In a continuing effort to make electronic health records not only more available but more useful, the Office of the National Coordinator for Health IT has released a 10-year roadmap for interoperability that includes security as a primary objective.
The nation’s healthcare records have gone digital, but as has been proved over and over again, putting information into an electronic format does not necessarily make it more useful. In an effort to make electronic health records more available and more useful, the Office of the National Coordinator for Health IT has released a 10-year roadmap for interoperability that includes security as a guiding principle.
The goal is to create a broader health IT fabric that includes not only health records, but information from a variety of sources to provide a holistic view of an individual’s health. This requires a system in which “health information flows seamlessly and is available to the right people, at the right place, at the right time,” rather than being held in data silos.
Key to this goal is the phrase “the right people.” If the sensitive information contained in our health records cannot be secured, the entire effort not only fails but has the potential to do more harm than good.
The national commitment to health IT began with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which was intended to give every American electronic access to their health records. But six years later, as the roadmap notes, interoperability “remains a work in progress.” Creating the needed level of interoperability requires “implementing federally recognized, national interoperability standards and policies” to enable “innovating on a set of core standards.”
The roadmap lays out voluntary near-, mid- and long-term objectives for achieving this standardized, collaborative environment:
• 2015-2017: Send, receive, find and use priority data domains to improve health care quality and outcomes.
• 2018-2020: Expand data sources and users in the interoperable health IT ecosystem to improve health and lower costs.
• 2021-2024: Achieve nationwide interoperability to enable a learning health system, with the person at the center of a system that can continuously improve care, public health, and science through real-time data access.
Achieving these goals will require clarifying and aligning federal and state privacy and security requirements.
“The security of network infrastructure is pivotal to ensuring the success of nationwide interoperability to enable a learning health system,” the roadmap acknowledges. “As health IT systems have become increasingly connected to each other, cyber threats have concurrently increased at a significant rate.”
Unfortunately, there is little standardization in the security of electronic health records. There is great variability in the kinds and extent of security resources available among different organizations. Beyond technology, “there is also a significant need for behavioral and cultural change across the health IT ecosystem regarding cybersecurity,” the roadmap says. “Many in health care do not realize the significant risk to their health IT systems and do not understand the importance and urgency of implementing security best practices to prevent cyber-attacks.”
The document lays out milestones for achieving a “ubiquitous, secure network infrastructure”:
• 2015-2017: Send, receive, find and use priority data domains to improve healthcare quality. Developers and vendors must build security into all phases of the development lifecycle for health IT products and services that perform these functions.
• 2018-2020: Expand interoperable health IT and users to improve health and lower cost. Cybersecurity best practices and guidance will be developed for encryption, risk management, monitoring, and security testing for a variety of audiences.
• 2020-2024: A learning health system enabled by nationwide interoperability. At least 80 percent of healthcare organizations will have adopted the NIST Cybersecurity Framework for critical infrastructure or its equivalent.
Treating the nationwide healthcare IT system as a critical infrastructure is a sensible requirement for a system that touches so many lives so closely. Achieving these goals will take a great amount of effort. Let’s hope that government overseers, the healthcare industry and the IT industry have the will to see this job through.