Healthcare Information Technology

NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has issued draft mobile device security guidance to help organizations improve the security of corporately-owned personally-enabled (COPE) mobile devices and reduce the risk the devices pose to network security.

Mobile devices are now essential in modern business. They provide easy access to resources and data and allow employees to work more efficiently. Mobile devices are increasingly being used to perform everyday enterprise tasks, which means they are used to access, view, and transmit sensitive data.

The devices introduce new threats to the enterprise that do not exist for traditional IT devices such as desktop computers and mobile devices are subject to different types of attacks. A different approach is therefore required to ensure mobile devices are secured and risks are effectively managed.

Mobile devices are typically always on and always connected to the Internet and they are often used to access corporate networks remotely via untrusted networks. Malicious apps can be installed on devices that may be granted access to data. The devices are also small and portable, which increases the risk of loss or theft.

The new guidance – SP 1800-21 – explains the unique risks introduced by mobile devices and how those risks can be reduced to a low and acceptable through the use of privacy protections. By adopting a standards-based approach to mobile device security, and through the use of commercially available technology, organizations can address the privacy and security risks associated with mobile devices and greatly improve their security posture.

NCCoE created a reference architecture to illustrate how a variety of mobile security technologies can be integrated into an enterprise network along with recommended protections to implement to reduce the risk of the installation of malicious applications and personal and business data loss. The guidance also explains how to mitigate breaches when devices are compromised, lost, or stolen.

The guidance contains a series of How-to-Guides that contain step by step instructions for setup and configuration to allow security staff to quickly implement and test the new architecture in their own test environments.

NIST also included advice on reducing the cost of issuing COPE mobile devices through enterprise visibility models and suggests ways that system administrators can increase visibility into security incidents and set up automated alerts and notifications in the event that a device is compromised.

NIST is seeking comments on the new draft guidance until September 23, 2019.

The draft mobile device security guidance for COPE devices can be downloaded from NIST on this link.

The post NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices appeared first on HIPAA Journal.

How to Choose the Right Healthcare Cloud Provider

Healthcare organizations are more frequently turning to a HIPAA compliant cloud vendor or Managed Service Provider to ensure electronic patient records are secured within a robustly secure and compliant IT infrastructure. Extensive data privacy legislation was enacted in 1996 with the Health Insurance Portability and Accountability Act (HIPAA). This legally binding compliance initiative is designed to ultimately protect the patient, but this kind of legislation can often make choosing the right cloud vendor a seemingly impossible task.

Cloud Security

Certifications and Security Standards – Secure cloud vendors with HIPAA compliant hosting are one of the most important factors for healthcare organizations when making the decision to join the cloud revolution. HIPAA compliance ensures healthcare professionals that the cloud vendor provides enhanced technical solutions in-line with the administrative, physical and technical safeguards demanded by federal legislation.

These safeguards command the cloud vendor to comply with numerous regulations including:

  • Data Security – there are strict guidelines on how data is stored, transferred and removed, ensuring that data is always encrypted and always protected
  • System Security – client servers and segregated networking systems must be protected to HIPAA best practice agreements to ensure that they are only accessible by approved users
  • Structural Security – cloud data centers must be built from the ground up with stringent security protocols in place to protect the physical building and the electronic systems containing patient data
  • Maintenance – the vendor must ensure the infrastructure is always up-to-date and properly maintained, including antivirus and operating system patching

Other critical certifications to look out for include HITECH compliance and SSAE18 (SOC1 and SOC2). These standards ensure that the internal audit controls, security policies, data processing, and client confidentiality adheres to the highest standards available for a cloud vendor.

