The Downside of Interoperability

It’s hard to argue that achieving health data interoperability is not important — but it comes with risks. And I’ve seen little discussion of the fact that interoperability may actually increase the chance that a major attack could hit a wide swath of healthcare providers. It might be extreme to suggest that we put off such efforts until we step up the industry’s security status, but the problem shouldn’t be ignored either.

Sure, data interoperability is a critical goal for healthcare providers of all stripes. While there’s room to argue about how it should be accomplished, particularly over whether providers or patients should drive health data management, there’s no question it needs to get done. There’s little doubt that most efforts to coordinate care will fall flat if providers are operating with incomplete information.

And what’s more, with the demand for interoperability baked into MACRA, we pretty much have no choice but to make it happen anyway. To my knowledge, HHS has proposed neither carrot nor stick to convince providers to come on board, nor has it defined “widespread” interoperability, but the agency has to achieve something by 2018, and that means change will come.

That being said, I’m struck by how little industry concern there seems to be about the extent to which interoperability can multiply the possibility of a breach occurring. Unfortunately, security is only as good as the weakest link in the chain, and data sharing lengthens that chain exponentially. Of course, the risk varies a great deal depending on who or what the data-sharing intermediary is, but the fact remains that a connected network is a connected network.

The problem only gets worse if interoperability is achieved by integrating applications. I’m no software engineer, but I’m pretty sure that the more integrated providers’ infrastructure is, the more vulnerabilities they share. To be fair, hospitals theoretically vet their partners, but that defeats the purpose of universal data sharing, doesn’t it?

And even if every provider in the universal data sharing network practices good security hygiene, they can still get attacked. So it isn’t enough to require participants to comply with some network security standard or meet some certification criteria. Given the massive incentives attackers have to steal health data (and lock it up with ransomware), nobody can hold out forever.

The bottom line is that I believe we should discuss the matter of security in a fully-connected health data sharing network more often.

Yes, we almost certainly need to press ahead and simply find a way to contain the risks. We simply can’t afford our fragmented healthcare system, and data interoperability offers perhaps the best possible chance of pulling it back together.

But before we plunge into the fray, it only makes sense to stop and consider all of the risks involved and how they should be addressed. After all, universal interconnection exposes a virtually infinite number of potential points of failure to cybercrooks. Let’s put some solutions on the table before it’s too late.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

4 Comments

  • I agree, but even worse is the propagation of misinformation. EHRs are rife with errors these days, and how do you go and mark a report or note on a patient that is wrong after it’s been sent out to the world? Countless times a day, a progress note, report, lab, etc. is placed in the wrong chart and is eventually marked as an error, but if it already was blasted out to the world, how do we get the error out there?
    Even worse is penalizing physicians for the lack of infrastructure, standards, the actual work of interop. I’m not even sure interop means the same thing to me as everyone else.
    For me, it’s: I can view labs, notes, actual x-rays of a patient without having to memorize multiple logins at various facilities, having to know what exact facility produced the report or lab or x-ray. I want that info RIGHT in my EHR, without fuss or muss. If ONC or CMS means I have to ask the patient what facility they went to for that procedure, then I have to be credentialed and log into that facility’s EHR, then know how to find and look up that info in their EHR, and then somehow incorporate that back into my EHR, my God, forget it. Interop is like porn to me: I know it when I see it. And we are nowhere near it. Further, anyone with an ounce of database programming experience would not have demanded nor expected any database to speak to another without primary keys for patient IDs, meaning a unique ID for every patient that is like a SSN that we all have. Otherwise matching is truly a nightmare and guessing game and will, without a doubt, have huge safety and error issues. And then we are back to, how do we fix the error after we send the wrong info on the wrong patient?

  • The difficulty of achieving this, and the huge security risks, are very real. But so is the need. Imagine the patient admitted to an ER with a complex condition (perhaps in the ER due to the condition, or perhaps something else happened) where properly treating the patient depends on quick access to detailed, accurate records, and where that access cannot depend on vocal, conscious cooperation from the patient. Of course, it is hard enough locally when a patient is actually ‘known’ to that ER and hospital, and where perhaps the EHR could be pointed to the patient’s records at other hospitals or perhaps doctors’ offices. But now imagine that the patient is on vacation 1000 miles away from home.

    There are reasons why this is so urgent, and why the US government is putting so much effort and pressure into this. But perhaps, as I’ve suggested in the past, Health IT could learn from Financial IT. Maybe, as an example, given today’s large medical practices attached to large hospital groups, a patient could be issued an (encrypted) ID card (think today’s EMV chip based bank cards) that not only identified that patient to the practice’s provider when the patient arrives for an appointment, but where that ID could be recognized by other systems and then pointed back to the ‘primary’ provider system – just like a credit card charge points back to the holder’s bank in seconds during a store transaction.

    If the primary EHR vendors all supported such a system the way banks and other credit / debit card issuers do with stores and other places that take card payment, we might have a viable solution for many patients and hospitals. Not perfect, not complete, but a huge step forward.

    Ron
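The two comments above describe the same gap from opposite ends: the first one argues that cross-provider matching without a unique patient key is a guessing game, and Ron’s sketches a card whose opaque ID is routed back to the issuing provider the way a card payment is routed back to the issuing bank. The following is an added example, written for this page and not code from the post, either commenter, or any EHR vendor; it assumes a constructed design in which the card carries an issuer id, a random card id and an HMAC tag computed by the issuer, a directory maps issuer ids to issuer systems, and the receiving system forwards the token rather than ever holding the issuer’s key. The hypothetical names (`PrimaryProvider`, `resolve_record`, `match_by_demographics`) and the sample records are all constructed for illustration.

```python
"""Added example: routing an opaque card token back to its issuer, versus
matching on demographics. All names, keys and records are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class CardToken:
    """What the card presents: an opaque card id plus the issuer's MAC over it.
    Nothing on the card is a name, date of birth or SSN."""
    issuer_id: str
    card_id: str
    tag: str


class PrimaryProvider:
    """The 'issuing bank' in the analogy: holds the record and the MAC key."""

    def __init__(self, issuer_id: str):
        self.issuer_id = issuer_id
        self._key = secrets.token_bytes(32)      # never leaves this system
        self._records: dict[str, dict] = {}       # card_id -> patient record
        self.audit: list[tuple[str, str]] = []   # (requester, card_id) per lookup

    def _tag(self, card_id: str) -> str:
        msg = f"{self.issuer_id}:{card_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_card(self, record: dict) -> CardToken:
        card_id = secrets.token_hex(8)           # random, carries no PHI
        self._records[card_id] = record
        return CardToken(self.issuer_id, card_id, self._tag(card_id))

    def lookup(self, token: CardToken, requester: str):
        """Answer a remote lookup only if we issued the token and it is intact."""
        if token.issuer_id != self.issuer_id:
            return None
        if not hmac.compare_digest(self._tag(token.card_id), token.tag):
            return None                          # forged or garbled token
        self.audit.append((requester, token.card_id))   # who asked, for which card
        return self._records.get(token.card_id)


def resolve_record(token: CardToken, directory: dict, requester: str):
    """The 'card network' step: route the token back to whoever issued it.
    The requesting system never sees the issuer's key; it only forwards."""
    issuer = directory.get(token.issuer_id)
    return None if issuer is None else issuer.lookup(token, requester)


def match_by_demographics(records, name: str, dob: str) -> list:
    """Matching without a unique ID returns every candidate, not one patient."""
    return [r for r in records if r["name"] == name and r["dob"] == dob]


# Constructed sample data: two different patients who share name and DOB.
SAMPLE_RECORDS = [
    {"name": "J. Doe", "dob": "1970-01-01", "allergies": ["penicillin"]},
    {"name": "J. Doe", "dob": "1970-01-01", "allergies": []},
]


def demo():
    home = PrimaryProvider("home-clinic")
    directory = {"home-clinic": home}
    card = home.issue_card(SAMPLE_RECORDS[0])

    # A distant ER resolves the card straight back to the issuing system.
    via_card = resolve_record(card, directory, requester="vacation-er")

    # A token altered in transit resolves to nothing instead of to the wrong chart.
    tampered = CardToken(card.issuer_id, card.card_id, "0" * 64)
    via_tampered = resolve_record(tampered, directory, requester="vacation-er")

    # Demographic matching over the same two records cannot tell them apart.
    candidates = match_by_demographics(SAMPLE_RECORDS, "J. Doe", "1970-01-01")

    return via_card, via_tampered, candidates, home.audit


if __name__ == "__main__":
    rec, bad, cands, audit = demo()
    print("card lookup allergies:", rec["allergies"])
    print("tampered lookup:", bad)
    print("demographic candidates:", len(cands))
    print("audit trail at issuer:", audit)
```

The point of the split between `resolve_record` and `PrimaryProvider.lookup` is where the trust sits: only the issuer can check the tag, so a forged or mangled token fails closed at the issuer and is recorded there, while the receiving ER holds nothing more sensitive than an opaque id. The demographic match, by contrast, returns two charts for the same query, which is exactly the wrong-patient failure the first commenter describes.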

  • Security is an enormous struggle for every organization. Attacks are attempted on a practically nonstop basis. I truly believe that all involved are fully aware of the potential damage that can be caused by successful information breaches, ransomware, and other types of harmful attacks.
    The author presumes the Health IT industry is not concerned: “That being said, I’m struck by how little industry concern there seems to be about the extent to which interoperability can multiply the possibility of a breach occurring.” That couldn’t be further from the truth. Big Health IT companies are easy targets for authors to presume many things. What experience at Epic or Cerner, for example, does this author actually have regarding security surrounding interoperability? I work at one of the big two mentioned. I am tasked with normalizing and standardizing data so that it can be interoperable, and security is a topic DAILY.
    To presume that interoperable security is not a concern is patently false. To raise concern is certainly within the bounds of reason. I appreciate the author’s concern and applaud her for visibly raising the issue, as it is worrisome for everyone and should be forefront on the minds of everyone. To presume we (the entire Healthcare IT industry) are blindly charging forward without regard to everyone involved is insulting.
