HHS announced on Wednesday that Joy Pritts has been named Chief Privacy Officer for the Office of the National Coordinator for Health Information Technology (ONC). Pritts, a lawyer and Georgetown University professor specializing in health law and policy, has focused her research on the privacy of health information, including patient access and consent and the obligations of healthcare organizations to protect the data in medical records. A provision of the HITECH Act (P.L. 111-5 §3001(e)) required the position to be filled by this week, and the timing is fortunate: ONC needs to give healthcare organizations and the other entities addressed by HITECH more explicit guidance on the practices that will let them follow fair information practice principles and meet their legal obligations for personal health information. Recent discussions among the Health IT Policy Committee workgroups considering the new meaningful use rules, measures, and criteria have highlighted the absence of any specific privacy criteria. That leaves healthcare organizations essentially where they were before: required to comply with the HIPAA Privacy Rule and other applicable privacy laws, but under no new or specific obligation to ensure that patient preferences on disclosure, and patient consent for use, are captured, maintained, and honored.
Most of the major information sharing initiatives under development today use integration patterns that assume data will be accessed from the authoritative systems or organizations where it resides, rather than copied to a centralized repository. Both federated and distributed integration models leave data owners in charge of their own data and able to control, through authentication and authorization, what is shared with other organizations and which requests for information receive a response. Without a central operational data store there is also less infrastructure and fewer services to establish, manage, and oversee in support of the exchange. For these and other reasons, high-profile initiatives such as the Nationwide Health Information Network (NHIN) are implementing technical and policy measures to secure exchanges between authenticated participants over the Internet, but those measures are focused entirely on confidentiality (including safeguarding privacy) and data integrity. In an operational vision where care is supported by real-time requests for patient record data that may be stored in many disparate systems, the accuracy and completeness of what a requester receives depends on availability as well: a source that does not answer leaves a gap in the assembled record, and unless the exchange reports the non-response explicitly, the requester cannot tell that gap from a genuine absence of data. Much recent attention in the health IT community has gone to organizational security practices such as risk assessments, which are required under the HIPAA Security Rule and are a measure of “meaningful use” for providers seeking EHR incentives under HITECH, and to the perhaps surprising proportion of covered entities that do not conduct them regularly.
Similarly, as the HIPAA security and privacy requirements strengthened by the HITECH Act took effect this week, many healthcare organizations remain insufficiently prepared to comply with them. A recently released report from IT analyst firm Forrester Research on server availability highlights how commonplace system outages are among healthcare organizations and identifies the resulting lack of reliably high availability as a key vulnerability for the successful use of health IT. It is logical, bordering on obvious, that an integrated system for information exchange and retrieval that reads data from its source is only as reliable as the sources themselves: every source must be available to respond when queried, and the more sources a request depends on, the more often at least one of them will be down. This inherent weakness of a distributed integration model is exacerbated for health information exchange over the NHIN, whose core network infrastructure is the public Internet. Forrester concludes that cost is the primary barrier to higher-availability health IT systems. The meaningful use measures and criteria developed for the EHR incentive program say nothing about EHR system availability in the sense of uptime and accessibility, which is further evidence of how little attention this element of the “CIA triad” at the core of contemporary information security receives.
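The availability point above is easy to state and easy to underestimate, so here is a small worked illustration. It is an added example, not code from the original post, from the NHIN, or from any EHR product; the five source systems, their uptime figures, the replica counts and the patient records are all constructed for the example. It computes the probability that a federated query gets a complete answer (every source must respond), shows how replicating each source changes that figure, and has the aggregator report “source unavailable” separately from “source has no data,” which is the distinction a requesting clinician or system needs in order to judge whether a record is complete.

```python
"""Composite availability of a federated record query (added illustration).

All figures and records below are constructed sample data, not measurements.
"""
from __future__ import annotations

from dataclasses import dataclass

HOURS_PER_YEAR = 8760


@dataclass(frozen=True)
class Source:
    name: str
    uptime: float      # fraction of time one instance of this system answers queries
    replicas: int = 1  # independent instances able to answer the same query


def source_availability(src: Source) -> float:
    """Probability that at least one replica of the source answers.

    Replica failures are assumed independent, which is optimistic for replicas
    that share a data center, a network path or a single Internet uplink.
    """
    return 1.0 - (1.0 - src.uptime) ** src.replicas


def complete_query_availability(sources) -> float:
    """Probability that every source answers, i.e. that a federated query
    which must pull from all of them returns a complete record."""
    p = 1.0
    for src in sources:
        p *= source_availability(src)
    return p


def annual_downtime_hours(availability: float) -> float:
    """Expected hours per year during which the answer would be incomplete."""
    return (1.0 - availability) * HOURS_PER_YEAR


def federated_query(sources, records, down):
    """Fan a record query out to each source and report completeness.

    `records` maps source name -> list of entries (constructed sample data);
    `down` is the set of source names that do not respond.  A source that
    answers with nothing appears under `data` with an empty list, while a
    non-responding source is listed under `unavailable` and `complete` is False,
    so the caller can never mistake an outage for an empty record.
    """
    down = set(down)
    data, unavailable = {}, []
    for src in sources:
        if src.name in down:
            unavailable.append(src.name)
        else:
            data[src.name] = list(records.get(src.name, []))
    return {"data": data, "unavailable": unavailable, "complete": not unavailable}


# Constructed sample topology: five source systems at 99.5% uptime each.
SOURCES = [Source(n, 0.995) for n in ("hospital_ehr", "lab", "pharmacy", "imaging", "clinic")]
REPLICATED = [Source(s.name, s.uptime, replicas=2) for s in SOURCES]
RECORDS = {
    "hospital_ehr": ["discharge summary 2010-01-12"],
    "lab": ["HbA1c 7.1% 2010-02-03"],
    "imaging": ["chest x-ray 2009-11-20"],
    # pharmacy and clinic answer the query but hold nothing for this patient
}

if __name__ == "__main__":
    for label, srcs in (("single instance", SOURCES), ("two replicas", REPLICATED)):
        p = complete_query_availability(srcs)
        print(f"{label}: complete-answer availability {p:.5f}, "
              f"about {annual_downtime_hours(p):.1f} h/yr of incomplete answers")
    print(federated_query(SOURCES, RECORDS, down={"lab"}))
```

Five sources that each look respectable at 99.5% uptime yield a complete answer only about 97.5% of the time, roughly 220 hours a year of incomplete records, whereas a single central repository at the same 99.5% would miss about 44 hours. Doubling each source brings the federated figure back above 99.98%, which is why availability, not just confidentiality and integrity, belongs in the design discussion and why the query layer must surface non-responses rather than silently returning whatever it collected.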
Responses to yesterday’s simulation of a large-scale cyber attack, in which a widespread malware infection was supposed to have shut down cell phone and computer networks and disabled much of the power grid, showed a lack of preparedness to handle such a major incident, as well as potential gaps in policy, legal authority, and technical skills. In the words of former CIA Director Michael Hayden, who helped devise the simulation, “It was clear we don’t have an adequate policy, expectation of privacy, public-private partnerships or understanding of international norms to deal with a massive cyber attack.” More details about the “Cyber Shock Wave” scenario and the participants in this exercise can be found at the website of the Bipartisan Policy Center, which developed and sponsored the simulation. This exercise was notable both for the individuals who participated and for the publicity given to the process, both of which increase the likelihood that the current administration and military officials who actually bear responsibility for handling such an attack will take notice of the results.
As the Department of Defense continues its efforts to improve the security provisions and practices for handling its information, especially sensitive but unclassified data, it is expanding its focus beyond its own networks and Internet-connected environments to security policies and standards for the vendors and other third parties that store or transmit military information. The specific policies and expectations for members of the “Defense Industrial Base,” as these third parties are collectively called, were set out in DoD Instruction 5205.13, issued on January 29. The instruction spells out the activities and areas of policy or procedural guidance the DoD intends to implement and assigns oversight responsibility for each to specific roles in the DoD management hierarchy. The plain intention is to keep adversaries from using the systems or infrastructure of the DoD’s information supply chain to gain access to military information. Its release should put DoD vendors on notice that they may need to create, revise, or expand policies and capabilities to meet DoD’s expectations, and it also suggests that additional guidance will follow in the form of recommended policies, controls, or best practices that vendors and partners can put in place.
Now that the House has passed its Cybersecurity Enhancement Act nearly unanimously earlier this month, some attention has turned to the plethora of similar draft legislation in the Senate and to speculation over which bill is most likely to move forward. The apparent lack of a leader among the bills or their sponsors prompted former administration cybersecurity adviser Melissa Hathaway to comment that the Senate needs to consolidate some or all of the current bills into one it can get behind and act on. Others seem to think it does not matter which bill moves forward as long as one of them does, because the amendment process will give the sponsors and champions of the other bills the opportunity to augment, reshape, or otherwise improve whatever is proposed. These are two different ways of looking at the situation that arrive at the same conclusion: as long as there are multiple competing agendas, even ones aimed at the same sorts of outcomes, there will not be much progress.