damage a system or cause loss of confidentiality, integrity, or availability. Vulnerabilities are system weaknesses that can be exploited by a threat. Reducing system vulnerabilities can reduce the risk and impact of threats to the system significantly [25]. Threats to information security include, but are not limited to, the following:

Authorized users: Based on existing data, the greatest number of security breaches to the NwHIN will likely involve authorized users who use information inappropriately, such as viewing records without a business need.

Theft or loss: Computers, as well as the data they contain, are vulnerable to theft and/or loss from inside and outside the organization. The increasing use of laptops, tablets, smartphones and other handheld devices, along with portable media (i.e., external hard drives and USB thumb drives), makes potential inappropriate access to PHI a greater threat, particularly if these devices lack encryption.

Disgruntled	 employees:	 The	 greatest	 risk	 of	 sabotage	 to	 HIEs	 may	 stem	 from	 an	
organization’s	 own	 employees	 and	 former	 employees.	 Sabotage	 may	 include	
destruction	of	hardware	or	facilities,	planting	logic	bombs	that	destroy	programs	or	
data,	entering	data	incorrectly,	crashing	systems,	deleting	data,	or	changing	data.		
Malicious	code:	Malicious	code	can	attack	both	personal	computers	as	well	as	more	
sophisticated	systems.	It	includes	viruses,	worms,	Trojan	horses,	logic	bombs,	and	
other software. Malicious code programs may play harmless pranks, such as
displaying unwanted phrases or graphics, or they may create serious problems by
destroying or altering data or crashing systems.
Hackers:	Hackers	are	individuals	who	gain	illegal	entry	into	a	computer	system,	often	
without	 malicious	 intent	 but	 simply	 to	 see	 if	 they	 can	 do	 it.	 Although	 insiders	
constitute	the	greatest	threat	to	information	security,	the	hacker	problem	is	serious.	
Systems	accessible	via	remote	access	are	particularly	vulnerable	to	hacker	activity.	
Physical	 and	 facility	 threats:	 Losses	 may	 result	 from	 power	 failure	 (i.e.,	 outages,	
spikes,	and	brownouts),	utility	loss	(i.e.,	loss	of	power,	air	conditioning,	or	heating),	
water	 outages	 and	 leaks,	 sewer	 problems,	 fire,	 flood,	 earthquakes,	 storms,	 civil	
unrest,	or	strikes.	
Errors	 and	 omissions:	 End	 users,	 data	 entry	 clerks,	 system	 operators,	 and	
programmers	may	make	unintentional	errors	that	contribute	to	security	problems.	
These errors create vulnerabilities, cause system crashes, and compromise data integrity.
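The "authorized users" threat above is the one an access audit can catch. The following is an added example, not part of the original paper: it reviews an audit trail for record views that have no documented business need. The log format, user names, patient identifiers and care-team table are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed care-team table: (user, patient) pairs that have a treatment or
# billing relationship. A real HIE would derive this from scheduling/ADT data.
CARE_TEAM = {
    ("dr_adams", "P1001"),
    ("dr_adams", "P1002"),
    ("nurse_lee", "P1001"),
    ("billing_kim", "P1002"),
}

# Constructed audit trail, one entry per line: timestamp|user|patient|action|reason
# The reason field is filled only for "break-glass" (emergency override) access.
SAMPLE_LOG = """\
2016-09-01T08:02:11|dr_adams|P1001|VIEW|
2016-09-01T08:15:40|nurse_lee|P1001|VIEW|
2016-09-01T09:01:05|nurse_lee|P1003|VIEW|
2016-09-01T09:03:17|nurse_lee|P1004|VIEW|
2016-09-01T09:04:55|nurse_lee|P1005|EXPORT|
2016-09-01T10:30:00|dr_adams|P1003|VIEW|emergency: ED admission
2016-09-01T11:12:09|billing_kim|P1002|VIEW|
malformed line without fields
2016-09-01T23:47:31|billing_kim|P1001|VIEW|
"""


def parse_line(line):
    """Return a dict for a well-formed entry, or None so bad lines get counted."""
    parts = line.split("|")
    if len(parts) != 5:
        return None
    ts, user, patient, action, reason = (p.strip() for p in parts)
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    if not user or not patient:
        return None
    return {"when": when, "user": user, "patient": patient,
            "action": action, "reason": reason}


def review_accesses(log_text, care_team, repeat_threshold=3):
    """Split accesses outside the care team into review queues.

    unjustified  : no relationship and no stated reason (likely snooping)
    break_glass  : no relationship but a reason was recorded (needs sign-off)
    repeat_users : users with >= repeat_threshold unjustified accesses
    rejected     : unparseable lines; a gap in the audit trail is itself a finding
    """
    unjustified, break_glass, rejected = [], [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            rejected += 1
            continue
        if (entry["user"], entry["patient"]) in care_team:
            continue  # documented business need
        if entry["reason"]:
            break_glass.append(entry)
        else:
            unjustified.append(entry)
    per_user = Counter(e["user"] for e in unjustified)
    repeat_users = sorted(u for u, n in per_user.items() if n >= repeat_threshold)
    return {"unjustified": unjustified, "break_glass": break_glass,
            "repeat_users": repeat_users, "rejected": rejected}


if __name__ == "__main__":
    report = review_accesses(SAMPLE_LOG, CARE_TEAM)
    for e in report["unjustified"]:
        print("REVIEW", e["when"].isoformat(), e["user"], e["patient"], e["action"])
    for e in report["break_glass"]:
        print("BREAK-GLASS", e["user"], e["patient"], e["reason"])
    print("repeat users:", report["repeat_users"], "rejected lines:", report["rejected"])
```
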
	
5.3	Sophisticated	Attacks	
A 2014 MedCity article26 on the motivation for cyber attacks on healthcare data said
“Patient data is a commodity and depending on the market and other economic
factors, they can net around $50 to $120 per record, possibly more, given the media
attention,” noting that even at the $50 end, for 4.5 million records, that amounts
to $225 million. “The big issue is really around does this create an economic
incentive for others?”26
This	clearly	reveals	some	of	the	motivation	behind	the	consistent	cyber	attacks	on	
the	healthcare	industry.	Many	providers	are	said	to	be	largely	unprepared	for	the	
scale	of	attacks	they	experience.	Part	of	hackers’	growing	sophistication	is	a	direct	
result	of	the	vast	number	of	attack	methodologies	at	their	disposal.	They	can	pick	
and	choose	among	denial	of	service	attacks,	viruses,	worms,	trojans,	malicious	code,	
phishing,	malware,	botnets	and	ransomware,	any	of	which	could	play	a	key	role	in	
opening	business	data	centers	to	intrusion.27	
5.3.1	 Advanced	 persistent	 threats-	 APTs	 usually	 gain	 a	 foothold	 using	 socially	
engineered	Trojans	or	phishing	attacks.	A	very	popular	method	is	for	APT	attackers
to	send	a	very	specific	phishing	campaign	--	known	as	spearphishing	--	to	multiple	
employee	email	addresses.	The	phishing	email	contains	a	Trojan	attachment,	which	
at	 least	 one	 employee	 is	 tricked	 into	 running.	 After	 the	 initial	 execution	 and	 first	
computer	takeover,	APT	attackers	can	compromise	an	entire	enterprise	in	a	matter	
of	hours.	It's	easy	to	accomplish,	but	a	royal	pain	to	clean	up.29	
5.3.2	Network-traveling	worms-	Computer	viruses	aren't	much	of	a	threat	anymore,	
but	their	network-traveling	worm	cousins	are.	Most	organizations	have	had	to	fight	
worms	like	Conficker	and	Zeus.	We	don't	see	the	massive	outbreaks	of	the	past	with	
email	attachment	worms,	but	the	network-traveling	variety	is	able	to	hide	far	better	
than	its	email	relatives.29	
5.3.3	Phishing	attacks-	often	posing	as	a	request	for	data	from	a	trusted	third	party,	
phishing	attacks	are	sent	via	email	and	ask	users	to	click	on	a	link	and	enter	their	
personal	data.	Phishing	emails	have	gotten	much	more	sophisticated	in	recent	years,	
making	it	difficult	for	some	people	to	discern	a	legitimate	request	for	information	
from	a	false	one.	Phishing	emails	often	fall	into	the	same	category	as	spam,	but	are	
more	harmful	than	just	a	simple	ad.28	
5.3.4	 Brute	 force	 password	 attacks-	 a	 third	 party	 trying	 to	 gain	 access	 to	 your	
systems	by	cracking	a	user’s	password	using	software	that	is	typically	run	on	their	
own	system.	Programs	use	many	methods	to	access	accounts,	including	brute	force	
attacks	made	to	guess	passwords,	as	well	as	comparing	various	word	combinations	
against	a	dictionary	file.28	
5.3.5 Denial-of-Service (DoS) Attacks- focus on disrupting the service to a
network. Attackers send high volumes of data or traffic through the network (i.e.
making	lots	of	connection	requests),	until	the	network	becomes	overloaded	and	can	
no	longer	function.	There	are	a	few	different	ways	attackers	can	achieve	DoS	attacks,	
but	 the	 most	 common	 is	 the	 distributed-denial-of-service	 (DDoS)	 attack.	 This	
involves	the	attacker	using	multiple	computers	to	send	the	traffic	or	data	that	will	
overload	the	system.	In	many	instances,	a	person	may	not	even	realize	that	his	or	
her	computer	has	been	hijacked	and	is	contributing	to	the	DDoS	attack.	Disrupting	
service	can	have	serious	consequences	relating	to	security	and	online	access.	Many	
instances	 of	 large	 scale	 DoS	 attacks	 have	 been	 implemented	 as	 a	 sign	 of	 protest	
toward	governments	or	individuals	and	have	led	to	severe	punishment,	including	jail	
time.30	
5.3.6	Aggregation	and	Re-identification-	patient	privacy	could	be	compromised	with	
the	help	of	today’s	information	technologies.	Private	healthcare	information	could	
be	 collected	 by	 aggregating	 and	 associating	 disparate	 pieces	 of	 information	 from	
multiple	 online	 data	 sources	 including	 online	 social	 networks,	 public	 records	 and	
search engine results. User identity and privacy are highly vulnerable to
attribution, inference and aggregation attacks. Analysis of real data shows that
people are highly identifiable to adversaries even when the pieces of information
about the target are inaccurate.23
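To make the aggregation risk measurable before a dataset leaves an HIE, the following added example (not part of the original paper) computes k-anonymity over quasi-identifiers and counts the rows that an auxiliary public list would single out, then repeats the measurement after generalizing the fields. Both datasets, the field names and the generalization rules are constructed for illustration.

```python
from collections import Counter

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")

# Constructed "de-identified" release: names removed, quasi-identifiers kept.
RELEASE = [
    {"zip": "95616", "birth_year": 1961, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "95616", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "95616", "birth_year": 1984, "sex": "M", "diagnosis": "HIV"},
    {"zip": "95618", "birth_year": 1987, "sex": "M", "diagnosis": "depression"},
    {"zip": "95691", "birth_year": 1975, "sex": "F", "diagnosis": "hypertension"},
    {"zip": "95695", "birth_year": 1979, "sex": "F", "diagnosis": "cancer"},
]

# Constructed auxiliary data standing in for public records or social profiles.
PUBLIC = [
    {"name": "Resident A", "zip": "95616", "birth_year": 1961, "sex": "F"},
    {"name": "Resident B", "zip": "95616", "birth_year": 1961, "sex": "F"},
    {"name": "Resident C", "zip": "95616", "birth_year": 1984, "sex": "M"},
    {"name": "Resident D", "zip": "95691", "birth_year": 1975, "sex": "F"},
    {"name": "Resident E", "zip": "95695", "birth_year": 1979, "sex": "F"},
    {"name": "Resident F", "zip": "95695", "birth_year": 1979, "sex": "F"},
]


def qi_key(row, keys=QUASI_IDENTIFIERS):
    """Tuple of quasi-identifier values that an outsider could match on."""
    return tuple(row[k] for k in keys)


def equivalence_classes(rows, keys=QUASI_IDENTIFIERS):
    """Count how many rows share each quasi-identifier combination."""
    return Counter(qi_key(r, keys) for r in rows)


def k_anonymity(rows, keys=QUASI_IDENTIFIERS):
    """Smallest equivalence class size; k == 1 means someone is unique."""
    classes = equivalence_classes(rows, keys)
    return min(classes.values()) if classes else 0


def linkable_rows(release, public, keys=QUASI_IDENTIFIERS):
    """Rows that are unique in the release AND match exactly one public record.

    These are the rows where joining the two sources attaches a name to a
    diagnosis, which is the aggregation risk the release owner must remove.
    """
    rel = equivalence_classes(release, keys)
    pub = equivalence_classes(public, keys)
    return [r for r in release
            if rel[qi_key(r, keys)] == 1 and pub.get(qi_key(r, keys), 0) == 1]


def generalize(row):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix and decade of birth."""
    out = dict(row)
    out["zip"] = row["zip"][:3] + "**"
    out["birth_year"] = f"{row['birth_year'] // 10 * 10}s"
    return out


def risk_report(release, public):
    """k and linkable-row count for the given release against the public list."""
    return {"k": k_anonymity(release),
            "linkable": len(linkable_rows(release, public))}


if __name__ == "__main__":
    print("raw        :", risk_report(RELEASE, PUBLIC))
    coarse_release = [generalize(r) for r in RELEASE]
    coarse_public = [generalize(r) for r in PUBLIC]
    print("generalized:", risk_report(coarse_release, coarse_public))
```

Generalization lowers the linkage count at the cost of analytic precision; it does not address inference from fields outside the chosen quasi-identifiers.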
5.3.7	 “Man	 in	 the	 Middle”	 (MITM)-	By	impersonating	the	endpoints	in	an	online	
information	exchange	(i.e.	the	connection	from	your	smartphone	to	a	website),	the	
MITM	 can	 obtain	 information	 from	 the	 end	 user	 and	 the	 entity	 he	 or	 she	 is	
communicating	with.	For	example,	if	you	are	banking	online,	the	man	in	the	middle	
would	communicate	with	you	by	impersonating	your	bank,	and	communicate	with	
the	bank	by	impersonating	you.	The	man	in	the	middle	would	then	receive	all	of	the	
information	transferred	between	both	parties,	which	could	include	sensitive	data,	
such	 as	 bank	 accounts	 and	 personal	 information.	 Normally,	 a	 MITM	 gains	 access	
through	a	non-encrypted	wireless	access	point	(i.e.	one	that	doesn't	use	WAP,	WPA,	
WPA2	 or	 other	 security	 measures).	 They	 would	 then	 have	 access	 to	 all	 of	 the	
information	being	transferred	between	both	parties.28	
5.3.8	Drive-By	Downloads-	through	malware	on	a	legitimate	website,	a	program	is	
downloaded	to	a	user’s	system	just	by	visiting	the	site.	It	doesn’t	require	any	type	of	
action	by	the	user	to	download.	Typically,	a	small	snippet	of	code	is	downloaded	to	
the	user’s	system	and	that	code	then	reaches	out	to	another	computer	to	get	the	
rest	 and	 download	 the	 program.	 It	 often	 exploits	 vulnerabilities	 in	 the	 user’s	
operating	system	or	in	different	programs,	such	as	Java	and	Adobe.28	
5.3.9	Malvertising-	a	way	to	compromise	your	computer	with	malicious	code	that	is	
downloaded	 to	 your	 system	 when	 you	 click	 on	 an	 affected	 ad.	 Cyber	 attackers	
upload	 infected	 display	 ads	 to	 different	 sites	 using	 an	 ad	 network.	 These	 ads	 are	
then	 distributed	 to	 sites	 that	 match	 certain	 keywords	 and	 search	 criteria.	 Once	 a	
user	 clicks	 on	 one	 of	 these	 ads,	 some	 type	 of	 malware	 will	 be	 downloaded.	 Any	
website	 or	 web	 publisher	 can	 be	 subjected	 to	 malvertising,	 and	 many	 don’t	 even	
know	they’ve	been	compromised.28	
5.3.10	 Rogue	 Software-	 Malware	 that	 masquerades	 as	 legitimate	 and	 necessary	
security	software	that	will	keep	your	system	safe.	Rogue	security	software	designers	
make	pop-up	windows	and	alerts	that	look	legitimate.	These	alerts	advise	the	user	to	
download	 security	 software,	 agree	 to	 terms	 or	 update	 their	 current	 system	 in	 an	
effort	 to	 stay	 protected.	 By	 clicking	 “yes”	 to	 any	 of	 these	 scenarios,	 the	 rogue	
software	is	downloaded	to	the	user’s	computer.28	
5.3.11 Ransomware attacks- Typically, the bad guys get in and use network
administration tools to map out where the assets in an organization are, such as the
electronic medical record system, billing system and insurance claims. Criminals then
encrypt the data, rendering it impossible to access. When users can’t get access,
criminals	provide	the	key	—	for	a	price.31
“The	attack	on	Hollywood	Presbyterian	Medical	Center	in	Southern	California	earlier	
this	 year,	 the	 first	 in	 a	 string	 of	 high-profile	 attacks	 on	 healthcare	 organizations,	
highlights	 the	 challenges	 that	 ransomware	 poses.	 The	 perpetrators	 took	 out	 the	
hospital’s	entire	network	for	more	than	a	week,	leaving	staff	without	access	to	email	
and	critical	patient	data.	The	malware	crippled	the	hospital’s	emergency	room	and	
other	computer	systems	necessary	for	patient	care,	and	forced	hospital	staff	to	log	
medical	 records	 with	 pen	 and	 paper.”	 According	 to	 the	 Federal	 Bureau	 of	
Investigation,	ransomware	victims	in	the	first	quarter	of	2016	alone	paid	attackers	
$209	million,	and	in	2015	producers	of	the	CryptoWall	ransomware	attack	generated	
ransom	of	more	than	$300	million.	The	financial	motivation	for	ransomware	attacks	
suggests	that	the	threat	is	unlikely	to	go	away	any	time	soon.	Ransomware	has	the	
highest monetary value for cyber criminals.32
	
	
6.0	HIE/NWHIN	DATA	PROTECTION	POLICIES	
The Electronic Healthcare Network Accreditation Commission (EHNAC),33 which
established standard criteria for the accreditation of organizations that exchange
healthcare data, recognizes the broader significance of NHIN integrity and has
developed	a	program	that	protects	the	integrity	of	HIEs.	Designed	for	regional	health	
information	 organizations	 (RHIOs),	 community	 health	 data/network	 partnerships	
and	 other	 groups	 that	 promote	 data	 sharing	 across	 multiple,	 independent	
stakeholders,	 EHNAC’s	 HIE	 accreditation	 program	 assesses	 the	 privacy	 policies,	
security	 measures,	 technical	 performance,	 business	 practices	 and	 organizational	
resources of participating entities. In order to achieve EHNAC’s HIE accreditation, the
HIE	must	have	specific	measures	in	place	including:	
a. Policies	 for	 access	 to	 the	 exchange	 to	 ensure	 that	 those	 accessing	 the	
exchange	are	permitted	users;	
b. Agreements	to	provide	transparency,	foster	trust,	and	establish	expectations	
among	participants;	
c. Auditing	and	monitoring	protocols	to	ensure	that	unauthorized	access	does	
not	occur;	
d. User	 authentication	 to	 ensure	 that	 only	 the	 appropriate	 persons	 are	
accessing	the	exchange;	
e. Consumer	 consent	 policies	 to	 ensure	 consistent	 practices	 in	 obtaining	
consumer	consent;	
f. Separate	and	distinguished	databases	that	maintain	specific	information;	
g. Governance	to	oversee	the	activities	of	the	HIE,	and	ensure	that	appropriate	
privacy	and	security	standards	are	enforced;	
h. Private	 and	 confidential	 data	 maintenance,	 with	 appropriate	 measures	 to	
mitigate	any	potential	violation	or	breach;
i. Data	is	released	following	strict	guidelines	established	to	protect	the	privacy	
and	security	of	the	data	in	instances	where	the	HIE	engages	in	appropriate	
and	purposeful	secondary	uses	of	data.33
	
	
7.0	HIE/NWHIN	DATA	BREACHES		
A	2012	article	by	Beth	Walsh	in	Clinical	Innovation	+	Technology	said	“Meanwhile,	
the	list	of	publicly	disclosed	data	breaches	indicates	that	very	few	breaches	occur	
during exchange but rather as a result of physical loss or theft of media.” “So, we
feel	that	the	existing	privacy	and	security	protections	in	HIPAA	are	sufficient,	at	least	
at	this	juncture,	for	the	foundational	NwHIN.”33	
This	gives	the	impression	that	significant	data	breaches	were	yet	to	occur,	possibly	
because	most	of	the	NwHIN	projects	were	still	in	pilot	or	nascent	stages	at	the	time	
the paper was authored. An extensive online search revealed no major data breach to
date in the HIE/NwHIN, suggesting that proactive measures are being taken to cut
down on attacks through some of the HIE policies stated above, including tighter
contracts for third parties.
However, with the appallingly rapid rate of data breaches in the healthcare industry as
a whole, which recently became the most frequently attacked in America,22 and the
consistent attacks on protected health information by outsiders and insiders,
there is sufficient reason to fear that such breaches will eventually reach the NwHIN,
since the exchange is layered on existing EMRs.
	
8.0	CONCLUSION	
A critical examination of the Nationwide Health Information Network (its potential,
benefits and challenges) shows there is great promise for healthcare data in the US,
and patients will realize immense benefit from personal access to their health record,
useful in any type of encounter scenario in any location. The NwHIN will improve
quality of care and efficiency, and reduce cost. However, connecting all EMRs, and
potentially the personal information of over 300 million Americans, is sure to draw the
attention of several third parties such as research organizations, public health
institutions, quality evaluation organizations and also hackers, for whom healthcare
data has become a very lucrative income stream. With several sophisticated attack
methods at attackers' disposal, current antimalware, anonymization/deidentification,
intrusion detection and vulnerability scanning have become insufficient to protect
against these attacks. HIEs under the NwHIN have to comply with several security
standards under HIPAA and other regulatory bodies, going beyond the fine print to
ensure protection of patient data and the reputation of their brand.
	
9.0	REFERENCES	
1. Nationwide Health Information Network. Indian Health Service. https://www.ihs.gov/hie/index.cfm?module=dsp_hie_nwhin. Visited 9/9/16
2. Get the Facts about The Nationwide Health Information Network, Direct Project, And Connect Software. https://www.healthit.gov/sites/default/files/hie-interoperability/hitech-fs-hin-facts-v1.pdf. Visited 9/9/16
3. Brian E Dixon, Atif Zafar, J Marc Overhage. A Framework for evaluating the costs, effort, and value of nationwide health information exchange. Journal of the American Medical Informatics Association May 2010, 17 (3) 295-301. http://jamia.oxfordjournals.org/content/17/3/295?ref=vidupdatez.com/image. Visited 9/9/16
4. Patricia Fontaine et al. Systematic Review of Health Information Exchange in Primary Care Practices. J Am Board Fam Med September-October 2010 vol. 23 no. 5 655-670.
5. https://www.healthit.gov/policy-researchers-implementers/nwhin-history-background. Visited 9/9/16
6. https://www.federalregister.gov/documents/2012/05/15/2012-11775/nationwide-health-information-network-conditions-for-trusted-exchange. Visited 9/9/16
7. https://www.healthit.gov/policy-researchers-implementers/federal-health-architecture-fha. Visited 9/9/16
8. Roberta et al. NwHIN Exchange Completes Transition to eHealth Exchange. Oct 11, 2012. http://www.hieanswers.net/nwhin-exchange-completes-transition-to-ehealth-exchange/. Visited 9/9/16
9. Brian E Dixon, Atif Zafar, J Marc Overhage. A Framework for evaluating the costs, effort, and value of nationwide health information exchange. Journal of the American Medical Informatics Association. Volume 17, Issue 3. Pp. 295-301
10. Roberta Mullin. Healthcare IT news. Government and Policy. NHIN, NwHIN and Healtheway. September 11, 2012. http://www.healthcareitnews.com/news/nhin-nwhin-and-healtheway
11. Oregon Health & Science University OHSU Clinical Informatics Wiki. http://clinfowiki.org/wiki/index.php/Nationwide_Health_Information_Network. Visited 9/9/16
12. http://www.siframework.org/implementation.html. Visited 9/9/16
13. Leslie Lenert, David Sundwall, Michael Edward Lenert. Shifts in the architecture of the Nationwide Health Information Network. Journal of the American Medical Informatics Association Jul 2012, 19 (4) 498-502; DOI: 10.1136/amiajnl-2011-000442. Visited 9/9/16
14. Brase, T. (2013). The affordable care act destroys privacy. Journal Of American Physicians And Surgeons, (4), 108.
15. Parente ST, Howard P. Potential ObamaCare privacy nightmare. USA Today, Dec 6, 2012. Available at: http://www.usatoday.com/story/opinion/2012/12/06/column-potential-obamacare-privacynightmare/1752211/. Visited Sep 9, 2016.
16. Lisa W. Clark. Health Information Technology, Patient Data And Health Care Reform: Rewards And Risks In The New Ecosystem. Pennsylvania Bar Association. http://www.duanemorris.com/articles/static/PABAR_clark_0414.pdf. Visited 9/9/16
17. https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources. Visited 9/9/16
18. Ponemon Institute, 2013 Cost of Data Breach Study, 5 (May 2013), available at https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf. Visited 9/9/16
19. Hospital District No. 1 of Crawford County v. Cerner Corporation, No. 12-CV-02025 (Feb. 10, 2012) (First Amended Complaint).
20. https://www.healthit.gov/providers-professionals/patient-consent-electronic-health-information-exchange. Visited 9/9/16
21. Raths, David. "How do we segment data for privacy? Local and national projects aim to share data within the current limitations." Behavioral Healthcare 35.3 (2015): 42+. Academic OneFile. Web.
22. California Medical Privacy Fact Sheet C6: Health Information Exchange: Is Your Privacy Protected? https://www.privacyrights.org/fs/fsC6/CA-medical-HIE#benefits-risks. Visited 8/10/16
23. New threats to health data privacy. Fengjun Li, Xukai Zou, Peng Liu, Jake Y Chen. BMC Bioinformatics. 2011; 12(Suppl 12): S7. Published online 2011 Nov 24.
24. http://www.ponemon.org/blog/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data?s=healthcare. Visited 9/9/16
25. William M. Miaoulis, Tom Walsh. AHIMA. “HIPAA Security Overview (Updated).” (Updated December 2014). http://library.ahima.org/doc?oid=300244#.V9NmlhSy-oI. Visited 9/9/16
26. DAN VEREL. Healthcare hackers see increasing profit in stealing patient data. http://medcitynews.com/2014/08/healthcare-hackers-see-increasing-value-patient-data/?trendmd-shared=0&rf=1. Aug 19, 2014. Visited 9/9/16
27. LANCE COTTRELL. Today’s Hackers Are Way More Sophisticated Than You Think. http://readwrite.com/2015/02/04/sophisticated-hackers-defense-in-depth/. February 4, 2015. Visited 9/9/16
28. Megan Sullivan. 8 Types of Cyber Attacks Your Business Needs to Avoid. http://quickbooks.intuit.com/r/technology-and-security/8-types-of-cyber-attacks-your-business-needs-to-avoid/. Visited 9/9/16
29. Roger A. Grimes. The 5 cyber attacks you're most likely to face. InfoWorld Security Adviser. http://www.infoworld.com/article/2616316/security/the-5-cyber-attacks-you-re-most-likely-to-face.html. Dec 4, 2012. Visited 9/9/16
30. Chris Thornton. Understanding The Different Types Of Cyber-Attack, http://www.shacktech.co.uk/blog/2016/01/18/understanding-the-different-types-of-cyber-attack/. Visited 9/9/16
31. ANDIS ROBEZNIEKS. Healthcare orgs complacent as hackers get more sophisticated. http://medcitynews.com/2016/05/hackers-sophisticated/?rf=1. May 13, 2016. Visited 9/9/16
32. Greg Slabodkin. Healthcare a prime target as ransomware threat widens. http://www.healthdatamanagement.com/news/no-industry-immune-to-ransomware-and-healthcare-now-immense-target?feed=00000152-1268-da4c-af7b-567ac5a10000. September 08 2016. Visited 9/9/16

 
Security Best Practices for Health Information Exchange
Security Best Practices for Health Information ExchangeSecurity Best Practices for Health Information Exchange
Security Best Practices for Health Information Exchange
 
E health
E healthE health
E health
 
1)Health data is sensitive and confidential; hence, it should .docx
1)Health data is sensitive and confidential; hence, it should .docx1)Health data is sensitive and confidential; hence, it should .docx
1)Health data is sensitive and confidential; hence, it should .docx
 
Electronic Health Records - Market Landscape
Electronic Health Records - Market LandscapeElectronic Health Records - Market Landscape
Electronic Health Records - Market Landscape
 
Greater Interoperability in Healthcare 2022: Data & Technology
Greater Interoperability in Healthcare 2022: Data & TechnologyGreater Interoperability in Healthcare 2022: Data & Technology
Greater Interoperability in Healthcare 2022: Data & Technology
 
Vision 2020 FINAL
Vision 2020 FINALVision 2020 FINAL
Vision 2020 FINAL
 

Tobi_NwHIN Privacy and Security final Paper

ABSTRACT

The NwHIN is a nationwide project sponsored by the ONC to make patient data available to providers and patients on-demand to improve the quality of healthcare, save cost and improve care coordination, among other huge benefits. HIE makes this possible by connecting providers via the internet. Patient portals will also make the information available to patients when they need it for care. When fully implemented, this will make all the patient data of Americans available to providers all over America. This is a breath-taking amount of data with huge market value among attackers. Does the NwHIN have the capacity to protect this large amount of data adequately in the light of today’s sophisticated attacks from insiders and intruders? All the loopholes, concerns and challenges need to be identified and addressed to ensure the safest approach is utilized to protect patient privacy.

1.0 INTRODUCTION

The Nationwide Health Information Network (NwHIN) is a set of standards, services and policies that enable secure health information exchange over the Internet. The network will provide a foundation for the exchange of health information across diverse entities, within communities and across the country, helping to achieve the goals of the HITECH Act [1]. As part of its health IT agenda, the Office of the National Coordinator for Health Information Technology (ONC) has provided funding for a number of health IT programs, including the development of the Nationwide Health Information Network. These standards, services, and policies will help move health care from a system where patient information is stored in paper medical records and carried from one doctor’s office to the next to a process where information is stored and shared securely and electronically. Health information will follow the patient and be available for clinical decision making as well as for uses beyond direct patient care, such as measuring quality of care.
The Nationwide Health Information Network is NOT a physical network that runs on servers at the U.S. Department of Health & Human Services, nor is it a large network that stores patient records [2]. Health Information Exchange (HIE) makes access to cross-border patient information possible by connecting patient data from several providers, making it available on-demand through the internet. The 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) wanted this operational by 2014. Although this goal hasn’t been reached, HITECH-funded HIE demonstration projects are now underway in all states [22]. This means that when the project is fully operational, patient healthcare information will become available to healthcare providers all over the US. Patients will also be able to access their own records via the internet, opening up the platform potentially to every American or, in reality,
everyone in the world who has internet access. Although data protection exists through HIPAA, and de-identification and encryption should be implemented, these current privacy policies do not match up to the sophistication of today’s attacks. With the huge data breaches in recent experience, the NwHIN privacy and security regulations should be reviewed to improve security and protect patient privacy.

1.1 BACKGROUND AND HISTORY

ONC began to develop the NHIN in 2004. The first phase included development of prototype architectures, and the second phase developed specifications and services, and working constructs. In 2005, ONC established four consortia to architect a standards-based, nationwide network for health data exchange. The consortia developed a technical framework that defined several core NHIN services which included, but were not limited to, locating and retrieving information, providing consumers with access to personal health records, and identity management. The consortia were followed by 16 contractors and grantees that developed ‘production-ready’ systems which implemented the various core services [3].

The Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5), was enacted on February 17, 2009. The HITECH Act amended the Public Health Service Act (PHSA) and established “Title XXX—Health Information Technology and Quality” to improve health care quality, safety, and efficiency through the promotion of HIT and the electronic exchange of health information.
More specifically, section 3001(c)(8) of the PHSA requires the National Coordinator for Health Information Technology (National Coordinator) to “establish a governance mechanism for the nationwide health information network.” [6]

The American Recovery and Reinvestment Act (ARRA) of 2009 showed the Federal government's unprecedented interest in increasing the use of health IT to optimize the health care system. The ARRA devotes approximately $19 billion to increasing participation in health information exchange (HIE). The goal was to create regional health information organizations (RHIOs) that will ultimately be linked to form a Nationwide Health Information Network [4].

The NHIN has developed a comprehensive governance framework. The primary artifact of the governance work is the Data Use and Reciprocal Support Agreement (DURSA), a legal framework authorizing the exchange of protected health information across the NHIN. The DURSA, at its core, provides privacy and security for the information exchanged. It further describes the governance of the NHIN and the requirements for those entities which desire to become part of the NHIN. The technical, legal, and governance frameworks create a pathway for operational data exchange to occur between HIEs in the near future.

2.0 RELEVANT CONCEPTS AND DEFINITIONS

Health Information Exchange- HIE is the electronic exchange of individual medical information with other health care providers. The term HIE is often used interchangeably as a noun—an organization that exchanges health information—and a verb—the exchange of health information. An HIE in its noun form may also be called a health information organization (HIO), which administers the exchange of health information [22].

Nationwide Health Information Network Exchange- formerly known as the NHIN Cooperative, this is a group of stakeholders and integrated delivery networks that are collaborating to securely exchange health information electronically. The group includes federal agencies, local, regional and state-level Health Information Exchange Organizations (HIOs) and private organizations [2].

eHealth Exchange- In 2012, ONC announced the successful transition of the NwHIN Exchange to eHealth Exchange. The eHealth Exchange is made up of federal agencies and private partners that have implemented nationwide health information network standards and services and executed the Data Use and Reciprocal Support Agreement (DURSA), a legal agreement, in order to securely exchange electronic health information. Participating organizations in eHealth Exchange mutually agree to support this common set of standards and specifications [8].

Healtheway- Overseeing the eHealth Exchange and defined in the DURSA is the Exchange Coordinating Committee. The committee designated Healtheway, a nonprofit organization, to assume operational support of eHealth Exchange, effective October 1st, 2012. Healtheway will support eHealth Exchange with “conformance and interoperability testing, onboarding of new participants in eHealth Exchange, and maintenance of the DURSA, operating policies and procedures, the service registry and digital certificates” [8].

The Direct Project- launched in March 2010, is developing standards and services required to enable secure, directed health information exchange at a more local and less complex level among trusted providers in support of stage 1 Meaningful Use incentive requirements (e.g., a primary care provider sending a referral or care summary to a local specialist electronically, or a physician requesting lab tests electronically). This project will expand the existing Nationwide Health Information Network standards and services, within a policy framework, to enable the simple, direct, and secure transport of health information, between health care providers at the local level and their patients [2].

CONNECT- is a free, open source software solution that supports health information exchange – both locally and at the national level. CONNECT uses Nationwide Health
Information Network standards, services, and policies to make sure that health information exchanges are compatible with other exchanges being set up throughout the country. CONNECT is the result of a unique collaboration among federal agencies that is coordinated through the Federal Health Architecture program under ONC. Now available for free to all organizations, CONNECT can be used to help set up health information exchanges and share data using nationally recognized interoperability standards. This software solution was initially developed by federal agencies to support their health-related missions [2].

The Federal Health Architecture (FHA) is an E-Government Line of Business (LoB) initiative designed to bring together the decision makers in federal health IT for inter-agency collaboration, resulting in effective health information exchange (HIE), enhanced interoperability among federal health IT systems and efficient coordination of shared services. FHA also supports federal agency adoption of nationally-recognized standards and policies for efficient, secure HIE [7].

Standards Implementation and Testing Environment (SITE)- The SITE is a centralized set of tools to assist developers of Health Information Technology in their efforts to implement the standards required for certification of Electronic Health Record (EHR) technology, and in general, enable health information interoperability. Additionally, the SITE includes a live testing environment with validation and transport tools to assist software developers [12].

3.0 SCALE OF PATIENT DATA AVAILABLE VIA NWHIN

A USA Today article [16] in 2012 described the NwHIN as the “largest consolidation of personal data in the history of the republic”. This serves up critical information on 300 million American citizens on a platter. The alarmist approach taken by this and a number of other authors like Brase Twiler [15] underscores the enormity of the data the health exchanges will make available in real time.
The authors of the USA Today article, Stephen T. Parente and Paul Howard, fear that “when the constantly updated information is combined in a central data hub, the potential for abuse is staggering. For one thing, the hub will have all the details needed to steal identities and fraudulently access credit.”

A 2011 Bioinformatics paper [24] showed that this problem is further complicated by the large amount of health data being digitalized, always creating a demand to publish the data for more intelligent use. Immense volumes of EHRs are published every year for secondary use, such as medical research, public health, government management, and other healthcare related services. When combined with other data sources, sensitive patient information can be revealed.

The goal of the HIE is to support care management by making it possible to generate patient reports for use at the point of care anywhere. This is important for patients traveling across the US or patients in emergency situations. This goal, however, potentially exposes health data from every American on the health network to queries, not only by the stipulated entities such as providers and public health reporting, including immunization registries, but also by attackers with varying motives. Once electronic medical records are available everywhere, for all patients, though, it is inevitable that more people will want access to this data. It is a goldmine for medical research and all kinds of statistical analysis, for example.

4.0 POLICIES FOR SECURITY AND PRIVACY PROTECTION IN NwHIN

The security and privacy of health information continues to be a concern both among individuals and organizations that handle such information. The HIT ecosystem is built on patient data. Each visit to the physician or the hospital creates records of personal data, much of which is being collected, stored and transmitted electronically. There are important laws in place to try to protect patient health information and give patients rights to keep mental health, substance abuse and other highly sensitive data confidential. The best-known law in this area is HIPAA. HIPAA was refined for the digital age by HITECH in two key areas: by expanding the definition of Business Associates and by adding new breach response provisions. In 2013, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights issued the final omnibus rule under HITECH amending the HIPAA regulations [16].

4.1 HIPAA

HIPAA therefore is the umbrella protection for data available on the NwHIN since the data ultimately comes from the EMR. “HIPAA privacy regulations apply to medical records in any format, which generally means paper or electronic.
HIPAA regulates so-called “covered entities,” which it defines as health care providers, health insurers, and health care clearinghouses (an entity that standardizes health information, such as a billing service that processes data into a standardized billing format). HIEs or HIOs, which have access to patient health information because of their role as a data exchange, must follow HIPAA regulations concerning the access, use, disclosure, and confidentiality of patient medical records. They must also notify patients about how the information will be used. In addition, HIPAA requires HIEs and HIOs to have privacy and security policies and procedures in place to safeguard patient health information when it is exchanged. These policies and procedures specify who is authorized to access patient health information, and that the information must be encrypted.” [16]

The HIPAA privacy provisions provide rights to healthcare consumers (patients) such as the right to receive a Notice of Privacy Practices explaining a Covered Entity’s privacy practices. HIPAA also defines the circumstances under which Covered Entities and Business Associates may share PHI without patient authorization, for instance for treatment purposes or as required by law, and imposes administrative requirements like training and sanctions on these entities. A patient’s employer whose benefits program qualifies as a group health plan (GHP) must fulfill all of these requirements.

HIPAA also imposes security standards on the use and disclosure of electronic PHI (ePHI), which is central to HIT/HIE. These standards require Covered Entities and Business Associates to perform risk analyses, address any risk gaps, implement an emergency data management plan, and conduct audits, among others. It is a myth that HIPAA “requires” encryption, but HHS does require entities to consider whether it is feasible [16].

Data breaches are central to HIPAA enforcement and to EHRs/HIEs. HITECH introduced new requirements to report data breaches to individuals and the government, and for large breaches, to the media. But there is a safe harbor for breach reporting when data has been secured. HIPAA also permits a risk analysis to determine whether the breach caused harm. An EHR may be pinged by a hacker, but as long as data is not disclosed, or the data meets the secure PHI standard, there is no breach. In almost all cases breaches must still be reported to the States where the individuals live, under State law [16]. Breach reporting can be very expensive; taking into account some recent mega-breaches, the cost of the average breach is $5.4 million [18].

4.2 Risk Analysis Tools and Templates [17]

Effective Risk Analysis is crucial to any privacy and security strategy to safeguard electronic patient information.
The HIPAA Security Rule requires that covered entities conduct a risk assessment of their healthcare organization. A risk assessment helps organizations ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where an organization’s protected health information (PHI) could be at risk. In addition to HIPAA, the ONC and HHS provide a reasonable amount of security and privacy tools to improve the quality of protection for patient data. A number of them include, but are not limited to:

• Guide to Privacy and Security of Electronic Health Information- the ONC tool to help small health care practices in particular succeed in their privacy and security responsibilities. The Guide includes a sample seven-step approach for implementing a security management process.
• Security Risk Assessment (SRA) Tool- a HHS downloadable tool to help providers from small practices navigate the security risk analysis process.
• Security Risk Analysis Guidance- contains OCR’s expectations for how providers can meet the risk analysis requirements of the HIPAA Security Rule.
• HIPAA Security Toolkit Application- National Institute of Standards and Technology (NIST) toolkit to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment.
• Certified Health IT Product List- ONC’s authoritative, comprehensive listing of complete Electronic Health Records (EHRs) and EHR modules that have been tested and certified under the ONC Health IT (HIT) Certification Program.
• Sample Business Associate Contract Provisions- OCR sample Business Associate (BA) contract language to help Covered Entities (CEs) more easily comply with the HIPAA Privacy Rule.
• TEMPLATE: The Model Notices of Privacy Practices (NPPs)- ONC and OCR’s customizable NPPs for use by providers and health plans.
• Mobile Devices – Keeping Health Information Private and Secure- ONC’s web page dedicated to resources for helping providers protect and secure health information on mobile devices.
• “Cybersecure” Training Games- an interactive web-based game that helps organizations better understand the cybersecurity risks and prevention strategies.

4.3 Meaningful Consent [20,21]

Consent should not be a “check-box” exercise as it is practiced in many places today. There is a paradigm shift to Meaningful consent that puts more power in the hands of the patient with the ability to reverse consent anytime. The privacy and security TIGER team of the Health IT Policy Committee (federal advisory committee to the ONC) recommended that, towards this goal, patients should be given the opportunity to provide “Meaningful Consent”.
Meaningful consent occurs when the patient makes an informed decision and the choice is properly recorded and maintained. Specifically, the meaningful consent decision has six aspects. The decision should be:

• made with full transparency and education,
• made only after the patient has had sufficient time to review educational material (that is, not under any duress),
• commensurate with circumstances for why health information is exchanged (i.e., the further the information-sharing strays from a reasonable patient expectation, the more time and education is required for the patient before he or she makes a decision),
• not used for discriminatory purposes or as a condition for receiving medical treatment,
• consistent with patient expectations, and
• revocable at any time.

Also with regard to HIEs, the committee recommended that both “opt-in” and “opt-out” consent models were acceptable if the choice provided is meaningful. This approach empowers patients to ‘control’ access to their data and avoid misuse.

Keep in mind that opt-in/opt-out consent requirement applies only to sharing your medical records electronically. It does not supersede the HIPAA regulations or their presumption of consent for the use of your medical information for purposes of treatment, payment, and routine business operations. In addition, there are some exceptions to opt-in consent to HIE, including emergency situations—referred to as “break the glass”—when you (or a representative) are unable to give consent for electronic access to your records. Mandatory public health reporting is another exception. This would include, for example, reporting of staph infections, including MRSA (methicillin-resistant Staphylococcus aureus); communicable diseases; HIV/AIDS; and hospital-acquired infections [16]. Some state regulations, e.g. California, also allow you to revoke HIE consent. The revocation becomes effective on the date it is made, and does not apply to health information already exchanged prior to revocation.

4.4 Contracts [16]

Outsourcing information technology systems makes implementation easier but presents numerous risks that are common to many software contracts.
Some of these issues include: establishing system prerequisites and protocols for modifications and updates; enforcing service levels, including downtime; without cause termination and transitions; third party license issues (would software licenses be violated through integration with another vendor?); indemnification and limitations of liability. Liability issues loom large if the vendor does not make deadlines so that the organization may qualify for EHR monies. In 2012, Girard Medical Center, located in rural Kansas, sued the Cerner Corporation for failing to implement an EHR system in a timely manner and walking away from the project [19]. EHR contracts can require extensive negotiations, so covered entities must build in the necessary time.

Additionally, for HIEs that extend out into the community and beyond, participating organizations in the HIE sign participation agreements. As end users, they agree to use the system as it is intended to be used, and not to take advantage of the ready access to the vast quantities of PHI submitted by other participants into the HIE. The HIE creates a valuable store of ‘big data’ for interested parties. For instance, a device supplier may be permitted to access HIE data on its patients for quality of care purposes, but it should be prohibited from pulling down data on patients who recently were treated in the emergency department for orthopaedic events in order to market to those patients. Participation agreements must address other issues like capturing patient consent; training staff; representations to input accurate information; breach reporting; proper use of the HIE web and device portals; and compliance with the HIE’s policies and procedures [16].

4.5 Data Segmentation [20,21]

Apart from the opt-in/opt-out approach, HIEs are offering more opportunities for individuals to have some limited choice in what information is shared and with whom, especially on certain types of sensitive data such as mental health, behavioral health, HIV status, and genetic data. This is made possible through data segmentation. Data segmentation refers to the process of “sequestering from capture, access, or view certain data elements that are perceived by a legal entity, institution, organization or individual as being desirable to share.” [22] There are, however, a number of challenges to implementing this feature. Current clinical systems are not very sophisticated with respect to having the ability to parse or segment specific data elements to apply the appropriate segmentation algorithms.
One key challenge is getting the data into structured data fields that can be tagged and coded, but this has met with sharp criticism by providers who have reported frustration with drop-down lists that do not have the appropriate choice available or that have hundreds of choices to scroll through to find the right one. In addition, individuals and providers need to be engaged and motivated to implement a new and different consent process [21].

4.6 Others

Certain security measures and standards are being implemented under the DIRECT project and the CONNECT platform that add a layer of protection to the search/push interfaces that providers and patients will use to access patient data. More information on these security standards may become available later.
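
The consent rules of section 4.3 (opt-in/opt-out, revocation, break the glass, mandatory public health reporting) and the data segmentation of section 4.5 can be combined into a single release decision over tagged data elements. The sketch below is an added example, not part of the original paper or of any NwHIN, CONNECT or Direct software; the Element and Consent models, the category tags, the purpose names and the rule that segmented categories stay withheld under break the glass are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Sensitive categories named in section 4.5; the tag strings are assumptions.
SENSITIVE = frozenset({"mental_health", "behavioral_health", "hiv_status", "genetic"})


@dataclass(frozen=True)
class Element:
    """One structured, coded data element of a patient record (hypothetical model)."""
    code: str
    category: str             # "general" or a member of SENSITIVE
    reportable: bool = False  # covered by mandatory public health reporting


@dataclass(frozen=True)
class Consent:
    """A patient's recorded HIE consent (hypothetical model)."""
    model: str                             # HIE default: "opt-in" or "opt-out"
    choice: Optional[bool] = None          # explicit decision, None if never asked
    revoked_at: Optional[datetime] = None  # revocation is effective from this time
    withheld: frozenset = frozenset()      # sensitive categories to sequester

    def __post_init__(self):
        if self.model not in ("opt-in", "opt-out"):
            raise ValueError(f"unknown consent model: {self.model!r}")
        unknown = set(self.withheld) - SENSITIVE
        if unknown:
            raise ValueError(f"not a segmentable category: {sorted(unknown)}")

    def permits_exchange(self, at: datetime) -> bool:
        # Revocation stops exchanges from its effective time onward; anything
        # exchanged before that time is unaffected.
        if self.revoked_at is not None and at >= self.revoked_at:
            return False
        if self.choice is not None:
            return self.choice
        return self.model == "opt-out"  # opt-out shares by default, opt-in does not


def release(elements, consent, purpose, requester, at, audit, reason=None):
    """Return the elements that may be disclosed and append the decision to audit."""
    visible = [e for e in elements if e.category not in consent.withheld]
    if purpose == "public_health":
        # Mandatory reporting is an exception to consent: reportable elements only.
        decision, out = "permit:mandatory-reporting", [e for e in elements if e.reportable]
    elif purpose == "emergency":
        # Break the glass: needs a stated reason. Assumption of this sketch:
        # segmented categories stay sequestered even in an emergency.
        if reason:
            decision, out = "permit:break-glass", visible
        else:
            decision, out = "deny:break-glass-without-reason", []
    elif purpose == "treatment":
        if consent.permits_exchange(at):
            decision, out = "permit:consent", visible
        else:
            decision, out = "deny:no-consent", []
    else:
        # Any other purpose (for example marketing) is outside the agreement.
        decision, out = "deny:purpose-not-permitted", []
    audit.append({"at": at, "requester": requester, "purpose": purpose,
                  "decision": decision, "reason": reason,
                  "codes": [e.code for e in out]})
    return out


def break_glass_review(audit):
    """Audit entries a privacy officer should review after the fact."""
    return [a for a in audit if a["purpose"] == "emergency"]


# Constructed sample record and consent, for illustration only.
RECORD = [
    Element("allergy:penicillin", "general"),
    Element("dx:major-depression", "mental_health"),
    Element("lab:hiv-antibody", "hiv_status", reportable=True),
    Element("lab:mrsa-culture", "general", reportable=True),
]
CONSENT = Consent("opt-in", choice=True, revoked_at=datetime(2016, 6, 1),
                  withheld=frozenset({"mental_health", "hiv_status"}))

if __name__ == "__main__":
    log = []
    for purpose, when, why in [
        ("treatment", datetime(2016, 5, 1), None),
        ("treatment", datetime(2016, 7, 1), None),
        ("emergency", datetime(2016, 7, 2), "unconscious patient in ED"),
        ("public_health", datetime(2016, 7, 3), None),
        ("marketing", datetime(2016, 5, 2), None),
    ]:
        release(RECORD, CONSENT, purpose, "org-a", when, log, why)
    for entry in log:
        print(entry["purpose"], entry["decision"], entry["codes"])
```

Every request, permitted or denied, lands in the audit list, which is what makes after-the-fact review of break-the-glass access possible.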

5.0 CYBERSECURITY THREATS TODAY

When electronic medical records become universally available under the NwHIN, the number of locations and people interested in and accessing the information will also increase. Even with access controls, technical security, and data breach laws and regulations, increased accessibility will increase the risk of medical identity theft and large-scale medical financial fraud.

A new 2016 Ponemon Study [24] said “Criminal attacks from the outside and negligence from the inside continue to put patient data in the crossfire, the newly released Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data reveals. For the sixth year in a row, data breaches in healthcare are consistently high in terms of volume, frequency, impact, and cost. Nearly 90 percent of healthcare organizations represented in this study had a data breach in the past two years, and nearly half, or 45 percent, had more than five data breaches in the same time period. Estimates based on the results of this study suggest that breaches could be costing the healthcare industry a walloping $6.2 billion. The average cost of data breaches for covered entities surveyed is now more than $2.2 million while average cost to business associates in the study is more than $1 million”. [24]

With this scale of attack on healthcare, the industry is forced to come to terms with the far-reaching impacts of these large-scale breaches. Current research on protecting patient privacy in healthcare information systems is centered on the protection of the EHR, that is, protecting patient information from being abused by authorized users, being accessed by unauthorized outsiders, or being re-identified from health data published for secondary use [23]. The HIPAA Security Rule was implemented in 2002. Many such security regulations long predate the sophisticated level of attacks existing today. In this section, we examine the various types of attacks possible on the NwHIN today.
Some of these the HIPAA Security Rule may not cover.

5.1 Security Concerns [22]

Health care providers will need to address several security issues including encryption, use of personal mobile devices, and cloud storage.

5.1.1 Encryption is an “addressable” security standard under HIPAA. That means covered entities must encrypt protected health information when it “is a reasonable and appropriate safeguard.” (45 CFR § 164.312(a)(2)(iv)). When the HIPAA Security Rule was implemented in 2002, encryption was expensive and challenging to use. The result is that many covered entities still do not encrypt their data. With the enormous amount of personal medical information that will be moving around electronically as HIE gets underway and spreads, the U.S. Department of Health and
Human Services (HHS), ONC and HIPAA need to make encryption a requirement and set standards for its use.

5.1.2 Personal mobile devices- like smartphones, tablets and USB drives are more common today than in 2002. Health care providers often use their personal unsecured devices to record and share unencrypted work-related health information. The speed with which such devices have been adopted is well ahead of policies that govern their use. At the outset of implementing HIE, one policy that health care providers should consider for all mobile devices, including personal devices, is allowing access to personal health data for viewing but not for download and storage.

5.1.3 The cloud—that is, remote servers where more and more businesses are moving their data—will be essential in an era of electronic health information exchange because of the vast amount of data 300 million Americans will create. Health care providers may also want to host their patient portals on cloud-based servers. HIEs may also find it convenient to perform their data search and exchange functions using cloud servers. But then, how good is cloud security? Cloud-based data breaches have already occurred. Cloud services are developing more quickly than laws or regulations can address. As a patient you’re unlikely to know where your medical records actually reside. And you’re forced to rely on the security practices of others to protect the privacy of your information [22].

5.2 Threat Types [25]

As with every computer system, portal, hub or platform, threats and vulnerabilities potentially exist for HIEs and the NwHIN. Threats are potential events or dangers that may cause damage or inappropriate access to information systems and the sensitive information they contain. Threats may be malicious or accidental. They can damage a system or cause loss of confidentiality, integrity, or availability. Vulnerabilities are system weaknesses that can be exploited by a threat.
Reducing system vulnerabilities can reduce the risk and impact of threats to the system significantly.25

Threats to information security include, but are not limited to, the following:
Authorized users: Based on existing data, the greatest number of security breaches to the NwHIN may likely involve authorized users who use information inappropriately, such as viewing records without a business need.
Theft or loss: Computers, as well as the data they contain, are vulnerable to theft and/or loss from inside and outside the organization. The increasing use of laptops, tablets, smartphones and other handheld devices, along with portable media (i.e., external hard drives and USB thumb drives) makes potential inappropriate access to PHI a greater threat, particularly if these devices lack encryption.
Disgruntled employees: The greatest risk of sabotage to HIEs may stem from an organization’s own employees and former employees. Sabotage may include destruction of hardware or facilities, planting logic bombs that destroy programs or data, entering data incorrectly, crashing systems, deleting data, or changing data.
Malicious code: Malicious code can attack both personal computers as well as more sophisticated systems. It includes viruses, worms, Trojan horses, logic bombs, and other software. Malicious code programs may play harmless pranks, such as displaying unwanted phrases or graphics, or they may create serious problems by destroying or altering data or crashing systems.
Hackers: Hackers are individuals who gain illegal entry into a computer system, often without malicious intent but simply to see if they can do it. Although insiders constitute the greatest threat to information security, the hacker problem is serious. Systems accessible via remote access are particularly vulnerable to hacker activity.
Physical and facility threats: Losses may result from power failure (i.e., outages, spikes, and brownouts), utility loss (i.e., loss of power, air conditioning, or heating), water outages and leaks, sewer problems, fire, flood, earthquakes, storms, civil unrest, or strikes.
Errors and omissions: End users, data entry clerks, system operators, and programmers may make unintentional errors that contribute to security problems. These errors create vulnerabilities, system crashes, and compromise data integrity.

5.3 Sophisticated Attacks
A 2014 Medcity article26 on the motivation for cyber attacks on healthcare data said “Patient data is a commodity and depending on the market and other economic factors, they can net around $50 to $120 per record, possibly more, given the media attention.” “Noting that even if at the $50 end, for 4.5 million records, that amounts to $225 million.
“The big issue is really around does this create an economic incentive for others?”26 This clearly reveals some of the motivation behind the consistent cyber attacks on the healthcare industry. Many providers are said to be largely unprepared for the scale of attacks they experience. Part of hackers’ growing sophistication is a direct result of the vast number of attack methodologies at their disposal. They can pick and choose among denial of service attacks, viruses, worms, trojans, malicious code, phishing, malware, botnets and ransomware, any of which could play a key role in opening business data centers to intrusion.27

5.3.1 Advanced persistent threats- APTs usually gain a foothold using socially engineered Trojans or phishing attacks. A very popular method is for APT attackers to send a very specific phishing campaign -- known as spearphishing -- to multiple employee email addresses. The phishing email contains a Trojan attachment, which at least one employee is tricked into running. After the initial execution and first computer takeover, APT attackers can compromise an entire enterprise in a matter of hours. It's easy to accomplish, but a royal pain to clean up.29

5.3.2 Network-traveling worms- Computer viruses aren't much of a threat anymore, but their network-traveling worm cousins are. Most organizations have had to fight worms like Conficker and Zeus. We don't see the massive outbreaks of the past with email attachment worms, but the network-traveling variety is able to hide far better than its email relatives.29

5.3.3 Phishing attacks- often posing as a request for data from a trusted third party, phishing attacks are sent via email and ask users to click on a link and enter their personal data. Phishing emails have gotten much more sophisticated in recent years, making it difficult for some people to discern a legitimate request for information from a false one. Phishing emails often fall into the same category as spam, but are more harmful than just a simple ad.28

5.3.4 Brute force password attacks- a third party trying to gain access to your systems by cracking a user’s password using software that is typically run on their own system. Programs use many methods to access accounts, including brute force attacks made to guess passwords, as well as comparing various word combinations against a dictionary file.28

5.3.5 Denial-of-Service (DoS) Attacks- focus on disrupting the service to a network. Attackers send high volumes of data or traffic through the network (i.e. making lots of connection requests), until the network becomes overloaded and can no longer function. There are a few different ways attackers can achieve DoS attacks, but the most common is the distributed-denial-of-service (DDoS) attack.
This involves the attacker using multiple computers to send the traffic or data that will overload the system. In many instances, a person may not even realize that his or her computer has been hijacked and is contributing to the DDoS attack. Disrupting service can have serious consequences relating to security and online access. Many instances of large scale DoS attacks have been implemented as a sign of protest toward governments or individuals and have led to severe punishment, including jail time.30

5.3.6 Aggregation and Re-identification- patient privacy could be compromised with the help of today’s information technologies. Private healthcare information could be collected by aggregating and associating disparate pieces of information from multiple online data sources including online social networks, public records and search engine results. User identity and privacy are highly vulnerable to the attribution, inference and aggregation attacks. People are highly identifiable to adversaries even with inaccurate information pieces about the target, with real data analysis.23

5.3.7 “Man in the Middle” (MITM)- By impersonating the endpoints in an online information exchange (i.e. the connection from your smartphone to a website), the MITM can obtain information from the end user and the entity he or she is communicating with. For example, if you are banking online, the man in the middle would communicate with you by impersonating your bank, and communicate with the bank by impersonating you. The man in the middle would then receive all of the information transferred between both parties, which could include sensitive data, such as bank accounts and personal information. Normally, a MITM gains access through a non-encrypted wireless access point (i.e. one that doesn't use WAP, WPA, WPA2 or other security measures). They would then have access to all of the information being transferred between both parties.28

5.3.8 Drive-By Downloads- through malware on a legitimate website, a program is downloaded to a user’s system just by visiting the site. It doesn’t require any type of action by the user to download. Typically, a small snippet of code is downloaded to the user’s system and that code then reaches out to another computer to get the rest and download the program. It often exploits vulnerabilities in the user’s operating system or in different programs, such as Java and Adobe.28

5.3.9 Malvertising- a way to compromise your computer with malicious code that is downloaded to your system when you click on an affected ad. Cyber attackers upload infected display ads to different sites using an ad network. These ads are then distributed to sites that match certain keywords and search criteria. Once a user clicks on one of these ads, some type of malware will be downloaded.
Any website or web publisher can be subjected to malvertising, and many don’t even know they’ve been compromised.28

5.3.10 Rogue Software- Malware that masquerades as legitimate and necessary security software that will keep your system safe. Rogue security software designers make pop-up windows and alerts that look legitimate. These alerts advise the user to download security software, agree to terms or update their current system in an effort to stay protected. By clicking “yes” to any of these scenarios, the rogue software is downloaded to the user’s computer.28

5.3.11 Ransomware attacks- Typically, the bad guys get in and use network administration tools to map out where the assets in an organization are, such as the electronic medical record system, billing system and insurance claims. Criminals then encrypt the data, rendering it impossible to access. When users can’t get access, criminals provide the key — for a price.31
“The attack on Hollywood Presbyterian Medical Center in Southern California earlier this year, the first in a string of high-profile attacks on healthcare organizations, highlights the challenges that ransomware poses. The perpetrators took out the hospital’s entire network for more than a week, leaving staff without access to email and critical patient data. The malware crippled the hospital’s emergency room and other computer systems necessary for patient care, and forced hospital staff to log medical records with pen and paper.” According to the Federal Bureau of Investigation, ransomware victims in the first quarter of 2016 alone paid attackers $209 million, and in 2015 producers of the CryptoWall ransomware attack generated ransom of more than $300 million. The financial motivation for ransomware attacks suggests that the threat is unlikely to go away any time soon. Ransomware has the highest monetary value for cyber criminals.32

6.0 HIE/NWHIN DATA PROTECTION POLICIES
The Electronic Healthcare Network Accreditation Commission (EHNAC)33, which established standard criteria for the accreditation of organizations that exchange healthcare data, recognizes the broader significance of NHIN integrity and has developed a program that protects the integrity of HIEs. Designed for regional health information organizations (RHIOs), community health data/network partnerships and other groups that promote data sharing across multiple, independent stakeholders, EHNAC’s HIE accreditation program assesses the privacy policies, security measures, technical performance, business practices and organizational resources of participating entities. In order to achieve EHNAC’s HIE accreditation, the HIE must have specific measures in place including:
a. Policies for access to the exchange to ensure that those accessing the exchange are permitted users;
b. Agreements to provide transparency, foster trust, and establish expectations among participants;
c. Auditing and monitoring protocols to ensure that unauthorized access does not occur;
d. User authentication to ensure that only the appropriate persons are accessing the exchange;
e. Consumer consent policies to ensure consistent practices in obtaining consumer consent;
f. Separate and distinguished databases that maintain specific information;
g. Governance to oversee the activities of the HIE, and ensure that appropriate privacy and security standards are enforced;
h. Private and confidential data maintenance, with appropriate measures to mitigate any potential violation or breach;
i. Data is released following strict guidelines established to protect the privacy and security of the data in instances where the HIE engages in appropriate and purposeful secondary uses of data.33

7.0 HIE/NWHIN DATA BREACHES
A 2012 article by Beth Walsh in Clinical Innovation + Technology said “Meanwhile, the list of publicly disclosed data breaches indicates that very few breaches occur during exchange but rather as a result of physical loss or theft of media.” "So, we feel that the existing privacy and security protections in HIPAA are sufficient, at least at this juncture, for the foundational NwHIN.”33 This gives the impression that significant data breaches were yet to occur, possibly because most of the NwHIN projects were still in pilot or nascent stages at the time the paper was authored. Extensive online search revealed no major data breach to date in the HIE/NwHIN, suggesting that proactive measures are being taken to cut down on attacks through some of the HIE policies stated above, including tighter contracts for third parties. However, with the appallingly rapid rate of data breaches in the healthcare industry as a whole, recently becoming the most frequently attacked in America22, and the consistent attacks on protected health information by outsiders and insiders, there is sufficient reason to fear that such breaches will eventually get to the NwHIN, since the exchange is layered on existing EMRs.

8.0 CONCLUSION
A critical examination of the Nationwide Health Information Network, its potential, benefits and challenges, shows there is great promise for healthcare data in the US, and patients will realize immense benefit from personal access to their health record, useful in any type of encounter scenario in any location. The NwHIN will improve quality of care, efficiency, and reduce cost.
However, connecting all EMRs and, potentially, the personal information of over 300 million Americans is sure to draw the attention of several third parties such as research organizations, public health institutions, quality evaluation organizations and also hackers, for whom healthcare data has become a very lucrative income stream. With several sophisticated attack methods at their disposal, current antimalware, anonymization/deidentification, intrusion detection and vulnerability scanning have become insufficient to protect against these attacks. HIEs under the NwHIN have to comply with several security standards under HIPAA and other regulatory bodies, going beyond the fine print to ensure protection of patient data and the reputation of their brand.
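Section 5.3.6 describes re-identification by aggregating identifying details from several sources, and the conclusion notes that de-identification alone is no longer sufficient. The following added example (not part of the original paper) measures that exposure on a constructed extract using k-anonymity, a standard privacy metric the paper itself does not name; the field names, sample records and generalization rules are assumptions.

```python
from collections import Counter

# Constructed sample: a "de-identified" extract with names and record numbers
# removed but quasi-identifiers (ZIP, birth year, sex) left intact.
RECORDS = [
    {"zip": "95616", "birth_year": 1984, "sex": "F", "dx": "asthma"},
    {"zip": "95616", "birth_year": 1984, "sex": "F", "dx": "diabetes"},
    {"zip": "95616", "birth_year": 1987, "sex": "F", "dx": "hypertension"},
    {"zip": "95618", "birth_year": 1981, "sex": "F", "dx": "asthma"},
    {"zip": "95618", "birth_year": 1952, "sex": "M", "dx": "copd"},
    {"zip": "95616", "birth_year": 1958, "sex": "M", "dx": "diabetes"},
    {"zip": "95691", "birth_year": 1955, "sex": "M", "dx": "hypertension"},
    {"zip": "95605", "birth_year": 1990, "sex": "F", "dx": "depression"},
]

QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")  # assumed field names


def qi_key(record, generalize=False):
    """Quasi-identifier tuple that an outside data source could be joined on."""
    if not generalize:
        return tuple(record[f] for f in QUASI_IDENTIFIERS)
    # Assumed generalization: 3-digit ZIP prefix and decade of birth.
    return (record["zip"][:3] + "**", record["birth_year"] // 10 * 10, record["sex"])


def class_sizes(records, generalize=False):
    """Count how many records share each quasi-identifier combination."""
    return Counter(qi_key(r, generalize) for r in records)


def k_anonymity(records, generalize=False):
    """Size of the smallest class; k == 1 means at least one person is unique."""
    sizes = class_sizes(records, generalize)
    return min(sizes.values()) if sizes else 0


def at_risk(records, k, generalize=False):
    """Records whose quasi-identifier combination is shared by fewer than k."""
    sizes = class_sizes(records, generalize)
    return [r for r in records if sizes[qi_key(r, generalize)] < k]


def release(records, k):
    """Generalize every record, then suppress those still in a class below k."""
    sizes = class_sizes(records, generalize=True)
    released = []
    for r in records:
        zip3, decade, sex = qi_key(r, generalize=True)
        if sizes[(zip3, decade, sex)] >= k:
            released.append({"zip": zip3, "birth_decade": decade,
                             "sex": sex, "dx": r["dx"]})
    return released


if __name__ == "__main__":
    print("k as extracted:", k_anonymity(RECORDS))
    print("rows below k=2:", len(at_risk(RECORDS, 2)))
    print("k after generalizing:", k_anonymity(RECORDS, generalize=True))
    print("rows released at k=2:", len(release(RECORDS, k=2)), "of", len(RECORDS))
```

k-anonymity only bounds linkage on the chosen quasi-identifiers; a record in a large class can still leak a diagnosis when everyone in that class shares it.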
9.0 REFERENCES
1. Nationwide Health Information Network. Indian Health Service. https://www.ihs.gov/hie/index.cfm?module=dsp_hie_nwhin. Visited 9/9/16
2. Get the Facts about The Nationwide Health Information Network, Direct Project, And Connect Software. https://www.healthit.gov/sites/default/files/hie-interoperability/hitech-fs-hin-facts-v1.pdf. Visited 9/9/16
3. Brian E Dixon, Atif Zafar, J Marc Overhage. A Framework for evaluating the costs, effort, and value of nationwide health information exchange. Journal of the American Medical Informatics Association May 2010, 17 (3) 295-301. http://jamia.oxfordjournals.org/content/17/3/295?ref=vidupdatez.com/image. Visited 9/9/16
4. Patricia Fontaine et al. Systematic Review of Health Information Exchange in Primary Care Practices. J Am Board Fam Med September-October 2010 vol. 23 no. 5 655-670.
5. https://www.healthit.gov/policy-researchers-implementers/nwhin-history-background. Visited 9/9/16
6. https://www.federalregister.gov/documents/2012/05/15/2012-11775/nationwide-health-information-network-conditions-for-trusted-exchange. Visited 9/9/16
7. https://www.healthit.gov/policy-researchers-implementers/federal-health-architecture-fha. Visited 9/9/16
8. Roberta et al. NwHIN Exchange Completes Transition to eHealth Exchange. Oct 11, 2012. http://www.hieanswers.net/nwhin-exchange-completes-transition-to-ehealth-exchange/. Visited 9/9/16
9. Brian E Dixon, Atif Zafar, J Marc Overhage. A Framework for evaluating the costs, effort, and value of nationwide health information exchange. Journal of the American Medical Informatics Association. Volume 17, Issue 3. Pp. 295 – 301
10. Roberta Mullin. Healthcare IT news. Government and Policy. NHIN, NwHIN and Healtheway. September 11, 2012. http://www.healthcareitnews.com/news/nhin-nwhin-and-healtheway
11. Oregon Health & Science University OHSU Clinical Informatics Wiki. http://clinfowiki.org/wiki/index.php/Nationwide_Health_Information_Network. Visited 9/9/16
12. http://www.siframework.org/implementation.html. Visited 9/9/16
13. Leslie Lenert, David Sundwall, Michael Edward Lenert. Shifts in the architecture of the Nationwide Health Information Network. Journal of the American Medical Informatics Association Jul 2012, 19 (4) 498-502; DOI: 10.1136/amiajnl-2011-000442. Visited 9/9/16
14. Brase, T. (2013). The affordable care act destroys privacy. Journal Of American Physicians And Surgeons, (4), 108.
15. Parente ST, Howard P. Potential ObamaCare privacy nightmare. USA Today, Dec 6, 2012. Available at: http://www.usatoday.com/story/opinion/2012/12/06/column-potential-obamacare-privacynightmare/1752211/. Visited Sep 9, 2016.
16. Lisa W. Clark. Health Information Technology, Patient Data And Health Care Reform: Rewards And Risks In The New Ecosystem. Pennsylvania Bar Association. http://www.duanemorris.com/articles/static/PABAR_clark_0414.pdf. Visited 9/9/16
17. https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources. Visited 9/9/16
18. Ponemon Institute, 2013 Cost of Data Breach Study, 5 (May 2013), available at https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf. Visited 9/9/16
19. Hospital District No. 1 of Crawford County v. Cerner Corporation, No. 12-CV-02025 (Feb. 10, 2012) (First Amended Complaint).
20. https://www.healthit.gov/providers-professionals/patient-consent-electronic-health-information-exchange. Visited 9/9/16
21. Raths, David. "How do we segment data for privacy? Local and national projects aim to share data within the current limitations." Behavioral Healthcare 35.3 (2015): 42+. Academic OneFile. Web.
22. California Medical Privacy Fact Sheet C6: Health Information Exchange: Is Your Privacy Protected? https://www.privacyrights.org/fs/fsC6/CA-medical-HIE#benefits-risks. Visited 8/10/16
23. New threats to health data privacy. Fengjun Li, Xukai Zou, Peng Liu, Jake Y Chen. BMC Bioinformatics. 2011; 12(Suppl 12): S7. Published online 2011 Nov 24.
24. http://www.ponemon.org/blog/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data?s=healthcare. Visited 9/9/16
25. William M. Miaoulis, Tom Walsh. AHIMA. “HIPAA Security Overview (Updated).” (Updated December 2014). http://library.ahima.org/doc?oid=300244#.V9NmlhSy-oI. Visited 9/9/16
26. DAN VEREL. Healthcare hackers see increasing profit in stealing patient data. http://medcitynews.com/2014/08/healthcare-hackers-see-increasing-value-patient-data/?trendmd-shared=0&rf=1. Aug 19, 2014. Visited 9/9/16
27. LANCE COTTRELL. Today’s Hackers Are Way More Sophisticated Than You Think. http://readwrite.com/2015/02/04/sophisticated-hackers-defense-in-depth/. February 4, 2015. Visited 9/9/16
28. Megan Sullivan. 8 Types of Cyber Attacks Your Business Needs to Avoid. http://quickbooks.intuit.com/r/technology-and-security/8-types-of-cyber-attacks-your-business-needs-to-avoid/. Visited 9/9/16
29. Roger A. Grimes. The 5 cyber attacks you're most likely to face. InfoWorld Security Adviser. http://www.infoworld.com/article/2616316/security/the-5-cyber-attacks-you-re-most-likely-to-face.html. Dec 4, 2012. Visited 9/9/16
30. Chris Thornton. Understanding The Different Types Of Cyber-Attack, http://www.shacktech.co.uk/blog/2016/01/18/understanding-the-different-types-of-cyber-attack/. Visited 9/9/16
31. ANDIS ROBEZNIEKS. Healthcare orgs complacent as hackers get more sophisticated. http://medcitynews.com/2016/05/hackers-sophisticated/?rf=1. May 13, 2016. Visited 9/9/16
32. Greg Slabodkin. Healthcare a prime target as ransomware threat widens. http://www.healthdatamanagement.com/news/no-industry-immune-to-ransomware-and-healthcare-now-immense-target?feed=00000152-1268-da4c-af7b-567ac5a10000. September 08 2016. Visited 9/9/16