NIST Tackles Health Data Exchange

Project Aims to Help Smaller Providers With Security

January 17, 2013

The National Institute of Standards and Technology plans to develop security platform options to help protect healthcare information when it's exchanged.

The new Secure Exchange of Health Information effort is the inaugural demonstration project of NIST's National Cybersecurity Center of Excellence, a private-public collaboration that will work on integrated cybersecurity tools and technologies in multiple industries.

The effort is timely because the exchange of health information is a bigger focus in Stages 2 and 3 of the HITECH Act's electronic health record incentive program, which is providing extra money to hospitals and physicians who make meaningful use of EHRs. Meanwhile, there are no official federal standards specifically addressing health information exchange. The Office of the National Coordinator for Health IT in December shelved plans to issue a regulation spelling out voluntary "rules of the road" for nationwide health information exchange. Instead, ONC announced that it would gradually issue voluntary HIE guidance (see: HIE Guidance Coming in Phases).

Commenting on ONC's HITECH Stage 3 proposed requirements, some healthcare organizations and associations, including the College of Healthcare Information Management Executives and the American Medical Association, wrote that the government needs to offer more direction on health information exchange issues, ranging from managing patient consent to sharing of sensitive health data (see: HITECH Stage 3: Concerns Raised).

Innovators Welcome

This first NIST Center of Excellence project, focused on security for healthcare information exchange, is open for participation by private- and public-sector organizations, including technology vendors, integrators, healthcare providers and academia, says Nate Lesser, deputy director of the center. Participants are invited to contribute products and/or technical expertise.

The goal of the project is to provide security platform options that enable healthcare providers, especially smaller organizations that often lack internal IT security expertise and have limited resources, to securely exchange electronic health information with others, Lesser says.

Commercial products that will be contributed by participants are "building blocks" for the security solutions that will be developed and then showcased by the center, he says. While vendors will retain the intellectual property of their commercial products used in the projects, the code, input/output specs and configurations that the NIST team and project participants develop to integrate these products will be publicly available for free, he says.

"The idea is to integrate these building blocks of commercially available software and hardware with 'glue,' or code, developed in our labs so that when it's all linked together, it provides a higher level of security," he says.

The center envisions working on the Secure Exchange of Health Information project for one to two years, Lesser notes. The project will focus on about six methods that healthcare providers can consider to address their own security challenges, he says.

The first demonstration project will address secure communication between mobile devices and EHRs, he says.

More details about the project are available in a Federal Register notice and on NIST's website.

Multiple Threats

In its notice, NIST points out that major security concerns for secure electronic health information exchange include lack of physical security controls, as is evident from breaches that frequently involve loss or theft of mobile devices. Other threats to secure information exchange include untrusted client devices; lack of security features or circumvention of those features; the use of untrusted networks, such as broadband, WiFi, WiMAX and cellular networks; and data synchronization and storage issues when systems interact.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
