Seeking Secure Health Information Exchange - InformationWeek
Healthcare // Security & Privacy
10:25 AM
Paul Cerrato
Paul Cerrato
Connect Directly
Ransomware: Latest Developments & How to Defend Against Them
Nov 01, 2017
Ransomware is one of the fastest growing types of malware, and new breeds that escalate quickly ar ...Read More>>

Seeking Secure Health Information Exchange

The New York eHealth Collaborative is among several forward thinking organizations that are helping make HIEs private and secure.

In healthcare IT security, there are lots of villains to contend with, but the heroes also deserve attention. The New York eHealth Collaborative (NYeC) is among several that come to mind.

NYeC’s stated goal is simple enough: Improve the healthcare of all New Yorkers through the creation of the statewide health information network for New York, an endeavor they call SHIN-NY. In reviewing the numerous data breaches that have plagued US hospitals and practices, one of the missteps that surfaces over and over among offending providers is the unwillingness to do a detailed risk assessment before their records were breached. NYeC is at the forefront, doing their best to break this irresponsible mindset.

When ONC released a HIT security risk assessment questionnaire in 2011, for instance, NYeC was quick to outline the nuts and bolts to help providers get up to speed. Similarly it has published a variety of tools and resources to help members meet the Meaningful Use requirements on security.

"A large number of very reputable shops are out there that will do a risk assessment if you don’t have the in-house talent," said David Whitlinger, executive director at NYeC during a recent phone interview. I would highly encourage organizations to hire a third party. Those types of organizations have been trained for years in other industries." These specialists will check to see if your laptops are encrypted down to the hard drive level, determine the risks incurred if patient data is allowed on individual devices, review the advantages and disadvantages of storing patient data in a cloud service, and evaluate staff training and readiness in terms of proper password protection and the like.

Equally important, says Whitlinger, is having a C-suite that fully supports IT security as a top priority. "In the most successful organizations, the CEO completely embeds protection of patient data within the culture."

Despite such precautions, some security experts maintain that data breaches are not a matter of if but when. Whitlinger contends that’s old thinking. "While breaches were more commonplace three to five years ago, they are becoming less and less common," because of the institution of security best-practices. "To a large degree, most people’s health information isn’t interesting to someone for financial gain," he added. "There’s not a strong motivation to steal that data for that purpose."


Electronic protected health information can bring a profit of $50 per record, which is much more than what hackers can gain from selling individual pieces of information like SS numbers ($3), birth dates ($3), or credit card numbers ($1.50) , according to a 2011 panel held at the Digital Health Conference. In 2012, the Ponemon Institute reported that 91% of small medical practices in North America had suffered a data breach in the previous 12 months. The same report said only about a third of the management teams in these organizations considered security and privacy a top priority.

While these statistics are disturbing, they don’t detract from one of Whitlinger’s main points, which is that "the benefits of health information exchange far outweigh the risk." Of course, the public has always had a hard time dealing with relative risks and benefits, and continues to be probability illiterate. That being the case, it’s unlikely any provider organization will have the courage to tell patients: Your records are relatively safe, but that’s the reality. HIEs, EMRs, and other healthcare databases are never going to be 100% theft-proof -- any more than your home security system or your credit card information is going to be. The sooner we understand that as a nation, the sooner we’ll see robust health data exchange.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
12/4/2013 | 10:56:10 AM
How Safe?
Your healthcare records and information being "relatively" safe is a bit like your being relatively pregnant. Especially when it comes to protecting health information, providers and exchanges need to go all-in on security.
User Rank: Author
12/4/2013 | 10:52:16 AM
Value of Health Data
I think your point that value of health data, on the open market, fetches far more than personal financial data, trumps whatever notion we may have about what criminals find of interest.  If it pays better, more criminals will go after it.  That's why we must healthcare data not only more secure, but more costly for criminals to exploit.  That may push their focus elsewhere, rather than reducing criminal activity, but the stakes in healthcare are so huge, we need every innovation we can get, including the one mentioned here.
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll