The massive data breaches that struck CareFirst Blue Cross and Blue Shield, Anthem and Premera over the past year have sounded an alarm across healthcare IT. With hackers eager to steal valuable patient data, it’s time for the healthcare sector to act more aggressively to secure private data.
Consider that, according to research from Gartner, close to 40 million healthcare records have been breached to date. That number, Gartner’s research suggests, is a conservative estimate because it takes into account only breaches of at least 500 individuals at a time.
And the cost of a healthcare breach continues to climb, according to the Ponemon Institute, to about $363 per exposed personally identifiable record. That’s more than double the average cost of a data breach in other industries, and the trend holds across 11 industrialized nations. Our industry is a target, and we must do more now.
Securing patient data starts with encryption, but equally important is the use of strong identity authentication. Authentication guarantees that the sender and recipient of healthcare data are, in fact, who they claim to be.
To explain this, let’s imagine something as simple as a family practitioner referring a patient to a specialist. There are various formats in which data can be sent from one office to the other, and the sending and receiving providers both need to understand which are being used. The two primary ways are sending the records via Directed Exchange or using the emerging FHIR (Fast Healthcare Interoperability Resources) platform.
The benefit of Direct is that it does not matter what formats are being used. The focus is on securing the transport method, irrespective of what the message content is. Essentially it’s a secured email solution for healthcare. As with email, the sender and the receiver each have a Direct Address (like an email address), which is where information is sent from or sent to, depending on which side of a transaction the account holder is on.
Digital certificates cryptographically bound to those addresses are used along with the infrastructure of the Internet to establish a secure channel between the two accounts. This then allows any data to flow over that secure channel without revealing any of its contents except to the intended receiver, guaranteeing that contents are not modified or deleted without either party knowing.
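As an added illustration (not from the original article), the Python sketch below shows the name-binding check a receiving system can apply to a Direct certificate. It assumes the certificate's subjectAltName entries arrive in the layout of Python's `ssl.SSLSocket.getpeercert()`, that a certificate may be bound to a single address (email entry) or to a whole Direct domain (DNS entry), and that names are compared case-insensitively; the addresses and certificates are constructed samples.

```python
"""Added example: is a certificate's subjectAltName bound to a Direct address?

Covers name binding only. Chain validation, revocation and signature
checks are separate steps and are not shown here.
"""


def split_direct_address(address):
    """Return (local_part, domain), lowercased, or raise ValueError."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a Direct address: {address!r}")
    return local.lower(), domain.lower()


def certificate_binding(address, cert):
    """Return "address", "domain" or None for how cert is bound to address.

    cert follows the getpeercert() dict layout, for example
    {"subjectAltName": (("email", "a@b.example"), ("DNS", "b.example"))}.
    """
    local, domain = split_direct_address(address)
    sans = cert.get("subjectAltName", ())
    emails = {value.lower() for kind, value in sans if kind == "email"}
    dns_names = {value.lower().rstrip(".") for kind, value in sans if kind == "DNS"}
    if f"{local}@{domain}" in emails:
        return "address"   # certificate issued to this exact Direct address
    if domain in dns_names:
        return "domain"    # certificate issued to the organization's Direct domain
    return None            # no binding: the message should not be trusted


# Constructed sample certificates (subjectAltName only).
ADDRESS_CERT = {"subjectAltName": (("email", "drsmith@direct.clinic.example"),)}
DOMAIN_CERT = {"subjectAltName": (("DNS", "direct.clinic.example"),)}
COLLEAGUE_CERT = {"subjectAltName": (("email", "nurse@direct.clinic.example"),)}
OTHER_ORG_CERT = {"subjectAltName": (("DNS", "direct.other.example"),)}

if __name__ == "__main__":
    sender = "DrSmith@Direct.Clinic.example"
    for name, cert in [("address", ADDRESS_CERT), ("domain", DOMAIN_CERT),
                       ("colleague", COLLEAGUE_CERT), ("other org", OTHER_ORG_CERT)]:
        print(f"{name:10s} -> {certificate_binding(sender, cert)}")
```

A certificate issued to a different mailbox in the same domain returns `None`, so an address-bound certificate cannot vouch for a colleague's address.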
For FHIR, the process of transferring EHRs is a little more involved, but as long as both parties know and agree on which FHIR profile is being used, securing that transaction generally happens in a consistent manner. FHIR typically relies upon TLS security — which has been used in e-commerce transactions for many years now — to identify and authorize the parties exchanging data, and to secure and protect the data as it moves from one to the other. TLS certificates cryptographically bind FHIR endpoints (either a service location, or an application requesting data for its user) to their respective Internet locations, allowing a secure channel to be established.
Full story and source here: Healthcareitnews.com – What goes wrong when medical records are transferred