Featured July 8, 2014 | healthitsecurity.com | Patrick Ouellette, HealthITSecurity.com
Seeing as how Michigan Health Information Network (MiHIN) considers itself a network of networks and doesn’t really see itself as a traditional health information exchange (HIE), it follows that it would take data security quite seriously.
MiHIN Executive Director Tim Pletcher told HealthITSecurity.com that MiHIN is the single point of entry into the state of Michigan for all the data that goes into the HIEs for meaningful use, as organizations give their data to MiHIN and it gives the data to the state. Pletcher explains in this one-on-one how MiHIN views secure data exchange in the context of having multiple levels of connectivity.
How does MiHIN connect with other HIEs?
The first level is legal connectivity, which poses questions such as who’s connecting, what are they going to do and what are the rules of the road? As it relates to security, MiHIN has a two-tiered approach to legal connectivity. A lot of other HIEs have an organization sign one agreement and from there, the organization is expected to “be good.” We have that at MiHIN and call it a qualified data sharing agreement, which stipulates that an organization that is “in the club” will be [compliant] with the data sharing agreement and a HIPAA business associate agreement (BAA) and that they’ll carry a certain amount of cyber liability insurance. For us at MiHIN, each sharing use case has its own agreement.
This is different than what you see across the rest of the country because we want to build trust in small, incremental units. Everyone who signs a qualified data sharing agreement gets to join what’s called the MiHIN Advisory and Operations Council and within that group, there’s a privacy and security workgroup, which is co-chaired by MiHIN Chief Security Officer Brian Seggie.
How does MiHIN ensure data packets being exchanged are secure?
In terms of data security, you have to “zip it up” with policies and procedures to move it around. But generally speaking, most [security protocols] fall under the NIST 800 framework. Everything in NIST 800 is a security concern from our standpoint. We want an organization to be legally on board before we do much work with you, and the second layer of concern is the basic connectivity. We’ve set up a virtual private network (VPN) with each of those qualified organizations that essentially serves as a secure tunnel.
What other security-related projects is MiHIN working on?
Brian also leads and runs a continual threat monitoring and vulnerability/penetration testing service. He just completed a series of small Medicaid provider assessments because while meaningful use has allowed many organizations to get online and share data, some of the small-resourced Medicaid providers simply haven’t had experience with hackers trying to exploit HIE networks. Our service has been available to Medicaid-eligible providers, where we would do a penetration test of their systems, which we’re finding is extremely valuable. We’re looking for ways to empower and strengthen the weakest link in the ecosystem, and among the targets are our new Medicaid providers.
How do you use the NIST 800 document?
There’s not a lot of ambiguity in NIST 800. The use of encryption is across the board and setting up virtual private networks makes things more secure by having secure tunnels between and among entities.
We’re security-obsessed for obvious reasons and part of the Michigan healthcare cybersecurity council, which is essentially an offshoot of the governor’s cybersecurity task force. The council is focused on implementing cybersecurity best practices.