NIST Tackles Health Data ExchangeProject Aims to Help Smaller Providers With Security
The National Institute of Standards and Technology plans to develop security platform options to help protect healthcare information when it's exchanged.
The new Secure Exchange of Health Information effort is the inaugural demonstration project of NIST's National Cybersecurity Center of Excellence, a private-public collaboration that will work on integrated cybersecurity tools and technologies in multiple industries.
The effort is timely because the exchange of health information is a bigger focus in Stages 2 and 3 of the HITECH Act's electronic health record incentive program, which is providing extra money to hospitals and physicians who make meaningful use of EHRs. Meanwhile, there are no official federal standards specifically addressing health information exchange. The Office of the National Coordinator for Health IT in December shelved plans to issue a regulation spelling out voluntary "rules of the road" for nationwide health information exchange. Instead, ONC announced that it would gradually issue voluntary HIE guidance (see: HIE Guidance Coming in Phases).
Commenting on ONC's HITECH Stage 3 proposed requirements, some healthcare organizations and associations, including the College of Healthcare Information Management Executives and the American Medical Association, wrote that the government needs to offer more direction on health information exchange issues, ranging from managing patient consent to sharing of sensitive health data (see: HITECH Stage 3: Concerns Raised).
This first NIST Center of Excellence project, focused on security for healthcare information exchange, is open for participation by private- and public-sector organizations, including technology vendors, integrators, healthcare providers and academia, says Nate Lesser, deputy director of the center. Participants are invited to contribute products and/or technical expertise.
The goal of the project is to provide security platform options that enable healthcare providers, especially smaller organizations that often lack internal IT security expertise and have limited resources, to securely exchange electronic health information with others, Lesser says.
Commercial products that will be contributed by participants are "building blocks" for the security solutions that will be developed and then showcased by the center, he says. While vendors will retain the intellectual property of their commercial products used in the projects, the code, input/output specs and configurations that the NIST team and project participants develop to integrate theses products will be publicly available for free, he says.
"The idea is to integrate these building blocks of commercially available software and hardware with 'glue,' or code, developed in our labs so that when it's all linked together, it provides a higher level of security" he says.
The center envisions working on the Secure Exchange of Health Information project for one to two years, Lesser notes. The project will focus on about six methods that healthcare providers can consider to address their own security challenges, he says.
In its notice, NIST points out that major security concerns for secure electronic health information exchange include lack of physical security controls, as is evident by breaches that frequently involve loss or theft for mobile devices. Other threats to secure information exchange include untrusted client devices; lack of security features or circumvention of those features; the use untrusted networks, such as broadband, WiFi, WiMAX and cellular networks; and data synchronization and storage issues when systems interact.
Interested parties have until Feb. 21 to request a certification letter to participate. Each organization will be asked to identify which security platform components or capabilities it is offering. Product components or capabilities include one or more of the following:
- Electronic health information entry and display devices;
- Authentication and authorization mechanisms;
- Data transfer/communications components;
- Electronic health information storage and retrieval components;
- Forms generation capabilities; and
- Printer devices or interfaces.