ONC Leader: Privacy, Security Remain Top Priorities
Rucker Outlines Work Underway Despite Elimination of Chief Privacy Officer Position
Although the Office of the National Coordinator for Health IT is phasing out its chief privacy officer position, a focus on data security and privacy will continue to be interwoven into all the work the office does, especially its efforts around electronic health record interoperability, the head of the office pledged this week.
"Thinking about privacy and security is really throughout the agency - the standards and the policy [advisory committees] have always been working on this. It is at the heart of any form of interoperability," Donald Rucker, M.D., who heads ONC, said during a Tuesday media briefing.
Rucker was named in March to head ONC within the Department of Health and Human Services. ONC, which developed guidelines for the HITECH Act electronic health record incentive program, now focuses on advancing nationwide secure electronic exchange of health information.
Among the top priorities of the ONC leadership team under the Trump administration are efforts to make the use of EHRs less burdensome, improve the ability to share data among EHR systems and boost patients' access to their own health data. A key component of these efforts, Rucker says, is the use of open application programming interfaces.
"The first step of thinking about interoperability is thinking about security," he said. "When we talk about open API, this is not just opening the door and everyone can come in. These are open APIs with authorization and trust networks and encrypted passwords and things like that."
"So, there's an entire stack of privacy and security concerns that are really technical that are throughout the agency. We will absolutely continue with that," he said. That pledge comes despite the Trump administration's fiscal 2018 HHS budget proposal to eliminate ONC's office of the chief privacy officer, which was a key position during the Obama administration's two terms.
"The secretary has a lot going on in cybersecurity," Rucker said, referring to HHS Secretary Tom Price's leadership of efforts to, for example, bolster cyber threat information sharing in the healthcare sector (see HHS Cyber Info Sharing Center: Is it Needed?). Privacy and security "is implicit in every single thing that we do," Rucker said.
Among the hurdles related to improving EHR interoperability and patients' access to health data are implementing authentication and other technologies that are easy to use, yet secure, he said. For instance, authentication methods that work well for consumers in other industries might not be a great fit for the needs of healthcare users, he noted.
"It is a challenge. What is the right security model if I have an app? What is the security on your bank app?" he asked. "There are different approaches because the authentication options are different for a healthcare system than for a vendor because a healthcare system actually knows something about a patient that it can ask ... a database sort of verification. So there are [a] lot of different strategies here."
Important data security issues will be examined throughout ONC, Rucker stressed. "It's a lot more important [issue] than to leave with one person," such as an ONC chief privacy officer, he said.
With the elimination of its office of the chief privacy officer, ONC will continue to closely collaborate with its HHS sister agency - the Office for Civil Rights, which enforces HIPAA - to tackle various privacy and security issues, Rucker said.
"We're in early discussions with OCR, working with them on how to parcel out certain tasks," he said. That work includes trying to lift the "HIPAA misconceptions" healthcare providers still have, especially as it relates to "patients' electronic right to access their records," Rucker said.
"Obviously privacy and security is really embedded throughout the stuff that we do. It is a complex thing and sits in pretty much every facet of regulation writing."
21st Century Cures Act
Touching upon the theme of interoperability and secure data exchange, ONC is also charged with carrying out certain key health IT provisions of the 21st Century Cures Act, which was signed into law last year.
Those provisions include ONC convening appropriate public and private stakeholders to develop or support a framework for trust policies and practices, such as a common method for authenticating health information network participants.
To help accomplish that, ONC is hosting a series of public meetings and webinars - the first on July 24 - on the trusted exchange framework and common agreement. Those provisions are "an integral component of the nationwide network-to-network exchange of health data and a critical part of ONC's charge to support nationwide interoperability," ONC says in a statement.
'Cat and Mouse Game'
When asked if there are ways that HHS can better incentivize healthcare organizations through regulations to bolster their cybersecurity, Rucker noted that some issues are outside the scope of regulators.
"It's worth pointing out that a lot of cybersecurity [weaknesses are due to] not maintaining operating systems and things that are totally out of the control of federal regulatory agencies," he said.
"There are a lot of attacks that come against these systems from directions that are not purely technical - they are social engineering attacks in large part. And there's so much complexity in all of these systems and operating systems that I think CIOs - not that they haven't been quite vigilant in general - but we all have to be hyper vigilant in maintaining up-to-date operating systems.
"It's a cat and mouse game. ONC will continue in the [EHR] certification process [with] appropriate security standards, as we have."