Securing the Digital World

New Healthcare Legislation: Striking a Balance Between Privacy and Convenience

May 03, 2020 | by Angel Grant, CISSP

On March 9, the U.S. Department of Health and Human Services (HHS) published guidance for the new 21st Century Cures Act. The goal of the Act is to give patients secure access to their health data and to allow open exchange of electronic health information (EHI) through third-party applications.

The initial deadline set by the Office of the National Coordinator for Health IT (ONC) and Centers for Medicare & Medicaid Services (CMS) recently changed due to the enormous IT, security and resource strain the current crisis is having on the healthcare industry.

The disruption has accelerated the need for better healthcare information sharing and interoperability within the current infrastructure. However, this approach will bring new risks and new business resiliency challenges, and organizations will require more federal guidance in the months ahead.

The Cures Act is intended to improve accessibility and interoperability. It gives patients control over their health data, access to their health information and the ability to share that information when they choose. The goal is similar to what is taking place in the banking industry with the introduction of the Payment Services Directive (PSD2) and the open banking API economy in the European Union.

The Cures Act, by contrast, is focused on health and saving lives, not money. If implemented properly, we will see improved interoperability with the many third-party platforms people already use to track their health information. It could also improve the accuracy and speed of healthcare treatment, allowing providers to focus on effectively treating patients instead of trying to connect the dots on medical history during an emergency.

That said, there is a big difference between aggregating financial information and aggregating personal health information. If done incorrectly or accessed maliciously, the consequences are far-reaching: you can cancel your credit cards if they are compromised, but you cannot create a new health profile.

Sharing information creates new points of vulnerability for cybercriminals to target. Today, a batch of highly detailed healthcare data on the Dark Web is priced between $100 – $500, according to the RSA FraudAction team. Compare that to stolen bank account credentials, which range in price from $3 – $24. Health records sell for more because they have a longer shelf life. Privacy and security risks must therefore be considered from the start.

With the introduction of the Cures Act, many third parties will have access to healthcare information that is not currently regulated by the Health Insurance Portability and Accountability Act (HIPAA). This could widen the scope of regulation and blur who is responsible for the data at each stage of transmission.

If consumers are being asked to understand and take responsibility for the intricacies of their healthcare information when they share it with third parties, then clear communication of how, when and where the information is shared, and for what purpose, will be critical.

There are many passionate perspectives on the risks and benefits associated with these new guidelines. Kevin Haynes, Chief Privacy Officer, Nemours Children’s Health System says, "HHS has taken a purposeful, pragmatic approach to standardize access to health information. In my opinion, the new interoperability and patient access rules are an improvement to efficiently share information. As with any new rules there are going to be growing pains, but I haven’t seen anything in the rule (so far) that will keep me up at night. In the end, the patient will be in control of their information. HIPAA and State laws and regulations will still provide the foundation for privacy and security requirements. It will ultimately be up to the health systems to ensure information is being shared responsibly."

Timing is everything. Introducing these new requirements amid a disruption amplifies the need to simplify security, privacy and compliance demands. Developing new organizational policies and risk mitigation practices that keep pace with this change and ensure future business resiliency will be important.

We will all learn a lot from today’s disruption and I hope it will help positively and productively move this important conversation forward.