Data Governance and Compliance – There are several other critical governance and compliance processes which your shortlisted cloud vendors should adhere to:

  • Auditable – is the cloud vendor’s infrastructure auditable? Can the vendor provide an auditors risk assessment report? These audits validate the cloud vendor’s compliance and offer the client greater insight into the vendor’s capabilities
  • Business Continuity – Can the cloud vendor offer secure offsite backups and data protection technology (such as disaster recovery failover) for the hosted IT infrastructure
  • Business Associate Agreement – Healthcare compliance demands the cloud vendor must sign a Business Associate Agreement which clearly defines the rules and responsibilities of each party entering the agreement
  • Data location – It is important to know where all your data is located. Most healthcare data must stay within the United States. You need to understand the cloud provider’s data services locations. This is essential for backups and DR

Accountability and Compliance

When entering a BAA with a cloud vendor, the vendor is essentially guaranteeing you a level of service and compliance for your organization. The roles and responsibilities of the cloud vendor should be clearly defined, as well as your responsibilities as a client. The aim is to create a status quo of an agreement which is mutually beneficial to all involved.

Other areas of accountability to consider are:

  • Service Level Agreements – This is a service agreement the vendor must adhere to or risk an (often financial) penalty. Things such as Service Uptime, agreed RPO (Recovery Point Objective) and RTO (Recovery Time Objective)
  • Managed Service – The cloud vendor will need to provide a level of service management agreed in the BAA. This usually includes providing and upgrading the technology solution, keeping and maintaining procedures and processes of your technical solution. It may also include offering technical support, monitoring, and pre/post-sales support.

Technology and Services

It is important to develop an understanding of what the cloud vendor can do for your healthcare business. Does the cloud vendor offer you the services and technology that your organization can utilize? 

Healthcare is a very specific business market, it is worthwhile choosing a knowledgeable vendor with vast experience providing similar services to other healthcare professionals, using tried and tested methods of proven solutions, they must also have the ability to be forward-thinking and constantly evolving within the Healthcare marketplace, offering digital transformation services to enhance your business.

This can be done by assessing the technology and services on offer from the provider, most healthcare organizations opt for Infrastructure as a Service (IAAS) or Platform As A Service (PAAS). But, your cloud vendor can offer more services such as:

  • Managed backup service –  Compliance safeguards require a backup solution with guaranteed data protection. It is often best to leverage an existing HIPAA compliant backup service that may be offered by your cloud vendor
  • Managed Disaster Recovery solution – the ability to evoke DR services to fail over production infrastructure to a geographically disparate location are a fundamental part of healthcare compliance. Some cloud vendors can manage this in its entirety for you, failover sequence, boot sequence and testing, as well as implementing regular DR tests
  • 24x7x365 Operational Support – To ensure the manageability of your new cloud infrastructure you may at times need support directly from your cloud vendor. Having around-the-clock support can be highly advantageous
  • Managed network services – Firewalls and associated technology can be difficult to manage for many organizations. If your cloud provider offers HIPAA compliant network infrastructure you can be ensured that you will receive a durable and reliable computer network 
  • Migration Services to the cloud – Most healthcare organizations will already have a significant IT footprint, it’s important to ask what your cloud vendor can do to fast-track the migration to the cloud and also what their exit strategy is should you happen to change vendor in the future
  • Data Monitoring – Data and trend monitoring not only protects against data misuse but also offers enhanced security and system protection to healthcare clients
  • Intrusion Detection – This can be a physical or technical safeguard to protect the underlying computer hardware which provides your cloud service. If your cloud vendor offers this capability, then you can be assured your digital assets are protected to a high standard
  • Multi-factor authentication (MFA) – cloud vendors are extremely flexible with how clients access data, however, protecting this data is also important. MFA provides multiple levels of protection to sensitive data, typically by phone authorization, pin code or even fingerprint and biometric scanning
  • Encryption – Data must be encrypted at rest and in transit to AES 256bit standard

Everything Else

We have highlighted what we believe are the key elements to consider when choosing a cloud vendor. There are also many other factors which play a role in who you decide to utilize for cloud hosting.

  • Reliability – Consider the uptime guarantees of the vendor, consider the hardware and software partnerships they have in place as well as maintenance contracts
  • Performance – The cloud offering must also perform well despite all the security safeguards put in place

Scalability – Can the cloud provider grow with your business if your organization’s growth should exponentially propagate?

The post How to Choose the Right Healthcare Cloud Provider appeared first on HIPAA Journal.

Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches

Cybercriminals are managing to find and exploit vulnerabilities to gain access to healthcare networks and patient data with increasing regularity. The past two months have been the worst and second worst ever months for healthcare data breaches in terms of the number of breaches reported.

Phishing attacks on healthcare organizations have increased and email is now the most common location of breached protected health information. However, a recent analysis of the data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the past 12 months has revealed servers to be the biggest risk. Servers were found to be involved in more than half of all healthcare data breaches.

Clearwater Cyberintelligence Institute (CCI) analyzed the 90 healthcare data breaches reported to OCR in the past 12 months. Those breaches resulted in the exposure, impermissible disclosure, or theft of the records of more than 9 million individuals.

The CCI analysis revealed 54% of all reported breaches of 500 or more healthcare records were in some way related to servers.

Servers house essential programs that are used across the healthcare organization. As a central repository of programs and data, they are an attractive target for hackers. Once access has been gained, data can be viewed, copied, altered, or deleted, systems can be sabotaged, and healthcare organizations can be subjected to extortion using ransomware.

CCI performed a risk analysis to determine high and critical risks facing health systems and hospitals. CCI determined 63% of all identified risks were related to the failure to adequately address vulnerabilities in servers.

The high number of server-related data breaches clearly shows that those flaws are being exploited by hackers to gain access to healthcare networks.

According to CCI, one of the most common server vulnerabilities is the failure to keep on top of user account management. When employees leave the company their accounts must be deleted. Dormant accounts are a major risk and are often used by malicious actors to access systems and mask their activities. CCI notes the risk increases with the number of accounts that are left dormant. The longer those accounts are left open, the greater the likelihood that at least one will be used for illicit or malicious purposes.

To address this risk, security controls should be implemented that automatically disable or delete accounts when the HR department changes the status of an employee. If that is not possible, CCI recommends conducting frequent, periodic reviews to ensure all unused accounts are disabled.

In an ideal world, an account would be disabled instantly. In practice, CCI recommends having the systems, policies, and procedures in place to ensure no account remains open for more than 48 hours after it is no longer required.

Reviews of system activity logs should also be conducted to determine whether dormant accounts have been used inappropriately or if any actively used accounts have been compromised or are being misused.

Excessive permissions on user accounts is another serious server vulnerability. Excessive permissions can result in accidental or deliberate access, alteration, or deletion of data. The failure to restrict access rights is also a violation of the HIPAA principle of least privilege.

CCI reports that the risk of excessive user permissions is highest in organizations that do not regularly review user permissions (43.6%), perform user activity reviews (43.6%), or when there is a lack of proper user account management (43.1%).

Regular reviews of user activity will help healthcare organizations to quickly identify anomalies in user data that could be indicative of account misuse or a cyberattack. The frequency of those reviews should be dictated by several factors, including staff turnover and the number of users. CCI suggests user permission and user activity log reviews at least every quarter for an organization with 100 or more users.

The post Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches appeared first on HIPAA Journal.

ONC Report Reveals Trends in Access and Viewing of Medical Records Online

Most hospitals and physicians have now adopted electronic medical records, yet only half of patients have been offered access to their medical records online, according to a new report from the HHS’ Office of the National Coordinator for Health Information Technology (ONC).

Two of the aims of the 21st Century Cures Act were to make it easier for patents to access their health information and to improve education of patients about their rights to access their health data. The ONC conducted its Health Information Trends Survey (HINTS) to determine whether patients are being offered access to their medical records online and whether they have exercised that right and have viewed medical records that have been made available.

In 2018, there was no change in the number of patients being offered access to their medical records online. As was the case in 2017, 51% of patients were given that opportunity. However, the number of patients using that access to view or download their medical records increased. 30% of patients who were given the option had viewed their records at least once, compared to 27% in 2017.

Individuals who visited their doctor at least once in the past 12 months were twice as likely to be offered access to their medical records online than those who did not. They were also more than 50% more likely to exercise that right and access their medical records than patients who had not visited their doctor in the past 12 months.

