Maintaining Data Security: Interview with Lee Barrett – Part 1
By Sarianne Gruber
Can you highlight some of the unique aspects of working with Healthcare data? What kind of data security problems do you look into when assessing a vendor for accreditation?
There are several that we focus on as far as unique aspects of healthcare data, as part of the overall accreditation model that we use. We are looking at things like how data is being used from the standpoint of clinical and administrative function. We are looking at the various connection points of the exchange of that data between the various stakeholders. Things like the authentication between the various stakeholders and trading partners are critical. We are looking at the data, and whether it is encrypted, especially for clinical data. Any type of PHR (Personal Health Record) or EMR (Electronic Medical Record) type data, we want to make sure all is encrypted. We’re looking at password length. As part of the accreditation model, we are looking at making sure it is complex enough, and comprehensive enough as far as a password, to assure that the level of strength is high to mitigate some of the risk of a potential breach. We are looking at the frequency of how often it is changed. As part of our model, we require organizations to change passwords every 90 days. We are looking at audit trails as to how organizations are managing and tracking when information or data is accessed, whether it is printed, whether or not it is revised, and whether or not it is viewed. We are looking at what type of audit trails they have in place so that in the event of a breach or incident they have an audit trail of when data was in fact last touched. It’s a lot easier to determine who may have compromised the data. We are also looking at role-based access. We want to make sure organizations maintain a system that determines basically “right to know”. In some cases, individuals may have viewing rights but may not be able to modify data, or individuals who should have no access to a particular record don’t.
Our process is very comprehensive as far as all the unique aspects that we are looking at, as well as the kind of security problems, so that what we are focused on is really the intent to mitigate the risk of a breach or incident. We have four different areas that are core components throughout all of our accreditation programs: security, privacy, confidentiality including some aspects of cybersecurity, and technical performance and operational aspects of the network. We look at best practices and resources that the organization has to support the services and products that they are offering, and make sure that they can support those adequately, including things like customer service and customer support aspects. Those are the areas that we focus on for assessing vendors and the various networks that are a part of the 14 different accreditation programs that we have today.
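The controls described in this answer, role-based "right to know" (view-only versus modify rights, and no access at all) combined with an audit trail that records every view, print or modification so that "who last touched the data" can be answered, are shown here in a small added Python model. This is illustrative code written for this page, not EHNAC's accreditation tooling; the roles, users, record and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role model: a role may view but not modify, or have no right to the record at all.
ROLE_PERMISSIONS = {
    "clinician": {"view", "print", "modify"},
    "billing": {"view"},
    "marketing": set(),
}
@dataclass
class AuditEntry:
    when: datetime
    user: str
    role: str
    record_id: str
    action: str  # "view", "print" or "modify"
    allowed: bool
class RecordStore:
    """EMR records plus an append-only audit trail of every access attempt."""
    def __init__(self, records):
        self._records = dict(records)
        self.audit = []
    def access(self, user, role, record_id, action, new_value=None, when=None):
        when = when or datetime.now(timezone.utc)
        allowed = action in ROLE_PERMISSIONS.get(role, set()) and record_id in self._records
        # Denied attempts are logged too: a trail of successes alone cannot show
        # who tried to reach data they had no right to see.
        self.audit.append(AuditEntry(when, user, role, record_id, action, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {record_id}")
        if action == "modify":
            self._records[record_id] = new_value
        return self._records[record_id]
    def last_touched(self, record_id):
        """Most recent permitted view/print/modify of a record, or None."""
        hits = [e for e in self.audit if e.record_id == record_id and e.allowed]
        return max(hits, key=lambda e: e.when) if hits else None

def demo():
    """Constructed scenario; returns (user who last touched pt-001, users denied)."""
    store = RecordStore({"pt-001": "dx: hypertension"})
    t0 = datetime(2016, 3, 1, tzinfo=timezone.utc)
    store.access("dr_lee", "clinician", "pt-001", "modify", "dx: controlled", when=t0)
    store.access("bill_ann", "billing", "pt-001", "view", when=t0.replace(hour=9))
    for user, role, action in [("bill_ann", "billing", "modify"), ("mkt_bob", "marketing", "view")]:
        try:
            store.access(user, role, "pt-001", action, when=t0.replace(hour=10))
        except PermissionError:
            pass
    return store.last_touched("pt-001").user, [e.user for e in store.audit if not e.allowed]
```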
Does this process also extend into data storage like the cloud?
We do include an accreditation for a private cloud environment. A private cloud environment is one in which somebody is using a cloud but their specific data is on a specific server or platform that we can review. Our accreditation model requires us to do site reviews along with a self-assessment. So if we can’t review a particular environment or data center where data is stored, then we can’t accredit it. As for the public cloud, we have a work group right now that is evaluating if we can develop criteria to leverage, for example, some of FedRAMP. The federal bureaucracy has a process called FedRAMP for cloud-based environments. We are looking at FedRAMP. We are looking at a number of those to see if, in fact, we can also accredit a public cloud, but today we don’t. Today we can accredit private clouds. We take the whole aspect of how data is stored and who has access to it very seriously. We expect that later this year we will have a set of recommendations for the public cloud environment, which takes into account NIST (National Institute of Standards and Technology) requirements, FedRAMP, federal requirements and some others as well.
The mission of the Electronic Healthcare Network Accreditation Commission (EHNAC) is to promote accreditation in the healthcare industry to achieve quality and trust in healthcare information exchange through the adoption and implementation of standards. EHNAC grew out of the 1993 Workgroup for Electronic Data Interchange (WEDI), which was sponsored by the Network Architecture and Accreditation Technical Advisory Group.