Analysis: HHS' Revised Strategic Health IT PlanDo the Privacy and Security Provisions Come Up Short?
Federal regulators have issued a final version of a strategic health IT plan for 2015 to 2020, which is designed to help guide government activities. But some experts say the plan is thin on privacy and security measures, such as the need to update HIPAA to address evolving cyber threats.
See Also: 12 Top Cloud Threats of 2016
The plan "sets a blueprint ... to implement strategies that will support the nation's continued development of a responsive and secure health IT and information use infrastructure," according to a statement from the Department of Health and Human Services. "The plan's work aims to improve the health IT infrastructure, help transform healthcare delivery and improve individual and community health."
The revised plan includes an emphasis on secure health data exchange; continued development and enforcement of HIPAA privacy and security regulations; testing the security and privacy safeguards of certified health IT products; and promoting cyberthreat information sharing.
The HHS Office of the National Coordinator for Health IT worked with 35 federal partners in developing the plan, which also reflects input from more than 400 public comments ONC received on its draft version, which was unveiled last December (see Federal Strategic Health IT Plan Issued). As in the draft plan, privacy and security of health information are top priorities, but more details are provided.
Privacy, Security Objectives
While privacy and security objectives are woven throughout the plan, most are bundled within the broad federal goal to "enhance the U.S. health infrastructure." The plan sets out eight strategies for achieving the objective of protecting the privacy and security of electronic health information:
- Clarify requirements and expectations for secure and trusted exchange of electronic health information, consistent with applicable legal privacy protections and individuals' preferences, across states, networks and entities;
- Continue development, administration and enforcement of HIPAA privacy and security regulations for HIPAA covered entities and business associates;
- Continue enforcement of and guidance on applicable legal privacy and security requirements for entities not covered by HIPAA;
- Test certified health IT products to ensure they incorporate privacy and security safeguards required for certification under ONC's Health IT Certification Program;
- Develop and implement policies, practices and educational tools that advance interoperability while giving stakeholders confidence that privacy and security are maintained;
- Address cybersecurity risks in developing technologies and their use;
- Support, promote and enhance information sharing capabilities within the health and public health sector for bi-directional information sharing about cyber threats and vulnerabilities between the private health care industry and the federal government;
- Work toward uniform policy and technical approaches to electronically document individuals' privacy choices in a computable format that is accessible to individuals and available in culturally and linguistically appropriate language.
Good Start, But...
Security expert Mac McMillan, CEO of the consulting firm CynergisTek, contends that the plan is not aggressive enough in addressing privacy and security safeguards in a quickly evolving cyber threat landscape.
"We need an updated HIPAA Security Rule that is in step with other current standards for protecting data," he says. "We are enforcing an antiquated standard and we're not doing that very effectively."
Other observers also say the value of the plan will depend on the development of more privacy and security details.
"The key to making this strategic plan something real lies in deriving well-defined tactical tasks accompanied by metrics measuring maturity and identifying gaps," says Keith Fricke, principal consultant at tw-Security. "The credit card companies had that goal in mind when creating the Payment Card Industry Data Security Standard. A prescriptive roadmap provides clarity and direction."
PCI DSS offers more practical guidance than HIPAA, Fricke argues. "HIPAA is top heavy on administrative tasks - such as policies, procedures, plans, etc. - that do little to actual secure PHI via technical controls. PCI DSS is almost all technology and very specific in regard to the controls required and light on the administrative burden. I'm not aware of a cyberattacker being thwarted by some 'really good policies.'"
McMillan says the federal objective to enhance cyber threat information sharing is "absolutely overdue. Healthcare deserves the same level of information sharing with respect to [cyber threats] as any other critical infrastructure important to our nation."
Praise for the Vision
The College of Healthcare Information Management Executives, an association of healthcare CIOs, says it's generally supportive of ONC's strategic health IT plan, including the objectives to protect the privacy and security of patient data.
"We are encouraged to see in the plan a recognition of the role privacy and security will play in advancing interoperability and greater adoption of health IT," CHIME says in a statement. "We cannot achieve the promise of population health and other advances in patient care without the ability to fully and securely exchange data. This includes not just data between providers, but also establishing a framework for accepting the growth in patient-generated data."
CHIME notes, however, that there's room for refinement. "While the strategic plan is a good step in that direction, CHIME also believes that we must attend to such issues as patient identification and development of functional electronic clinical quality measures."
Tom Walsh, founder of consulting firm tw-Security, also says there's still plenty of work to do. "This is a 'strategic plan' so it is a high-level document that is supposed to help set direction for the industry as a whole," he says. "Therefore, there is a lot of fluff but not a lot of substance. It does not answer the tough, 'Who, How, and When' questions."
Nationwide Interoperability Roadmap
Within ONC's other objectives for enhancing the U.S. health infrastructure are plans to finalize and implement its roadmap for nationwide, interoperable, secure health data exchange. A draft of that roadmap was introduced earlier this year, and ONC is working on its next version, which will also reflect public input and is expected to be released by year-end (see A Roadmap for National Health Data Exchange).
In the strategic health IT plan, ONC says the objective to finalize and implement a nationwide interoperability roadmap is based on several key strategies. Those include:
- Federal partners collaborating with industry and public stakeholders to advance core technical standards for terminology and vocabulary, content and format, transport and security;
- Leveraging the ONC HIT Certification Program to ensure that a broad spectrum of health IT conforms to the technical standards necessary for capturing and exchanging information;
- Aiming toward privacy and security-related policies, practices and technology that keep pace with the expanded electronic exchange of information;
- Fostering a supportive business, clinical, cultural and regulatory environment that encourages interoperability;
- Publishing guidance that defines high-level principles for policies and business practices that advance trust and interoperability.
In the HHS statement, Karen DeSalvo, M.D., National Coordinator for Health IT, says, "Implementing the Federal Health IT Strategic Plan over the next five years drives toward a public-private partnership to achieve interoperability and will help the nation achieve important health outcomes, while remaining flexible to the evolving nature of healthcare and technology."
DeSalvo is awaiting Senate confirmation to take on a new role at HHS as assistant secretary. Once she takes on the new HHS job, she is expected to leave her position at ONC (see DeSalvo's ONC Departure: The Impact).