By Mariia Kovalova
In 2021, medical organizations were among the main targets of cybercrime. Roughly 3.5 million personal health records (PHRs) were compromised, and health care providers paid more security-related penalties than companies in any other industry. Interoperability was named one of the most vulnerable areas: network components and third-party applications were breached more often than any other part of the stack.
Health care interoperability, and EHR interoperability in particular, is crucial for improving patient outcomes and safety. That is why EHR integration services that include thorough security checks of every element of the health care ecosystem are gaining popularity with providers.
However, many medical organizations are still reluctant to share protected health information (PHI) between their EHR and in-hospital systems, let alone with other providers' and vendors' software. That reluctance hinders the industry's synergy. So what can be done to improve the security of data exchange, especially where EHRs are concerned?
Updating Legacy Systems and Devices
Legacy medical software and devices were designed either before adequate security regulations existed in the industry or when regulatory bodies lacked the power to enforce them. One essential preparation step before integrating an EHR into the organization's ecosystem is therefore a security evaluation of the software, hardware, and network it will connect to.
Bringing all of these up to modern security standards may require time and resources beyond what was planned for the EHR integration project, but it is strongly recommended not to skip this step. Health care providers end up paying far more when patient information is compromised, so modernizing the entire ecosystem is the way to future-proof the organization.
Protecting EHRs and Connected Apps From Unauthorized Access
Very often, PHI is leaked through unauthorized access. In most cases the intent is malicious, but sometimes workplace negligence, inattentiveness, or disregard for security protocols is what compromises crucial data.
Regular staff security training may seem tiresome, but it partially prevents human error. Two tried-and-true protections that every medical app developer should implement are two-factor authentication and salted password hashing with a slow key-derivation function: passwords must never be stored in plaintext or in reversibly encrypted form, because an attacker who obtains the key or the database recovers every credential at once. Segmenting the organization's network into subnets for different user groups and device classes also helps: it limits how far an intruder or a compromised workstation can reach into the sensitive data circulating in the digital ecosystem.
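As an added example (not code from the article or from Itransition), the following shows how an EHR login service can implement the two measures above: passwords stored as salted scrypt hashes and a time-based one-time password (RFC 6238 TOTP, the scheme authenticator apps use) checked as the second factor. The work factors, the record format, and the login flow are assumptions of this example; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Assumed scrypt work factors (about 16 MiB of memory per hash); tune to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a record 'scrypt$<hex salt>$<hex hash>' for storage in the user table.
    Every user gets a fresh random salt, so equal passwords give different records
    and precomputed (rainbow) tables are useless."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows at `timestamp`."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current 30 s step plus `window` steps either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, timestamp + d * 30), code)
               for d in range(-window, window + 1))


def login(record: str, totp_secret: bytes, password: str, code: str, now: int) -> bool:
    """Both factors must pass. Both checks always run so a wrong password and a wrong
    code take the same time and leak nothing about which factor failed."""
    pw_ok = verify_password(password, record)
    otp_ok = verify_totp(totp_secret, code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # Constructed demo: enrol a user, then log in with a code derived from the shared secret.
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed TOTP seed, not a real one
    record = hash_password("correct horse battery staple")
    now = int(time.time())
    print("login ok:", login(record, secret, "correct horse battery staple", totp(secret, now), now))
    print("wrong code:", login(record, secret, "correct horse battery staple", "000000", now))
```

The `window` parameter is the usual trade-off: a window of one step accepts codes from the previous and next 30 seconds, which covers typical clock skew while keeping the number of acceptable codes small. In production a used code should also be recorded so it cannot be replayed within the window.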
Experts also recommend limiting the use of personal devices for remote access. On the one hand, remote work has become one of the innovations that most improved access to care for vulnerable groups of patients; on the other, it exposed PHI to new threats. Patient data must be kept safe without taking the option of remote work away from clinicians. For example, every personal device used to access patient details should be vetted by IT security staff, assessed for its security posture, and equipped with protective software before it is allowed to connect.
Sometimes it is necessary to go further and use advanced technologies such as blockchain and AI. An example of the latter is user-behavior monitoring: the system builds a baseline of how each user normally accesses records and notifies security specialists when an access does not fit that pattern, for instance one made from an unusual location or at an unusual time of day.
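The monitoring described above, as an added example that is not part of the original article: a baseline of hours and locations is learned per user from historical EHR audit-log lines, and new accesses are flagged when the location is new to that user, the hour is outside anything in the user's history (with one hour of slack, measured on a 24-hour clock), or the user has no history at all. The log format and both log samples are constructed for this example; the tolerance and the fields are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of an EHR access audit log (not real data). Field names are assumed.
HISTORY = """timestamp,user,location,patient_id,action
2021-03-01T08:12:00,dr_lee,ward-3,P1001,view
2021-03-01T09:40:00,dr_lee,ward-3,P1002,view
2021-03-01T14:05:00,dr_lee,ward-3,P1003,update
2021-03-02T08:30:00,dr_lee,clinic-a,P1004,view
2021-03-02T16:20:00,dr_lee,ward-3,P1001,view
2021-03-01T22:10:00,nurse_ali,ward-3,P1001,view
2021-03-01T23:45:00,nurse_ali,ward-3,P1005,update
2021-03-02T01:30:00,nurse_ali,ward-3,P1005,view
"""

# Constructed new events to score against the baseline.
NEW_EVENTS = """timestamp,user,location,patient_id,action
2021-03-03T10:15:00,dr_lee,ward-3,P1002,view
2021-03-03T02:30:00,dr_lee,remote-vpn,P1006,view
2021-03-03T00:20:00,nurse_ali,ward-3,P1005,view
2021-03-03T11:00:00,contractor,ward-3,P1001,view
"""


def parse_log(text: str) -> list:
    """Parse CSV audit lines into dicts with a real datetime in 'ts'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def build_baseline(events: list) -> dict:
    """Per user: the set of hours of day and the set of locations seen in history."""
    baseline = defaultdict(lambda: {"hours": set(), "locations": set()})
    for e in events:
        baseline[e["user"]]["hours"].add(e["ts"].hour)
        baseline[e["user"]]["locations"].add(e["location"])
    return dict(baseline)


def _hour_distance(a: int, b: int) -> int:
    """Distance between two hours on a 24-hour clock, so 23:00 and 00:00 are 1 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def detect_anomalies(baseline: dict, events: list, hour_slack: int = 1) -> list:
    """Return one alert per event that deviates from the user's baseline, with reasons."""
    alerts = []
    for e in events:
        reasons = []
        profile = baseline.get(e["user"])
        if profile is None:
            reasons.append("no access history for user")
        else:
            if e["location"] not in profile["locations"]:
                reasons.append(f"unusual location {e['location']}")
            if all(_hour_distance(e["ts"].hour, h) > hour_slack for h in profile["hours"]):
                reasons.append(f"unusual hour {e['ts'].hour:02d}:00")
        if reasons:
            alerts.append({"user": e["user"], "timestamp": e["timestamp"],
                           "patient_id": e["patient_id"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(HISTORY))
    for alert in detect_anomalies(base, parse_log(NEW_EVENTS)):
        print(alert["timestamp"], alert["user"], alert["patient_id"], "; ".join(alert["reasons"]))
```

A real deployment would learn the baseline over weeks rather than two days, weight recent behaviour more heavily, and add the signals the paragraph hints at but this toy omits: volume of records per session, accesses to patients the user is not treating, and VIP or self-record lookups.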
Shielding Application Programming Interfaces
A recent experiment by security researcher Alissa Knight found that while the EHR platforms she tested were themselves reasonably well secured, third-party patient data aggregators and mHealth apps that pull records through Fast Healthcare Interoperability Resources (FHIR) APIs had unacceptable flaws that exposed EHR data.
In a recent report, the mobile app security vendor Approov urged the Department of Health and Human Services (HHS) to require that any app connecting to an EHR through an application programming interface (API) be assessed for security before any data are transferred and protected while the transfer takes place. It also recommended that medical apps and devices authenticate themselves to the API through an SDK-based mechanism that supplies a token with each API request, so that the server can distinguish a genuine client from a script replaying stolen credentials.
Open APIs give developers and health care organizations excellent opportunities to build new services and improve the patient experience. However, they must be governed by strict rules about who may connect and what each client may read or write; otherwise they open a huge security gap.
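As an added example of the token-per-request check described above (not Approov's SDK, not the article's code, and not any real vendor's protocol), the following sketches the server side of a FHIR-style API gate: the issuer signs a short-lived token carrying the app identity and its permitted scopes, and every request is rejected unless it carries a token that verifies, has not expired, and covers the resource and operation being requested. The HMAC-signed token format, the `Resource.read`/`Resource.write` scope syntax, the key, and the sample requests are all assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuer key for the demo. In production this lives in a KMS or HSM and is
# never embedded in the app; the app obtains tokens from an attestation service instead.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, app_id: str, scope: str, now: int, ttl: int = 300) -> str:
    """Return '<payload>.<signature>': a base64 JSON payload plus HMAC-SHA256 over it.
    The short ttl (assumed 5 min) limits the value of a leaked token."""
    payload = {"app": app_id, "scope": scope, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(key: bytes, token: str, now: int):
    """Return the payload dict if the signature and expiry check out, else None.
    The signature is checked before the payload is parsed, so untrusted bytes are
    never decoded as JSON."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) <= now:
        return None
    return payload


def authorize_request(key: bytes, headers: dict, method: str, path: str, now: int):
    """Gate a FHIR-style request such as GET /Patient/123. Returns (status, reason)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "missing bearer token"
    payload = verify_token(key, auth[len("Bearer "):], now)
    if payload is None:
        return 401, "invalid or expired token"
    resource = path.strip("/").split("/")[0]          # '/Patient/123' -> 'Patient'
    operation = "read" if method == "GET" else "write"
    needed = f"{resource}.{operation}"
    if needed not in payload.get("scope", "").split():
        return 403, f"token scope does not cover {needed}"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a read-only app token, then four requests against it.
    tok = issue_token(SERVER_KEY, "mhealth-app-42", "Patient.read Observation.read", now=1000)
    hdrs = {"Authorization": "Bearer " + tok}
    print(authorize_request(SERVER_KEY, hdrs, "GET", "/Patient/123", now=1100))   # (200, 'ok')
    print(authorize_request(SERVER_KEY, hdrs, "POST", "/Patient", now=1100))      # 403, no write scope
    print(authorize_request(SERVER_KEY, hdrs, "GET", "/Patient/123", now=1400))   # 401, expired
    print(authorize_request(SERVER_KEY, {}, "GET", "/Patient/123", now=1100))     # 401, no token
```

Two design points matter more than the token format. First, the scope check is per resource and per operation, so a compromised read-only app cannot be used to alter records. Second, the token is minted by the server side after the app has been vetted, which is what turns "only approved apps may connect" from a policy statement into something the API can actually enforce.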
A Final Word: The Value of Data Governance for Integration Security
No matter which tools are used to integrate EHRs securely with other apps and devices, the health care ecosystem remains vulnerable without a solid data governance strategy. Data governance regulates how data are acquired, stored, transferred, and disposed of throughout the organization. Implementing safety measures before working out a comprehensive strategy tends to produce scattered efforts that do not cover every system and data flow, protocols that do not interoperate, and confusing guidelines for personnel.
Data protection in health care needs to improve, and secure data transfer between EHRs and other systems in particular. Health care organizations, regulatory institutions, and software vendors should act together to work out a general data governance strategy and a shared set of tools and best practices for protecting PHI. Otherwise, patients may refuse to engage with providers digitally out of fear for the safety of their personal details. Such a turn of events would set the industry back a decade and put additional pressure on medical personnel, which is the last thing anyone needs.
— Mariia Kovalova is a health care technology researcher at Itransition, a software development company headquartered in Denver. Having experience with both the health care and IT industries, she’s always looking for technologies that will help providers optimize their processes, enhance patient experiences, and build more resilience in the face of the rapidly changing world.