Out of the patients who did view their medical records online, 29% viewed records 1 or 2 times, 19% viewed their records between 3 and 5 times, and 11% accessed their records 6 or more times. The number of patients who downloaded their medical records was a third higher than in 2017.

Individuals with chronic conditions were more likely to be offered access to their medical records online, as were individuals with at least a college degree, and individuals with a family income of $75,000 or higher.

When asked about the reasons why they chose not to view their medical records online, the findings were largely similar to 2017. The main reason was patients preferred to speak to their healthcare provider directly (73%) and patients did not have a need to view their medical records (65%).

There were two significant changes. There was a decrease in the number of individuals who said they did not access their records out of privacy and security concerns, falling from 25% in 2017 to 14% in 2018. There was also a fall from 20% to 10% in individuals who said they did not have a way of accessing the Internet.

Americans do appear to be taking a greater interest in their health. There has been an increase in the number of individuals using health and wellness apps. 49% of respondents said they used such an app on a smartphone or tablet and one third of individuals said they use an electronic monitoring device such as a Fitbit-type device, blood pressure monitoring device, or blood glucose monitor.

75% of individuals who use an app do so to track progress toward a health-related goal. 48% use the apps to make decisions about illnesses or health conditions, and 45% use the apps to discuss their health with their providers.  The number of individuals who shared health information with a healthcare professional electronically via their smartphone or tablet increased from 26% to 28%.

“Making it easier for individuals to use apps to access, view, and subsequently share their online medical record data may enable individuals to better manage their health and address gaps in interoperability,” explained ONC. ONC’s interoperability Rule, published in February, will make it even easier for patients to access and use their health data through the use of APIs.

The post ONC Report Reveals Trends in Access and Viewing of Medical Records Online appeared first on HIPAA Journal.

AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan

The American Academy of Neurology (AAN) has voiced concerns about the interoperability plans of the Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC).

In February, both ONC and CMS proposed new rules that aim to reduce information blocking and improve interoperability. The AAN supports ONC and CMS efforts to reduce information blocking and improve interoperability. Data blocking and interoperability problems force clinicians to spend more time on clerical work, which means less time is spent providing direct care to patients.

The AAN believes many of the provisions in the new rules are necessary for empowering patients and providers by providing comprehensive access to patient data; however, in a recent letter to CMS Administrator Seema Verma, the AAN has expressed concern about patient safety and security if the ONC and CMS interoperability plans are implemented.

The AAN supports efforts to advance the use of standardized Fast Healthcare Interoperability Resources (FHIR) based APIs to allow patients to easily gain access to their health data, including claims information, lab test results, medications, and clinical notes. Easy access to that information will help with care coordination and will improve patients’ understanding of their conditions and treatments. However, there are potential problems.

“Consistent policies are needed across the board to incentivize and facilitate the exchange of data across systems,” wrote AAN President Ralph L. Sacco. “Many EHRs do not support the robust use of application program interfaces (APIs) for data exchange or are hindered by APIs that are implemented in proprietary ways that inhibit data exchange.” The AAN has also voiced concerns about privacy and security.

While the AAN understands that once PHI has been shared through an API it is no longer the responsibility of the provider to protect that information, but the AAN believes a security framework is required for third-party applications to prevent unauthorized disclosures once PHI has been transmitted by providers.

There is currently no federal regulatory framework to address unauthorized disclosures of PHI onside of enforcement by the FTC. Without a regulatory framework, a burden is placed on providers to ensure that they inform patients of the potential risks, when it should be the responsibility of app developers to ensure that all necessary precautions are taken to ensure PHI is protected. The AAN is seeking clarification on the responsibilities of third-party applications to ensure patient information is protected.

Unauthorized disclosures after PHI has been transferred do not constitute HIPAA violations, but they do have potential to negatively impact a provider’s reputation. Further, explaining the risks to patients may result in patients declining to share their information, which would work counter to CMS’s goal of promoting exchange of data and could detrimentally impact providers’ relationships with their patients.

“Given the sensitive nature of PHI and the paramount importance of trust between patients and providers, the AAN implores CMS and the FTC to ensure that there are clear security guidelines for third-party APIs and that there is robust enforcement to ensure that third-party applications are responsible stewards of patient data,” wrote Sacco.

