Health Information Exchange Best Practices
The healthcare industry has been transforming in accordance with the advancement of technology and one of the primary points of concern is the safe and efficient exchange of sensitive information. Even though the concept of electronic health information exchange was introduced almost 10 years ago, there are still many issues to take care of, such as storage security or proper EHR platform installation.
In order to keep sensitive information safe and secure and optimize the processes of its exchange and storage, it is important to follow the HIE best practices that we collected in this article.
Health Information Exchange: definition and main benefits
Health Information Exchange is the process of transmitting healthcare information in electronic format (i.e. the transmission of electronic health records). The information can be shared between a healthcare organization and a patient, between two healthcare organizations, between medical specialists, etc.
The main goal of HIE is to make the process of transmitting information faster and easier. Instead of a mundane manual transmission (including filling in the record and then passing it to a recipient), HIE allows the patient’s data to be transmitted in mere seconds in a highly secure manner.
Health Information Exchange brings multiple benefits both to the medical specialists and the patients:
- Elimination of paperwork and, as a result, faster and more accurate data processing,
- Elimination of unnecessary or duplicate testing by providing all the necessary information that is kept in one place,
- Providing a complete view of a patient’s state,
- Significantly saving time on receiving critical information,
- Centralization of the patient’s health information,
- Providing immediate access to the data to the allowed parties.
Types of HIE and forms of information storage
There are several types of Health Information Exchange:
- Directed exchange: exchange of healthcare information between the medical specialists or healthcare establishments in order to enable coordinated care.
- Query-based exchange: when a medical specialist can find the information about the patient in a database or request it from other specialists or establishments (i.e. make a query).
- Consumer-mediated exchange: when a patient can access and control their information.
There are also different forms of healthcare information storage: decentralized, centralized, and hybrid. Decentralized storage means that healthcare records are stored in independent repositories and thus the access to the data is strictly controlled. Centralized storage implies data collection from all HIE participants and its further storage in a single repository. Hybrid storage combines the features of both decentralized and centralized storage.
Electronic Health Records: what are they?
Before looking at the HIE best practices, it is important to discuss electronic health records first.
Electronic health records are the cornerstone of HIE. These are the patients’ records that are stored in electronic format and contain all the information about the patient, including past visits to the doctors, prescriptions, conditions, etc.
Even though there are still many healthcare facilities that have not yet switched to EHR, the majority of institutions have recognized the benefits that EHR brings. However, the transition to the use of EHR also imposes certain obligations. For example, the biggest point of concern for any medical establishment that uses EHR is its compliance with HIPAA, which stands for Health Insurance Portability and Accountability Act. HIPAA heavily focuses on the privacy and security of the patients’ data and the way it is stored and processed, so any company that works in the healthcare industry should ensure that its services comply with HIPAA.
Considering the amount of sensitive patients’ data stored electronically, it is important to define a few practices to follow to ensure the security of information storage and transmission between the parties.
Best practices to secure the data and its transmission
HIE deals with massive amounts of sensitive patients’ data that needs to be secured. In order to do so, one needs to follow certain security practices that are aimed at protecting the data from both internal and external threats.
Protection of data in transit
When we talk about data security, there are two data states to account for: data at rest and data in transit. While data at rest includes all data storage objects, data in transit is actually the data that is being transmitted. As you might guess, the Health Information Exchange deals with data in transit a lot.
The most common and surefire recommendations on the security of data in transit include:
- Use of SSL/TLS protocols,
- Use of VPN,
- Isolation of communication channel,
- Use of ExpressRoute for moving large datasets.
Luckily, there are many available solutions like Microsoft Azure that can help secure the transmission of data between the parties.
Authentication and access roles
HIE involves a great number of people who have access to the data and the authority to manage it. Hence, another critical aspect to consider is user authentication and distribution of corresponding user roles.
In order to enhance user authentication, one should implement the following:
- Store user passwords in an encrypted format and use special tools for it (such as bcrypt),
- Mark cookies as secure to prevent cookie theft,
- Enable deletion of all cookies upon logging out,
- Enable session expiry,
- Implement one-time login links (optional),
- Limit the number of login attempts,
- Use two-factor authentication.
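Several items from the checklist above (hashed password storage, limited login attempts, session expiry, secure cookies and cookie deletion on logout), sketched as an added example that is not code from the original article. PBKDF2 from Python's standard library stands in for bcrypt so the block runs without third-party packages; the thresholds, the `sid` cookie name and the `LoginGuard` class are assumptions.

```python
import hashlib, hmac, os, time
from http.cookies import SimpleCookie

# All thresholds below are assumed values for illustration.
MAX_ATTEMPTS, LOCKOUT_SECONDS, SESSION_TTL = 5, 900, 1800
PBKDF2_ROUNDS = 600_000

def hash_password(password, salt=None):
    """Return (salt, digest); PBKDF2 stands in for bcrypt here."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_password(password, salt, expected):
    return hmac.compare_digest(hash_password(password, salt)[1], expected)

class LoginGuard:
    """Limits login attempts per account and issues expiring sessions."""
    def __init__(self, users):
        self.users = users                      # username -> (salt, digest)
        self.failures = {}                      # username -> failure timestamps
        self.dummy = hash_password("unused")    # equalises work for unknown users

    def login(self, username, password, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.failures.get(username, []) if now - t < LOCKOUT_SECONDS]
        self.failures[username] = recent
        if len(recent) >= MAX_ATTEMPTS:
            return None                         # locked out: password is not checked
        salt, digest = self.users.get(username, self.dummy)
        if verify_password(password, salt, digest) and username in self.users:
            self.failures.pop(username, None)
            return {"user": username, "expires": now + SESSION_TTL}
        recent.append(now)
        return None

def session_valid(session, now=None):
    """Session expiry: reject anything past its deadline."""
    now = time.time() if now is None else now
    return session is not None and now < session["expires"]

def session_cookie(session_id, logout=False):
    """Build the Set-Cookie value; logout=True tells the browser to delete it."""
    cookie = SimpleCookie()
    cookie["sid"] = "" if logout else session_id
    cookie["sid"].update({"secure": True, "httponly": True, "samesite": "Strict",
                          "path": "/", "max-age": 0 if logout else SESSION_TTL})
    return cookie["sid"].OutputString()
```

In a real deployment the failure counters and sessions would live in shared storage rather than in process memory, so that every application instance enforces the same lockout.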
As for the user roles, it is a must to have different access levels for different user roles so that sensitive data will not be managed and processed by all the users who have access to HIE.
Since HIE involves many channels and recipients, it is important to have multiple APIs for seamless data processing. Therefore, developers should secure the APIs as well in order to prevent any possible intrusions.
One of the primary points of concern is the vulnerability of the APIs in the face of such external threats as injections. The most common injection threats include SQL Injection, XML Injection, RegEx Injection. Therefore, when designing an API, a developer should implement the necessary threat protection and never release a non-protected API.
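The SQL and RegEx injection risks named above, shown as a weak lookup beside its hardened form (an added example, not code from the original article). The `records` table, the organisation and patient identifiers and the function names are constructed for illustration.

```python
import re
import sqlite3

def make_db():
    """In-memory store with constructed sample records from two organisations."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (patient_id TEXT, org TEXT, note TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)", [
        ("P-1001", "clinic-a", "allergy: penicillin"),
        ("P-1002", "clinic-a", "annual checkup"),
        ("P-2001", "clinic-b", "x-ray follow-up"),
    ])
    return db

def query_unsafe(db, org, patient_id):
    # Weak: request input is pasted into the statement and parsed as SQL.
    sql = f"SELECT note FROM records WHERE org = '{org}' AND patient_id = '{patient_id}'"
    return [note for (note,) in db.execute(sql)]

def query_safe(db, org, patient_id):
    # Hardened: placeholders bind the input as data, never as SQL syntax.
    sql = "SELECT note FROM records WHERE org = ? AND patient_id = ?"
    return [note for (note,) in db.execute(sql, (org, patient_id))]

def search_notes(db, org, term, max_len=64):
    # RegEx injection guard: cap the length and escape metacharacters so the
    # term is matched literally instead of being compiled as a pattern.
    if len(term) > max_len:
        raise ValueError("search term too long")
    pattern = re.compile(re.escape(term), re.IGNORECASE)
    rows = db.execute("SELECT note FROM records WHERE org = ?", (org,))
    return [note for (note,) in rows if pattern.search(note)]

# Constructed input of the kind an injection test would send as patient_id.
CRAFTED_ID = "x' OR '1'='1"
```

With the crafted identifier, `query_unsafe` returns every note in the table, including another organisation's, while `query_safe` returns nothing because no patient has that literal ID.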
Another thing that can help enhance the APIs is the implementation of proper authentication. There are available mechanisms such as OAuth/OpenID Connect that, together with TLS, can help secure the APIs. It is also highly recommended to introduce two-factor authentication followed by an authorization step.
Because HIE deals with sensitive data, it is also critical to encrypt the data to minimize the possibility of data theft. Some of the data encryption methods include data masking and the use of tokenization.
Finally, use the REST API for better API protection. The REST framework itself implies a set of certain guidelines that enhance security by design. In this way, you will be able to minimize the risk of such threats as DDoS attacks, for example.
Health Information Exchange is a complex process that involves many parties and massive amounts of sensitive data. In order for HIE to be beneficial both for the medical specialists and the patients, it is critical to make the data transmission process efficient and secure so it fully compensates the costs that were invested in the development of an HIE software solution.
Irina Linnik