The Health Data Interoperability Highway Is Coming. Is Your Organization Ready?

Lee Barrett, Commission Executive Director of DirectTrust

Not many of us remember a time when there weren’t interstates widely available to help us get to where we need to go. Winding roads and sleepy towns can be nostalgic, but they’re not great time savers when time is of the essence.

At a macro level, The Trusted Exchange Framework and Common Agreement (TEFCA) promises to be the interoperability superhighway for healthcare data, speeding information on patients from care facility and care provider — regardless of location or healthcare entity — to where it’s currently needed. That could be a routine visit with a new provider or it could be a life-and-death situation where an unconscious patient is wheeled into the Emergency Department with no family member present to provide any context about the patient, co-morbidities, or prescriptions.

But the superhighway of anything isn’t without hazards, unless careful planning occurs, as happened with the U.S. interstate system. When building began on the interstate system in 1956, the death rate per 1 million miles driven was 6.28. Today, that figure is 1.46 deaths per 1 million miles — a testament to diligent efforts to build continually safer highways, design safer cars, adopt speed limits, and provide ongoing oversight.

A similar effort will be needed for TEFCA to fulfill its promise to free patient information from the siloes where it currently resides without compromising the privacy and security of that data, which points to the utility of accreditation and certification among those who exchange data to help keep privileged information safe.

Safeguarding information is always a matter of the weakest link. The most secure data network or hospital system can be undone by a third-party vendor with lax security controls that has network access through an API or some other method. Likewise, the tightest security controls can be breached through a phishing or social engineering attack that compromises a single individual, then attempts to move through the network to gain more control.

As the saying in cybersecurity goes, bad actors only need to succeed once to infiltrate a network, which means that hospitals, health systems, providers, care centers, business associates, and other third parties must adopt and implement stringent security protocols and good cybersecurity hygiene to keep data safe.

Interoperability will undoubtedly increase the number of risk vectors that exist at every exchange point. Now, instead of the security of a single system, with all of its individual connections, it will be thousands of systems, each of which has hundreds — if not thousands — of individual connections.

Large vendors and state and multistate health information networks (HINs) have already expressed interest in making application to the Recognized Coordinating Entity (RCE) contracted by the Office of the National Coordinator (ONC) to gain designation as qualified health information networks (QHINs), which will serve as the communications hub of the network to route queries, responses, documents, and more among those who are exchanging data. Those already announcing their intentions to apply to become QHINs include EHR vendor Epic, ambulatory EHR and practice management solution vendor NextGen Healthcare, the CommonWell Health Alliance, clinical data exchange network Kno2, and CRISP Shared Services, which provides the infrastructure for five statewide HIEs.

Healthcare must get a handle on cybersecurity

The Office of the National Coordinator (ONC) for Health Information Technology named The Sequoia Project as the recognized coordinating entity (RCE) responsible for developing the common agreement for TEFCA and setting baseline technical, legal, privacy, and security requirements to fulfill the promise of interoperability.

Sequoia will designate and monitor QHINs to ensure they are collaborating effectively and abiding by the terms of the common agreement. The details of the common agreement will include technical specifications and minimal security standards for QHINs and others to participate in data exchange. The stakes are high — healthcare providers and business associates continue to be hit by ransomware attacks and data breaches. The healthcare industry incurs the highest costs to remediate breaches, at more than $10 million per incident, almost double the second most-affected industry.

Given healthcare’s poor record at keeping protected health information (PHI) safe, security experts fear that interoperability will increase the number of attacks, undermining the intended purpose of making data more accessible among providers, patients, and care facilities.

A recent survey of CIOs and CISOs across industries showed that 80% reported a breach within the past 12 months that started with a third-party vendor. In fact, the average respondent reported they had been breached 2.5 times in this manner in the last year. 

What’s clear is that many entities operating in the healthcare ecosystem still lack the needed tools, experience, and cyber rigor required to significantly reduce the risk of a cyberattack.

Trusted Network Accreditation Program

EHNAC and HITRUST have long promoted the secure exchange of healthcare data through accreditation and certification programs. The organizations have teamed up to offer the Trusted Network Accreditation Program (TNAP), designed to comply with TEFCA regulatory standards to address security and privacy requirements. The HITRUST R2 has been named as part of the Security Standard Operating Procedure (SOP) for those entities that make application to the RCE seeking QHIN designation as a QHIN. There may be other certifications named in the future, but the HITRUST R2 certification, required as part of TNAP, is currently the only security certification designated by the RCE to meet the requirements of the common agreement.

The TNAP program is designed to accommodate stakeholders that will exchange data, including QHINs, other health information networks, health information exchanges, accountable care organizations, data registries, labs, providers, payers, vendors, and suppliers. It requires the HITRUST R2 Validated Assessment and a third-party assessment against EHNAC’s TEFCA-specific requirements outside of just information security.

As TEFCA regulations change, the accreditation program will be updated to keep pace and maintain a laser-like focus on the security and privacy of data within a network and during transmission, while also monitoring business practices and management of human and physical resources.

Data interoperability has been an objective since the first electronic healthcare records systems came online in the 1960s, and the concept picked up the pace about 30 years ago. After many stops and starts, the ideal of true data interchange is closer than ever. But healthcare organizations must recognize that the industry does not have a stellar track record of safeguarding protected health information, which makes certifications and accreditation programs vital and required to ensure confidence in interoperability.

About Lee Barrett

Lee Barrett is the Commission Executive Director of DirectTrust, and includes contributions by Michael Parisi, Vice President of Adoption, HITRUST.