Concern has also been raised about the sharing of certain types of particularly sensitive information, such as high-risk genetic testing data. If a patient has a genetic test that indicates there is a high probability that the patient will develop an incurable degenerative disease such as Huntington’s disease, prior to that information being shared with patients and their families it is necessary to make sure appropriate counselling is provided. The AAN suggests that that type of information should not be shared through APIs.

The AAN also believes the proposed six-month implementation time scale for many of the proposed changes is much too short. Complying with the new requirements in such a short time frame will place a significant burden on providers. More time has been requested for implementing the proposed system-wide changes.

The College of Healthcare Information Management Executives (CHIME) is also urging the CMS and ONC to extend the timescale for complying with the proposed changes and has suggested an interim rule is required and the time frame for complying should be extended from six months to three years.

The post AAN Suggests Third Party App Security Framework Must be Included in the CMS Interoperability Plan appeared first on HIPAA Journal.

CMS and ONC Tell Senate HELP Committee Rapid Progress is Required to Advance Interoperability

The second Senate HELP Committee hearing on the proposed roles for implementing the electronic medical records provisions of the 21st Century Cures Act has taken place this week.

The Committee heard from National Coordinator for Health IT, Donald Rucker, and Director and Center for Medicare And Medicaid Services Chief Medical Officer, Kate Goodrich, M.D.

The hearings aim to find a way forward to ensure the efficient accessing and sharing of health information between care providers and patients.

The prevention of information blocking is one of the main goals. By allowing health information to flow freely between providers and be shared with patients, the cost of healthcare can be significantly reduced. According to Dr. Brett James of the National Academies, as much as 50% of the costs of healthcare are unnecessary. Patients are having to repeat tests because their information cannot be shared between different healthcare providers and there is considerable duplication of administrative tasks as a result of information blocking.

Earlier this year both the CMS and ONC proposed new rules to tackle the issue of information blocking, EHR usability, and patient empowerment. Goodrich explained that consumers need to put in the driving seat and be empowered to make decisions about their own healthcare. For that to happen, patients need easy access to their healthcare data. They can then pass that information on to whoever they wish.

The CMS and ONC’s proposed rules believe this goal can be largely achieved through the use of open APIs. APIs have been used in other industry sectors and have “transformed business after business after business,” according to Rucker.

Standards-based API technology should improve the sharing of healthcare data, although Rucker cautioned that for them to work, healthcare business practices that enable information blocking must be dismantled. Rucker suggests that rules preventing information blocking need to be implemented as soon as possible.

While progress needs to be made quickly, Committee Chair Sen. Lamar Alexander, R-Tennessee warned of moving too quickly and encountering similar problems to hose with Meaningful Use. “My major concern is to remind the administration of the advice that my piano teacher used to give me before a recital… Play it a little slower than you can play it, you’re less likely to make a mistake.”

Progress is being made. The CMS has already launched two initiatives (MyHealthEData and Blue Button 2.0) which will require Medicaid fee-for-service, managed care plans, Medicare Advantage Plans and others on the Federal Exchange to maintain secure APIs that allow individuals enrolled in those plans to easily access their own health information. It is hoped that developers will follow suit and build on the work that CMS/ONC has already done in this area.

While everyone wants the goals to be achieved, there is concern that the use of APIs could introduce privacy and security risks. These concerns were shared by Rucker and Goodrich, especially with respect to disclosures of health data to apps.

While apps will undoubtedly be required to receive health data and allow patients to share their health information with others, there are serious concerns as health apps are not well regulated. While there are some FTC regulations covering health apps, they are not covered by HIPAA requirements and are unlikely to be in the future.

If information is disclosed to the apps, patient privacy could be placed in jeopardy. Patients’ health data could be used by app developers and sold on to companies such as Facebook. Patients may not be aware of the implications of what could happen if their health data is disclosed to an app.

