The Gap in HIPAA’s Requirement for Encryption in Transit and at Rest

This post is going to get a wee bit technical, so bear with me. There is a well-publicized HIPAA requirement that

PHI (protected health information) must be encrypted in motion and at rest.

This requirement has been interpreted to mean that:

  • PHI transmitted over a network (or even carried via removable media) must be encrypted
  • Data on disk must be encrypted

HHS documents often refer to NIST’s Guidelines on TLS. (TLS has replaced SSL everywhere except in everyday conversation.) What the current Heartbleed problem with OpenSSL lays bare for all to see is the gaping hole in what “encryption in motion” can mean.

The problem is that, for the most part, the encryption in motion is different from the encryption at rest. Different algorithms and keys are used, and different systems are responsible for the cryptography. Simply put, this means the data is decrypted, and sits in plaintext, at the point where it moves from the network to the disk.
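One way to close that gap is to encrypt the payload at the application layer, under a key that only the two endpoints hold, so the web server that terminates TLS and writes the message to disk never holds plaintext at all. The Go program below is an added illustration, not Cloak Labs’ code and not a description of their product’s internals: the endpoint names, the sample HL7 segment and the “relay” that stands in for the web server are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample standing in for a PHI payload (an HL7 PID segment with
// made-up values). Not real patient data.
const samplePHI = "PID|1||MRN-000123^^^HOSP||DOE^JANE||19620101|F"

// newMessageKey returns a fresh 256-bit key. In a deployment this key is
// provisioned to the two endpoints only, never to the relay in between.
func newMessageKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealPHI encrypts plaintext with AES-256-GCM. The output is nonce || ciphertext || tag.
// assoc (for example "sender->recipient") is bound as associated data, so a message
// sealed for one pair of endpoints cannot be replayed to a different pair.
func sealPHI(key, assoc, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, assoc), nil
}

// openPHI reverses sealPHI and fails on any change to the ciphertext, tag or assoc.
func openPHI(key, assoc, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, assoc)
}

// relayStore models the web server that terminates TLS and writes the message to
// its disk queue. It reports whether the bytes it handled ever contained the
// plaintext; without the message key they cannot.
func relayStore(received []byte) (stored []byte, sawPlaintext bool) {
	stored = append([]byte(nil), received...) // the copy stands in for "write to disk"
	return stored, bytes.Contains(stored, []byte(samplePHI))
}

// Result summarises one end-to-end run.
type Result struct {
	PlaintextAtRelay        bool   // did the relay ever hold PHI in the clear?
	Recovered               string // what the receiving endpoint decrypted
	TamperDetected          bool   // was a one-byte change to the stored copy caught?
	ContextMismatchDetected bool   // was delivery to the wrong endpoint pair refused?
}

// demo sends the sample PHI from the practice endpoint, through the relay, to the
// scheduling endpoint (constructed names).
func demo() (Result, error) {
	key, err := newMessageKey()
	if err != nil {
		return Result{}, err
	}
	assoc := []byte("pms.practice.example->scheduling.example")
	sealed, err := sealPHI(key, assoc, []byte(samplePHI))
	if err != nil {
		return Result{}, err
	}
	stored, saw := relayStore(sealed)
	plain, err := openPHI(key, assoc, stored)
	if err != nil {
		return Result{}, err
	}
	corrupted := append([]byte(nil), stored...)
	corrupted[len(corrupted)-1] ^= 0x01 // flip one bit of the stored copy
	_, tamperErr := openPHI(key, assoc, corrupted)
	_, ctxErr := openPHI(key, []byte("pms.practice.example->lab.other.example"), stored)
	return Result{PlaintextAtRelay: saw, Recovered: string(plain),
		TamperDetected: tamperErr != nil, ContextMismatchDetected: ctxErr != nil}, nil
}

func main() {
	r, err := demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

The point of the relay check is that “encrypted in motion” (TLS) and “encrypted at rest” (disk) are both satisfied by the relay, yet only the application-layer layer keeps the relay’s RAM and disk out of scope; the AEAD tag also gives the receiver integrity, which neither TLS nor disk encryption provides across the hand-off.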

Cloak Labs’ technology allows a message to go from one server behind a firewall to another server behind a second firewall without exposing either server to the outside world. Inbound firewall ports don’t need to be opened on either side and the data stays encrypted in webserver RAM, essentially adding an extra barrier between your sensitive data and potential attackers.

The Cloud in Healthcare – Top 10 Takeaways from iHT2 San Francisco

March 30, 2012 / CloudPrime, Healthcare

In the spirit of David Letterman’s top 10 lists here are our takeaways from the San Francisco iHT2 event this past week.

  1. IHPs (large integrated health providers, such as university systems) are by and large going with EPIC for their EHR solutions, thereby automatically forgoing a degree of flexibility and any chance of real near-term interoperability.
  2. The historical problems of security, reliability, and control with Cloud-based solutions are being rapidly overcome, and the cost savings from hosting data and applications in the Cloud are becoming so compelling that increasingly complex medical organizations and systems will require the Cloud in order to be effective and efficient… or risk becoming extinct.
  3. The healthcare system, as usual, is the last great industrial complex to accept collaboration and efficiencies based on advances in information technology.
  4. There has been a dramatic shift in the last two years toward the use of mobile and portable devices in all aspects of care, and this will only increase.
  5. Nobody can really define the phrase “HIPAA compliance”; it is best approached and understood as a process, and it is not just about security.
  6. 30% of the sponsoring vendors were cloud-oriented.
  7. Edge (last-mile) connectivity in a HIPAA-compliant fashion was a common pain point, from small patient practices to large integrated health providers.
  8. Cloud-based service platforms that are more nimble, and can therefore handle the growing complexity of connectivity, interfacing, and interoperability, are available and should be considered.
  9. The cloud mitigates the need for traditional software upgrades and release cycles.
  10. CIOs and CMIOs are opting to outsource for best-of-breed services and applications, driven by skilled healthcare IT resources becoming increasingly scarce and by more robust SaaS/cloud-based options becoming available.

One Person’s Experience with Healthcare Interoperability

March 22, 2012 / CloudPrime, Healthcare

…or, Who Suffers When the Dots Cannot be Connected?

I have had the unfortunate experience of having my wife of over 30 years pass away from pancreatic cancer. She lived for 18 months from her initial diagnosis. Prior to that she had been a very healthy 62-year-old. During the course of her illness, she was treated in five different hospitals, was under the care of over 40 physicians, and had numerous surgical and diagnostic procedures. One might say, “Well, this was certainly an edge case.” But hasn’t experience shown that it is the edge cases that bring out the flaws in the system? While I participated in her long and painful journey I came to realize that in spite of all the assertions made about information exchange and interoperability in healthcare, they are almost nonexistent once you go outside the four walls of a hospital.

The fact is, unless the patient or their family takes responsibility for the information that different hospitals and doctors will require when they come on board, they will have no reasonable way to have access to that data. During my wife’s illness, on numerous occasions, I had to hand carry DVDs, CDs, or memory sticks so that other physicians could see the results of CT scans and radiology reports. I had to manually maintain a spreadsheet of her medications since there was no centralized system that was kept up to date, even where she was being treated. Obviously, the more manual recording the greater the chance for error, not to mention lost time.

I am writing this blog as a call to action. While many are wringing their hands over healthcare costs, in my opinion IT Vendors and Hospital Administrators are doing a great disservice to patients and medical personnel by not forcing their vendors to make it a high priority to improve interoperability and information exchange. As we all know, there are a number of high level committees and organizations that are working on this problem. However, their progress is slow and the need is now.

Many of them have not even thought through how the Cloud can be a game changer.

The reality is that if Apple can provide iCloud so that users can upload all their content of different types to a single user ID and then deliver it to multiple devices, it is not so far-fetched that the same capability could be applied to patient records. Patients typically have single identifiers. The notion that information stored in the Cloud is neither secure nor easily accessible has been proven to be a myth.

In addition, there are companies who provide low cost HIPAA compliant secure messaging solutions that can be implemented in minutes that will securely transfer data to and from the Cloud as well as between applications hosted in the Cloud.

It is my belief that if as much attention and investment is focused on medical information exchange as has been placed on making billing systems interoperable, we will have not only improved patient care but a more efficient use of our medical resources as well.

New Healthcare Integration Challenges for ISVs

With new regulation comes new opportunity. New healthcare requirements around the digitization of health information have caused a wide variety of start-ups and services to surface. Innovation is great, but very few standards are being adhered to, causing a lot of headaches for ISVs working with new customers to implement their systems.

If a hospital, physician, or clinical lab would like to start using a new product or service, that application needs to be able to communicate with older systems that may not be ready for retirement. Who will be responsible for ensuring that the two systems can interface with each other? How much will this cost, and what impact will it have on deployment schedules? This typically falls on the vendor, and a solutions specialist needs to be brought in.

Take for example a practice management system (PMS) at a physician practice that now needs to communicate with a scheduling system that resides in an off-site data center. The PMS will need to exchange HL7 SIU scheduling messages with the scheduling system securely, meeting HIPAA requirements for health information exchange.

In order for this to happen, a secure connection between the two endpoints needs to be established, application interfaces need to be built, firewall ports need to be opened, and eventually a mechanism for authenticating each endpoint must be implemented (see the Wikipedia article on HIPAA under “Security Rule”). What seemed to be a simple roll-out of a new system now requires professional services, network changes, and protocol conversion if a different transport protocol is in use.

These integrations and roadblocks can lengthen sales cycles and implementation times, making it harder to sell while decreasing margins for the ISV, not to mention the burden this may place on the customer.

Once an integration occurs, it is also necessary to monitor and maintain the network, which requires IT resources that may not have previously existed or may not have the bandwidth to support an increasing number of integration points.

As part of your integration strategy, it is important to evaluate build versus buy:

– What will be the cost impact of rolling out a VPN and an application interface for each endpoint?

– What will be the cost of managing and maintaining that network?

– Who will bear the cost?

– What impact will this have on implementation times and sales cycles?

– As compliance regulations change, how will this impact your solution and margins?

Healthcare interoperability is an extremely important part of HIPAA regulations, and a lot of health IT professionals will be focused on it; but as an ISV, connectivity may not be part of your core offering, making it a distraction instead of an opportunity. If the numbers do not add up, it may make sense to use an application integration service as part of your value proposition to the customer, making implementation smoother and decreasing network costs.

Preparing for Health Application Interoperability

2011 is going to see a dramatic increase in the adoption of EHR software, and digital patient information exchange will become an even greater priority in order to meet Stage 1 meaningful use requirements.

If you are an IT manager, this looks like it will require an all-hands-on-deck effort and a huge shift in how things have been run throughout your organization. Since all patient data will need to be exchanged digitally in a safe and reliable way, you will be tasked with:

  • Ensuring application interfaces can connect internally as well as make connections outbound through your firewall
  • Making sure your IT ecosystems are documented carefully to determine where the holes are in internal and outbound connectivity
  • Allocating resources for managing all new connections and configuring your firewall to accept new connections
  • Dedicating staff to managing the new network; either adding to overhead or detracting from other initiatives within the organization

Some things to think about in 2011 as you prepare to meet these new requirements are:

1. Meaningful Use Incentives: Registration for the EHR Incentive Program started on January 3rd.

2. New Infrastructure: New processes will need to be learned as you begin interfacing to all the EHRs, PMSs, HIEs, physician groups, clinical labs, etc. being brought onto the network.

3. Security: All patient health information will need to be encrypted and transported securely in order to meet HIPAA compliance.

4. Training: Staff will need to be trained and allocated to manage these networks. As your network continues to grow, so will the resources required to support and manage it. Changes in your firewall will need to happen and application interfaces will need to be built.

5. Solution Providers: HISPs (Health Information Service Providers) will need to be selected. Not everything can/should be done in-house, so you will need to determine how to minimize the total impact of these new application interoperability requirements. Your EMR may already provide application interfaces, but it is possible that many of your systems do not support outbound connectivity.

2011 will bring a lot of change for the healthcare industry as a whole, and with that change, progress. Despite the huge burden these new regulations will have on IT departments large and small, the end game will produce a cohesive, secure and reliable patient information exchange that improves the quality of care for all Americans.

Health Care as the New Enterprise — Sort Of

September 14, 2010 / CloudPrime, Healthcare

When most people talk about “The Enterprise”, they are referring to large corporate establishments. We all know it is really a fictional craft sailing through the far reaches of space to “boldly go where no person has gone before”.

[You either hate me or love me at this point]

All kidding aside, I recently engaged in a discussion with a friend who asked if Cloak Labs works for “The Enterprise”. I am assuming that he meant corporations in the traditional sense, and when I responded that our customers in the Health Care space are enterprise customers, he looked at me with dismay.

When most people hear “The Enterprise”, they think of supply chain management, financial transactions and CRM tools to name a few. Rarely do I hear people mention Health Care (Health Care Networks, hospitals, physician groups, clinics, state agencies, etc.) when describing who their enterprise customers are.

In large part, I think this is due to the Health Care industry historically being a late adopter of technology, and thus viewed as an outsider to The Enterprise discussion. With the recent stimulus funding, the passing of the HITECH Act, and stricter HIPAA compliance regulations, the Health Care industry is consuming enterprise-grade applications and systems on an unparalleled scale and is quickly gaining a lot of attention from business and solution providers who wish to peddle their goods to anyone and everyone in Health Care.

A parallel can be drawn to the late 80s (through today), when businesses began leveraging the Internet to connect to other systems within their trading community or across their organization (think EDI, leased lines, VANs, MFT, etc.). The Health Care industry is being challenged by a similar problem in that it is required to connect all systems to the health information exchange to allow for secure digital transmission and ubiquitous access to electronic health records.

While many still do not think of the Health Care industry as an enterprise-class market, it is hard to ignore how much focus companies like GE, IBM, and Intuit are putting into this space, signaling that the major players in enterprise-grade solutions have a different perspective on what is and is not “enterprise”.