The Affordable Care Act (ACA), sometimes referred to as "Obamacare," was signed into law on March 23, 2010, ushering in sweeping healthcare reform across the United States. People are becoming familiar with these changes with the rollout of the health insurance exchanges on Jan. 1, 2014. The role of healthcare data collection and exchange in the rollout of this new program cannot be overstated. In fact, the ACA would not have even been possible without the existence of electronic medical records, which were mandated in the American Recovery and Reinvestment Act (ARRA) of 2009.
Data from electronic medical records will not only determine how a patient is treated, but also how a healthcare provider is paid under the ACA. This reliance on data will ultimately increase the importance and challenge of implementing good information security in healthcare environments.
The legacy problem
ARRA offered incentives initially, with a warning of penalties down the road, to motivate healthcare providers to adopt electronic medical records systems (EMRs). Software vendors sprang up overnight to take advantage of these new government subsidies. Existing healthcare software companies added some polish to existing, older code bases and went to market. The increased focus on data requirements fueled a rapidly expanding healthcare technology marketplace, but information security was largely viewed as an afterthought. As a result, many of the most popular electronic medical records systems are based on legacy technologies and lack even the most basic security capabilities.
The government did foresee the gold rush they were creating and specified that providers would only be reimbursed for "certified" EMRs, which would have all of the required specifications for documenting patient care and would meet existing HIPAA security requirements. The nonprofit group Certification Commission for Health Information Technology (CCHIT) took volunteers from across many different healthcare disciplines and designed a comprehensive certification program for such EMRs. I actually volunteered on the security subcommittee and worked with many skilled information security practitioners on building strong security requirements and audit protocols.
Though the CCHIT certification was thorough, it was deemed too expensive to be practical to certify all of the new EMRs hitting the market. There was a need for multiple certifying bodies and a simplified certification process to reduce costs. The requirements for application audits were eventually replaced with simple attestations. Now, the EMR vendor only has to state that it is compliant with a HIPAA specification, but doesn't need to demonstrate that compliance in an audit.
The impact of ACOs
One of the longstanding criticisms of the existing healthcare system, and therefore a focus of the ACA legislation, was the "fee for service" model used by all healthcare providers, under which the provider is simply paid for each service rendered to the patient. This model is used in almost every other financial transaction, but tends to impact healthcare negatively. For instance, it doesn't actually mean that the patient is any healthier after the service is provided, and it rewards providers for performing unnecessary procedures. The designers of the ACA needed to devise a new way to incentivize providers to manage the health of a patient, while limiting redundant or unnecessary tests and procedures.
The ACA defines this new model of patient care and reimbursement as an Accountable Care Organization (ACO), which is essentially a grouping of doctors and healthcare providers intent on providing coverage to a swath of patients. ACOs are meant to incentivize healthcare providers by offering "risk-based" contracts for reimbursement. These contracts reward providers for healthier patients, and conversely penalize providers for unhealthy patients who still require more treatment. The risk for member organizations is that the penalties apply across the entire ACO, even if a specific provider never sees the patient.
The complex ACO framework is heavily based on data pertaining to the quality of care and patient outcomes, all of which is stored in the electronic medical records systems implemented under ARRA. ACOs must find ways to report these quality and outcome scores across the entire organization, which will likely require the combination of data from multiple EMRs. Such measures will be particularly problematic for the small physician practices in an ACO to implement, as such organizations largely do not have the technology expertise to accomplish this goal in a secure fashion and thus must find contracted help.
Unfortunately, the contractor's focus will likely be to get these systems implemented as quickly as possible in order to win more of these new ACO contracts, and not to build secure data exchanges. The creation of these Internet-based, real-time interfaces between EMRs, which lack even basic security capabilities, is dramatically increasing the risk of data breaches.
For those ACOs concerned with the security of these implementations, the priority should be to audit and secure existing EMR systems before creating links between them. Vulnerabilities are most likely to show up via weak authentication measures, lack of encryption for data at rest, inconsistent software patching and even the presence of unnecessarily elevated privileges. There will also be pre-existing remote connections to these EMRs that need to be considered. ACOs that take all of this into account before establishing the secure data exchange will have dramatically reduced their risks.
The role of information security in healthcare has taken on even more importance because of the Affordable Care Act. Rapidly deployed electronic medical records systems may lack basic security controls, meaning information security professionals are needed to audit these systems and remediate the resulting vulnerabilities effectively. Electronic exchanges of healthcare data that are required by ACOs must be designed and configured with a priority on information security. The ACA was written with such a focus on healthcare data, and it is safe to say that it can't functionally exist without good information security practices. I won't be surprised if some ACOs learn this lesson the hard way over the next several years.
About the author:
Joseph Granneman is SearchSecurity.com's resident expert on information security management. He has more than 20 years of technology experience, primarily focused in healthcare information technology. He is an active independent author and presenter in the healthcare information technology and information security fields. He is frequently consulted by the media and interviewed about various healthcare information technology and security topics. He has focused on compliance and information security in cloud environments for the past decade, with many different implementations in the medical and financial services industries.