After disclosure to an app, healthcare organizations will not be liable for that data – as confirmed by the Office for Civil Rights recently – but patients could be exploited. What happens to data after it has been disclosed to an app is down to a contractual agreement between the patient and the app developer.

The reality is the uses and disclosures of patient data are likely to be hidden in a long list of T&Cs in app privacy policies, which may not be read or understood by patients. There are also few controls over what can be done with that information and how that information is secured.

“How data is secured and used in third-party apps illustrates a pressing issue that is currently part of a national discussion that extends beyond healthcare and into data privacy, stewardship, and regulatory interventions,” said Rucker. At present, patients need to “balance their selection and use of a health app with the potential risk of having negative implications.”

What is clear is there needs to be greater regulation of health apps, especially in light of recent reports about health information being shared with Facebook without user consent.

The post CMS and ONC Tell Senate HELP Committee Rapid Progress is Required to Advance Interoperability appeared first on HIPAA Journal.

NIST Issues RFI Seeking Comments to Inform the Development of AI Standards and Tools

The National institute of Standards and Technology (NIST) has issued a request for information (RFI) seeking feedback from industry stakeholders to inform the development of new standards and tools to support systems that use artificial intelligence (AI) technologies.

February’s Executive Order on Maintaining American Leadership in Artificial Intelligence requires NIST to create a plan for developing technical standards and tools to support the creation of reliable, robust and trustworthy AI-based systems, along with tools that will are necessary or helpful in reducing barriers to the safe testing and deployment of AI-based systems.

NIST is seeking comments from stakeholders to improve its understanding of the current uses of AI, the opportunities offered by AI-based systems, and the challenges currently faced.  NIST hopes stakeholder comments will help to determine current priority areas.

The RFI has three main areas of focus:

  • The status of and plans for AI technical standards and related tools development
  • Defining and achieving U.S. leadership in AI standards
  • Prioritizing federal government engagement in AI standardization

NIST seeks information on current standards and tools along with the names of the organizations addressing the need for standards and whether they have addressed sector-specific needs or if they can be applied more broadly.

NIST is also keen to find out where U.S. companies are leading the development of standards and how federal agencies can help to meet the needs of developing standards and AI tools.

Standards-related tools can include, but are not limited to, testing tools (covering conformance, performance, interoperability, and stress testing), reference data and data sets, use cases, training programs, and reference implementations

“Sound technical standards, performance metrics and tools are needed to foster public trust and confidence in AI technologies, enabling the market adoption of the next wave of innovations that will contribute to the economic and national security of the United States,” explained NIST Director Walter G. Copan.

Comments are being sought from the private sector, academic institutions, federal agencies, nongovernmental organizations, and other stakeholders with expertise in AI and related standards to inform development of the plan.

NIST is required to develop its plan within 180 days of the executive order and will be accepting public comments up until May 31, 2019. NIST will also be hosting a workshop on May 30 at its Gaithersburg, Maryland, campus to promote further discussions in support of its plan for engagement in AI technical standards.

Further information on the RFI and the specific areas where feedback required are available here.

The post NIST Issues RFI Seeking Comments to Inform the Development of AI Standards and Tools appeared first on HIPAA Journal.

MD Anderson Cancer Center Fires Three Scientists Over Concerns About Theft of Research Data

MD Anderson Cancer Center, the world’s leading cancer research center, has recently fired three scientists with strong links to China over espionage fears after being alerted by the National institutes of Health (NiH) to irregularities involving grant recipients.

NiH, the largest public funder of biomedical research in the United States, had been instructed by federal officials to investigate certain professors who were believed to be in violation of granting agency policies.

NiH, assisted by the FBI, discovered potential conflicts of interest and unreported foreign income by five members of MD Anderson staff. NiH sent emails to MD Anderson in 2018 and demanded a response within 30 days.

The failure to take action could potentially result in NiH withholding essential funding. MD Anderson received $148 million in NiH grants in 2018.

In response to the accusations, MD Anderson conducted an investigation and initiated termination procedures for three professors, two of whom resigned from their posts before proceedings started. The fourth professor was investigated but termination was not deemed to be warranted. The investigation into the fifth professor is ongoing. Three of the professors concerned are ethnically Chinese and all are of Asian origin.

