Seeking Secure Health Information Exchange - InformationWeek


10:25 AM
Paul Cerrato

Seeking Secure Health Information Exchange

The New York eHealth Collaborative is among several forward-thinking organizations that are helping make HIEs private and secure.

In healthcare IT security, there are lots of villains to contend with, but the heroes also deserve attention. The New York eHealth Collaborative (NYeC) is among several that come to mind.

NYeC’s stated goal is simple enough: Improve the healthcare of all New Yorkers through the creation of the statewide health information network for New York, an endeavor they call SHIN-NY. In reviewing the numerous data breaches that have plagued US hospitals and practices, one of the missteps that surfaces over and over among offending providers is the unwillingness to do a detailed risk assessment before their records were breached. NYeC is at the forefront, doing their best to break this irresponsible mindset.

When ONC released a HIT security risk assessment questionnaire in 2011, for instance, NYeC was quick to outline the nuts and bolts to help providers get up to speed. Similarly, it has published a variety of tools and resources to help members meet the Meaningful Use requirements on security.

"A large number of very reputable shops are out there that will do a risk assessment if you don’t have the in-house talent," said David Whitlinger, executive director at NYeC, during a recent phone interview. "I would highly encourage organizations to hire a third party. Those types of organizations have been trained for years in other industries." These specialists will check to see if your laptops are encrypted down to the hard drive level, determine the risks incurred if patient data is allowed on individual devices, review the advantages and disadvantages of storing patient data in a cloud service, and evaluate staff training and readiness in terms of proper password protection and the like.

Equally important, says Whitlinger, is having a C-suite that fully supports IT security as a top priority. "In the most successful organizations, the CEO completely embeds protection of patient data within the culture."

Despite such precautions, some security experts maintain that data breaches are not a matter of if but when. Whitlinger contends that’s old thinking. "While breaches were more commonplace three to five years ago, they are becoming less and less common," because of the institution of security best practices. "To a large degree, most people’s health information isn’t interesting to someone for financial gain," he added. "There’s not a strong motivation to steal that data for that purpose."


Electronic protected health information can bring a profit of $50 per record, which is much more than what hackers can gain from selling individual pieces of information like SS numbers ($3), birth dates ($3), or credit card numbers ($1.50), according to a 2011 panel held at the Digital Health Conference. In 2012, the Ponemon Institute reported that 91% of small medical practices in North America had suffered a data breach in the previous 12 months. The same report said only about a third of the management teams in these organizations considered security and privacy a top priority.

While these statistics are disturbing, they don’t detract from one of Whitlinger’s main points, which is that "the benefits of health information exchange far outweigh the risk." Of course, the public has always had a hard time dealing with relative risks and benefits, and continues to be probability illiterate. That being the case, it’s unlikely any provider organization will have the courage to tell patients: Your records are relatively safe, but that’s the reality. HIEs, EMRs, and other healthcare databases are never going to be 100% theft-proof -- any more than your home security system or your credit card information is going to be. The sooner we understand that as a nation, the sooner we’ll see robust health data exchange.

12/4/2013 | 10:56:10 AM
How Safe?
Your healthcare records and information being "relatively" safe is a bit like your being relatively pregnant. Especially when it comes to protecting health information, providers and exchanges need to go all-in on security.
12/4/2013 | 10:52:16 AM
Value of Health Data
I think your point that value of health data, on the open market, fetches far more than personal financial data, trumps whatever notion we may have about what criminals find of interest. If it pays better, more criminals will go after it. That's why we must make healthcare data not only more secure, but more costly for criminals to exploit. That may push their focus elsewhere, rather than reducing criminal activity, but the stakes in healthcare are so huge, we need every innovation we can get, including the one mentioned here.