Privacy and Security Risks and the National Health IT Infrastructure

A national health information technology infrastructure (NHITI) is not only necessary but cardinal to improving the delivery and reducing the costs of healthcare in the United States.

As part of the 2009 HITECH Act, a national health information technology infrastructure (NHITI) is required for access to and use of electronic health records, resulting in a more “effective marketplace, greater competition... [and] increased consumer choice” (HITECH Act, Section 3001(b)). Such a system is not only necessary but cardinal to improving the delivery and reducing the costs of health care in the United States. Properly executed, an NHITI with appropriate controls and security protocols will have the means to protect individual electronic health records (EHRs), prevent provider mistakes, report errors and audit abuses of the health system.

A letter from Dr. David Blumenthal, National Coordinator for Health Information Technology, restated the requirements of the HITECH Act and the reasons for an NHITI. Blumenthal stresses that the key premise of the technology infrastructure is to allow information to follow patients while removing any technical, business and bureaucratic obstacles from the process of sharing an EHR. He also states that “Americans must also be assured that the most advanced technology and proven business practices will be employed to secure the privacy and security of their personal health information.”

The best process for defining the operation of an NHITI should start with a working group focused on national standards for the interoperability and security of a health information exchange. Working groups should be composed of an interdisciplinary group of industry experts tasked with creating a national open protocol for the secure and private transfer of electronic health information. Ideally, such an exchange would occur over a private and secure network limited to health care providers and required users, with limited and monitored access. Public access to personal healthcare records should use secure gateways similar to the architecture used on Department of Defense (DoD) classified networks. It is also important to note that most security violations occur internal to an organization. Internal security, privacy and access controls may be more important to securing the national health information infrastructure, although perimeter controls are by no means useless. Working groups to develop security and privacy policies for internal use of data, perimeter controls of the exchange and interoperability of data exchange should all be formed as soon as possible.

A nationwide health information data exchange will contain extremely private and personal health information. The public has no reason to fear such a data repository if proper measures are taken to manage security and privacy risks. Dr. Blumenthal emphasizes the importance of this network and the need for strong security, but are we heading in the right direction to satisfy the necessary requirements?