Blog: Executive Viewpoint
Industry News

Security of healthcare IT systems is universally recognized as critical. In many ways, the security employed in this industry mirrors standard security provided to other industries, and many solutions are available in the market for handling various aspects of security. The key consideration for healthcare IT security in the current climate is the focus on interoperability and sharing information. The posture of sharing as a first principle, rather than leading with prevention of access, figures into technical architecture design, such as fail-safe vs. fail-open decisions. A myriad of approaches are available to handle various security concerns, such as identity proofing, certificate management, access control, auditing, authentication, integrity, etc. Given the heavy emphasis on system integration, care must be taken to ensure that security architectures are compatible across the entire network for widespread data sharing to become possible.

When evaluating a healthcare IT solution, you need to consider several litmus indicators before concluding that your security infrastructure supports your broader healthcare workflow and goals, as well as protects data and technical assets. The following table lists some of these important considerations.


Litmus Indicator: Description

Message-Level Security: The vision for healthcare IT interoperability tends to be on a broad scale, hence Federal projects like the Nationwide Healthcare Information Network. This has led many to move toward a data transport approach that uses the public internet as a medium, and favors message-level security techniques (e.g. certificates, credential exchanges, etc.) for federated security management. This is different from many business-to-business security architectures, which tend to rely on virtual private networks or private network connections that do not scale as well.

Workflow Compatibility: Some security policies require actions by users that are sometimes difficult to gain widespread acceptance for (user digital certificates, frequent password changes, one-time password tokens, etc.). You must evaluate the workflow impact of any security decision.

HIPAA Security Rule and NIST Security Guidelines: Federal guidelines for security controls are popular to cite as standards for implementation. In particular, the HIPAA Security Rule should be an automatic guideline that your vendor or contractor can demonstrate compliance with. NIST is becoming an increasingly important entity in healthcare IT, so specific attention is warranted to determine an IT solution’s characterization under its published guidelines.

Delegated Administration: Many networks for healthcare information exchange are envisioned to be federated with so-called “chains of trust” that allow local administration and security management to be delegated and performed locally instead of centrally. Operational requirements and local security policies should be compared to the larger security paradigm of the selected healthcare IT solution.
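The Message-Level Security and Delegated Administration indicators above describe one architecture: each message carries its own proof of origin and integrity, and trust is delegated from a federation root down to local administrators. The program below is an added illustration of that architecture and is not code from the original post or from GSI Health. It uses only the Go standard library and constructed names: a hypothetical "Federation Root CA" delegates to "Hospital A Local CA", which issues a certificate to "Hospital A EHR System". A message signed by that system carries its certificate plus the local CA certificate, so a receiver that trusts only the federation root can verify it over an untrusted transport, reject a copy altered in transit, and reject a sender with no path to the root. Ed25519 is used for brevity and is not a statement about which algorithms any healthcare exchange actually mandates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts example setup on an unexpected error (setup helper only).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates an Ed25519 key pair and a certificate for subject, signed by
// parent (self-signed when parent is nil). KeyUsageCertSign makes it a CA.
func issue(subject string, usage x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: subject},      // hypothetical name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  usage&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true,
		KeyUsage:              usage,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// SignedMessage is what crosses the public internet: payload, signature, the sender's
// certificate and the local CA certificate(s) that chain it to a federation root.
type SignedMessage struct {
	Payload   []byte
	Signature []byte
	Sender    *x509.Certificate
	Issuers   []*x509.Certificate
}

// Sign attaches a message-level Ed25519 signature over payload, the sender's
// certificate, and the intermediates a receiver needs to build the chain.
func Sign(payload []byte, sender *x509.Certificate, key ed25519.PrivateKey, issuers []*x509.Certificate) *SignedMessage {
	return &SignedMessage{Payload: payload, Signature: ed25519.Sign(key, payload), Sender: sender, Issuers: issuers}
}

// Verify accepts a message only if the sender chains, via the carried
// intermediates, to a root the receiver trusts and the signature matches.
func Verify(msg *SignedMessage, roots *x509.CertPool) error {
	inter := x509.NewCertPool()
	for _, c := range msg.Issuers {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := msg.Sender.Verify(opts); err != nil {
		return fmt.Errorf("sender not trusted by the federation: %w", err)
	}
	if err := msg.Sender.CheckSignature(x509.PureEd25519, msg.Payload, msg.Signature); err != nil {
		return fmt.Errorf("payload altered or signature invalid: %w", err)
	}
	return nil
}

// Demo builds a hypothetical two-level federation (root CA -> hospital CA -> hospital system)
// and reports: genuine message verifies, tampered copy rejected, outside sender rejected.
func Demo() (genuineOK, tamperedRejected, outsiderRejected bool) {
	root, rootKey := issue("Federation Root CA", x509.KeyUsageCertSign, nil, nil)
	local, localKey := issue("Hospital A Local CA", x509.KeyUsageCertSign, root, rootKey)
	ehr, ehrKey := issue("Hospital A EHR System", x509.KeyUsageDigitalSignature, local, localKey)
	roots := x509.NewCertPool()
	roots.AddCert(root) // the receiver trusts only the federation root, not Hospital A's CA directly
	payload := []byte(`{"mrn":"000000","summary":"constructed sample"}`) // constructed data
	msg := Sign(payload, ehr, ehrKey, []*x509.Certificate{local})
	genuineOK = Verify(msg, roots) == nil
	tampered := *msg // original signature and chain, altered payload
	tampered.Payload = []byte(`{"mrn":"000000","summary":"ALTERED IN TRANSIT"}`)
	tamperedRejected = Verify(&tampered, roots) != nil
	outsider, outsiderKey := issue("Outside System", x509.KeyUsageDigitalSignature, nil, nil) // self-signed, no path to the root
	outsiderRejected = Verify(Sign(payload, outsider, outsiderKey, nil), roots) != nil
	return
}

func main() {
	ok, tamp, out := Demo()
	fmt.Println("genuine verifies:", ok, "| tampered rejected:", tamp, "| outsider rejected:", out)
}
```

The point to take from the example is where trust lives: the receiver's configuration holds a single federation root, Hospital A administers its own CA and systems without any central action, and nothing about the network path (VPN or public internet) is consulted during verification. In a real deployment the same structure needs what the demo omits: revocation checking, validity periods and serial numbers managed by the CA rather than derived from the clock, and a policy for which local CAs the root will sign.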


GSI Health Can Help You!

GSI Health has extensive experience in testing healthcare IT systems, and focuses on data-driven testing for understandable and thorough test batteries. Our consultants can assist you in navigating the issues discussed in this paper, and provide the professional IV&V services you need to properly test your healthcare IT applications and architecture. Our testing methods account for adherence to national standards, and are extensible to accommodate local requirements. To learn more about how GSI Health can help make you successful in deploying a strong quality assurance program as a part of your healthcare IT project, please contact us by phone at 1-888-206-4237 or email HITvision@gsihealth.com.