HITRUST Establishes Healthcare Security Working Group

Be it hacked pacemakers or compromised patient records, healthcare security is a terrifying field. The Health Information Trust Alliance (HITRUST) has now established a working group dedicated to the security of health information technology (HIT), including systems and medical devices.

The goal of the program is to avoid, report and mitigate vulnerabilities. Today, there is no standard means for recognizing and sharing flaws, nor are there standard processes for eliminating or mitigating them.

Entitled the Health Information Technology and Medical Device Integrity and Security Program, the working group will be composed of health information technology vendors, medical device manufacturers and health information systems users.

“Given the pace and complexities associated with protecting these systems, the private sector, not the government, should step up to manage this process,” said David Muntz, senior vice president and CIO at the GetWellNetwork and former principal deputy national coordinator and chief of staff at the Office of the National Coordinator (ONC), in a statement. “It needs to be practical and pragmatic, done quickly and with the flexibility required to match the rapidly evolving market.” “There is too much riding on the effectiveness and acceptance of these systems and we must ensure we maintain consumers’ confidence.”

The growing dependence upon HIT in an increasingly complex healthcare system, combined with the explosion of medical data, both personal and institutional, is creating new challenges in handling health information. This growth in collected data is also mirrored by the release of data from universities, research centers and other evidence-based investigators. In response, there is universal agreement among leaders across the healthcare ecosystem (patients and families, providers, payers, and vendors) that more must be done to provide efficient, safe, and secure access to information.

“Those of us who commit our careers to improving healthcare through technology share a common responsibility to the patients we care for to ensure the highest level of privacy and trust in regard to use of their data,” said Carl Dvorak, president of Epic Systems. “It is paramount that we establish industry-wide standards by which we measure our actions and our results with transparency. Epic supports high standards and full transparency to ensure that healthcare automation can be deployed in a trustworthy manner to reduce overall healthcare expenditures in our country while simultaneously improving patient outcomes and creating patient centered technologies.”

The working group will canvass the industry on existing clinical safety reporting capabilities, standards and best practices. With a specific focus on the HIT elements of healthcare, the working group will then develop a framework to help avoid, report and mitigate vulnerabilities, and to identify and document security-related issues, challenges and concerns, beginning with ideation into the system development life cycle through implementation, maintenance, and ending with migration or system retirement.

It will also have a feedback loop, and it plans to develop a means to monitor and report on the progress of the program as measured by the impact on the national HIT environment and the attitudes of the public.

“Children’s Health is committed to securely connecting the patient data ‘dots’ so we may deliver clinical information to the patient’s full care team, including those outside of Children’s network,” said Pamela Arora, senior vice president and chief information officer, Children’s Health. “We must work together to attain security of this data—a more secure environment begins with vulnerability awareness. This working group will help establish standard vendor vulnerability communication steps. With this knowledge, Children’s and others can add safeguards to increase the safety of patient data and promote the flow of clinical information across the continuum of care.”

A steering committee will provide a plan outline in the next 90 days with the specific goals and a schedule for the year. The working group will complete the initial phase of the industry survey by the end of Q2 2015.

“The benefits in terms of effectiveness and efficiencies to industry from this group will be both short and long term, from better requirements and guidance to timely and consistent vulnerability reporting and disclosure, to name a few,” said Daniel Nutkis, CEO, HITRUST. “We will take into account risks and threats to industry in prioritizing the deliverables.”
