Is ONC's 'Trusted Exchange Framework' Doable?CISOs, CIOs, Weigh the Pros and Cons of ONC's Security Proposals
While a draft "trusted exchange framework" unveiled last week by federal regulators includes proposed components that could raise the bar for the security of health data exchange, some experts caution that elements included in the final document should not be overly prescriptive.
The voluntary framework announced on Jan. 5 by the Department of Health and Human Services' Office of the National Coordinator for Health IT proposes some security components that are more specific than what's required by HIPAA, explaining that not all of the participants in networks that adopt the framework will necessarily be HIPAA-covered entities or business associates (see Analysis: Security Elements of 'Trusted Exchange Framework').
The draft framework's tougher security proposals include more detailed authentication and identity proofing specifications and quicker breach notification than mandated under HIPAA.
For example, the draft framework proposes setting minimum policy requirements around identity proofing and authentication levels, using the National Institute of Standards and Technology 800-63 publication," referring to NIST's digital identity guidelines.
The draft framework notes that any covered entity or business associate that's a participant in a trusted exchange must comply with all applicable breach notification requirements under HIPAA, which requires breaches affecting 500 or more individuals to be reported within 60 days of discovery.
However, the proposed framework says each participant of the exchange must notify, in writing, the health information network no later than 15 days after discovery of the breach to allow other affected parties to satisfy their reporting obligations.
Pros and Cons
Cris Ewell, CISO of University of Washington Medicine, says he's not opposed to considering a framework that could potentially help improve secure exchange of electronic health data. "But there are some concerns with the [draft's] current language in how the covered entity will comply and ensure that we can meet the participant obligations," he says. "The idea of creating an environment that exchanges healthcare information and protects the data is a good goal."
While Ewell says he's "not a fan of checklist compliance to drive the information security goals of an organization," some of the framework proposals "make sense," he adds. "For some elements, such as authentication/authorization, you do need to specify the requirements necessary to participate and ensure that we can trust the data/transaction."
He contends, however, that the 15-day breach notification requirement "can result in false notification. In a complex healthcare system, it may take longer than two weeks to complete the forensic investigation to determine unauthorized access, use or disclosure of the ePHI. As with business associate agreements [under HIPAA], before entering a shared use of data agreement, we need to determine timeframes for reporting as well as requirements for reimbursement for investigation/ notification costs related to the specific breach."
Ewell also is concerned about the draft's specifications tied to the NIST Cybersecurity Framework guidelines. "While we currently look at and integrate the NIST requirements into our information security program, developing a risk mitigation process to comply with the NIST CSF requirement is certainly a large step above the current HIPAA Security Rule requirements and require some additional review to determine the full impact," he says.
Complying with the trusted exchange framework's proposals would require some additional work for many healthcare entities. "With our current systems, we would not be able to comply with the exchange requirements without some additional investments," Ewell says. "I suspect that many other organizations and our partners will be in the same situation."
Raising the Bar?
Some security experts, however, say that raising the bar for secure health data exchange is a constructive move.
"The Trusted Exchange Framework generally represents a positive step forward for the healthcare sector toward the realization of information liquidity for patients and providers," says Jim Routh, CISO of health insurer Aetna, and a board member of the National Health Information Sharing and Analysis Center. "This is a good idea. The ONC's proposals help address the fundamental shifts in the cyber threat landscape over the past five years, combined with the acceleration of emerging technology - mobile, cloud, wearables, etc. - for both patients and providers."
But not all healthcare sector organizations are prepared to jump on the bandwagon for enhanced data exchange security.
"Enterprises with mature security programs will be more receptive than those enterprises that have limited resources available and struggle with dealing with software currency across a highly diverse technology stack and view mandated security policies as an unnecessary expense," Routh says.
"I believe that HIPAA has fundamentally changed information protection practices for healthcare largely for the better over the past 15+ years. However, we need to continue to make significant advances to meet the current and future security requirements of the sector."
For instance, Routh points to the need for all sectors, including healthcare, to raise the bar on authentication standards and practices. "One example of this is related to patient authentication that is highly dependent on the use of passwords - in all sectors - that are over time growing in obsolescence at the same rate that compromised credentials - estimated at 3 billion in 2016 alone - available to criminals are growing," he says.
While some experts say proposed security elements of the framework appear to extend beyond what's called for under HIPAA, ultimately, "the governance framework is voluntary," notes John Halamka, CIO of Beth Israel Deaconess HealthCare in Boston.
"This means that ONC is acting as a catalyst and will leave the details to the private sector. It's likely that private sector stakeholders will implement practical, available technologies that balance security and utility."
ONC is accepting public feedback on the draft framework until Feb. 18 and plans to make refinements before issuing a final version later this year.
Kathryn Marchesini, who was named new ONC chief privacy officer on Wednesday, acknowledges that the framework is aiming to address security and privacy issues involving entities that access or exchange health data - but are not covered by the HIPAA rules.
"From my perspective, the real crux of the issue when you're dealing with entities covered by HIPAA, or not, is is there a way to build a safety net," she says. "We've heard a need for an equal playing field," Marchesini told reporters during a press briefing on Wednesday.
If certain security proposals end up being included in ONC's final trusted exchange framework, the impact could be mixed, some security experts contend.
"Anytime regulations drive security practices, there has been and will be a combination of results that are positive in certain situations and limited or negative in other situations," Routh says. "An example of this is legislative initiatives at the state and local level calling for data at rest encryption standards. Encrypting data at rest in a data center offers limited risk protection with a substantially high cost of implementation. An example of a better use of resources is the improvement in privileged user management."
Ewell adds: "We have seen in the past that compliance with regulations is not enough to prevent unauthorized access. As with all information security requirements, there needs to be a balance with the usability of the systems and the security of the data. Technology or requirements to implement technology or practice sets alone will not solve the problem of unauthorized access, use or disclosure of ePHI.
"Understanding the specific threats and implementing reasonable controls that mitigate these risks for each CE is what we strive to do and is the basis for the HIPAA Security Rule that gives the flexibility to the CE based on the risks."
Answering Congressional Call
In releasing the framework, ONC is taking steps in answering a call by Congress for increased health IT interoperability and health data exchange as laid out in the 21st Century Cures Act that was signed into law in 2016.
That legislation is aimed at accelerating medical innovation, including easing the exchange of data among various health information networks to support timely, appropriate treatment decisions.