The firings were in relation to possible diversion of intellectual property, failure to disclose substantial resources from other institutions, and the sharing of confidential information on grant applications.

“We have an obligation to do all we can to protect our intellectual property and all state and federal resources entrusted to us,” said MD Anderson President Peter Pisters, MD. “We must be vigilant in protecting the outstanding work of our faculty and ensuring our continued ability to conduct world-class research in our pursuit to end cancer.”

According to the Houston Chronicle, which reported on the terminations, NiH has sent similar emails to dozens of other organizations voicing concerns about certain individuals who may have been recruited by foreign governments to steal proprietary research information. It is likely that these three actions will be the first of many over the coming weeks.

Concern has been growing recently about scientific research conducted in the United States being stolen by China and other foreign governments. The information is used to run ‘shadow laboratories’ overseas to benefit those countries.

The FBI has reported that up to $600 billion is being lost each year to intellectual property theft. FBI Director Christopher Wray said China is the biggest threat and is engaging in espionage in all 50 states across multiple industries.

The post MD Anderson Cancer Center Fires Three Scientists Over Concerns About Theft of Research Data appeared first on HIPAA Journal.

HHS’ ONC Releases Second Draft of Trusted Exchange Framework and Common Agreement

The HHS’ Office of the National Coordinator for Health IT (ONC) has released the second draft of its Trusted Exchange Framework and Common Agreement (TEFCA) and is seeking comments on the updated text.

The purpose of TEFCA is to help ensure there is seamless, interoperable exchange of health information, which is critical to the creation of a health system that empowers providers and patients and delivers better healthcare at a lower cost.

The 21st Century Cures Act promoted a national framework and common agreement for the trusted exchange of health information. The framework is required as there is currently no core exchange mechanism that can be used by healthcare providers, health plans, vendors, public health departments, and federal, state, local and tribal governments. Trusted exchange is too complex.

Currently, multiple exchange methods need to be used. The majority of hospitals use three or four exchange methods and three in ten use more than five methods. This approach is inefficient and expensive. Healthcare organizations are having to build several point-to-point interfaces to communicate health information with each other. The Trusted Exchange Framework will reduce the need for individual interfaces to be developed and maintained.

The five key goals of TEFCA are to create a single on-ramp for nationwide connectivity, to ensure electronic information is available whenever and wherever it is needed, to build a competitive market to allow all entities to compete on data services, to support nationwide scalability for network connectivity, and to achieve long-term sustainability.

In addition to helping healthcare entities efficiently exchange health information, the trusted exchange framework has important benefits for patients, including the ability to find all of their health information that has been recorded by multiple providers, even if they do not remember the names of those providers. This will help patients and their caregivers to participate more fully in their care and manage their health information.

After publishing the first draft of TEFCA, ONC received more than 200 comments from industry stakeholders. After careful consideration of the comments, ONC has made key revisions to the Trusted Exchange Framework (TEF) and the Minimum Required Terms and Conditions (MRTCs) for trusted exchange and has released the first draft of a Qualified Health Information Network (QHIN) Technical Framework.

Together, these documents form the basis of a Common Agreement for QHINs and their participants and include technical and legal requirements for the sharing of electronic health information nationwide across disparate networks.

ONC will be responsible for maintaining the TEF and the HHS is looking to appoint a non-profit industry-based organization – a Recognized Coordinating Entity (RCE) – to develop, update, implement and maintain the Common Agreement. The HHS has announced the release of a notice of funding opportunity to engage an RCE. Applications will be received up until June 17, 2019.

“We expect that the implementation of the Trusted Exchange Framework and the Common Agreement, will bring us all that much closer to achieving the administration’s goals of nationwide interoperability,” said HHS’ national coordinator for health information technology, Dr. Donald Rucker.

The HHS is seeking comments on the second draft of TEFCA until June 17, 2019.

The post HHS’ ONC Releases Second Draft of Trusted Exchange Framework and Common Agreement appeared first on HIPAA Journal.