Exchanging patient data securely takes planning and effort.

Tod Ferran, CISSP, QSA
By: Tod Ferran
I don’t envy the healthcare industry. On one hand, Meaningful Use wants providers to increase the flow of records and on the other, HIPAA wants them to decrease compromise. That’s a lot to have on your plate.

The quick, easy, and digital exchange of patient data has rocketed the healthcare industry light-years into the future. Health Information Exchanges (HIEs), for example, allow healthcare providers within a geographic area to contribute and access electronic patient data, usually to and from a centrally managed data repository.

I’m sure you can see how this would increase quality through all stages of the healthcare process. Now, all providers are linked together and can see, share, and provide additional data to a patient’s clinical context, potentially improving the timeliness and accuracy of care decisions and avoiding duplicate procedures.

BUT, exchanging patient data in a secure fashion is more difficult than it seems.

Perhaps that is why The Ponemon Institute reported that 72% of providers aren’t confident in the security and privacy of patient data shared via HIEs.


HIE member security

Let’s discuss HIE members. HIEs can connect tens of thousands of healthcare providers. But if HIE members do not have secure controls in place and one is breached, the HIE connection between all providers could potentially become a path to your patient data.

Data exchange also has legal liabilities as well. If an HIE member is breached, they can be brought to court by fellow HIE members in a civil lawsuit.

SEE ALSO: The #1 Way to Help Your HIPAA Audits Go Faster

Some HIEs work hard to reinforce their systems against hackers, apply security best practices, and encourage each member’s individual data protections. Here’s a great example of one of them.

The Utah Health Information Network (UHIN) wanted to go further than just passing their OCR pilot audit with flying colors. To do that, they needed to get their members on board. They created a customized, already-paid-for member program that includes security consulting, a self-assessed risk analysis, external network vulnerability scans, and a breach protection checklist.
They also do a wonderful job of evaluating the clinical data being viewed, and who is viewing the data, to catch abnormal behavior (such as an attacker attempting to gain access) and block the activity.

This is a great example of an HIE protecting and bringing their members to the next level of security. Now….what’s your HIE doing?

Our advice for HIE members

At the speed the healthcare industry is going, data exchange will continue to outpace security.
But for those who truly wish to avoid a devastating data breach, ensure your HIE partner has the expertise, resources, and implemented safeguards to secure your patient data, no matter who it is exchanged with.

If you’re not sure what your HIE should be doing, have a look at ONC’s health IT security resources. They discuss security from the standpoint of an EHR user, but some of the same best practices should be followed by HIEs – such as encrypting all data maintained by the HIE, safeguarding its computer network with a firewall, and protecting its employee workstations with passwords and anti-virus software.


Find out what your HIE is doing for security. Challenge them on it. If you’re not satisfied, it’s time to go shopping.

Did this post help you? If so, please share!

Tod Ferran (CISSP, QSA) is a Mensa aficionado, Cancun expert, and Security Analyst for SecurityMetrics with over 25 years of IT security experience. In addition to his many speaking engagements and webinars, he provides security consulting, risk analysis assistance, risk management plan support, and performs security, HIPAA, and PCI compliance audits. Connect with him for recommendations on excellent places to stay, activities, and restaurants in Cancun, or check out his other blog posts here.

0 comments