Welcome to the fourth instalment in our blog series, “Enterprise Integration: Considerations for Healthcare Organizations”. Previously in the series, we discussed the need for a high-performance integration engine, one with the ability to process very high message volumes and to do so with reasonable hardware requirements. We also explored the costly risks that organizations face without the implementation of a highly available integration engine. This week, we turn our attention to the topic of security, in particular, we will focus on the protection of health information.
Protecting Health Information
When we talk about the privacy and security of protected health information (PHI), the first word, or in this case acronym, that comes to mind is, HIPAA. Of course, there are state privacy laws that healthcare organizations must familiarize themselves with, but for the focus of this post we will use HIPAA as our main reference.
The Healthcare Insurance Portability and Accountability Act (HIPAA) was originally created to ensure workers could carry forward insurance and healthcare rights between jobs. It expanded over the years to include the governance of healthcare insurance fraud, tax provisions for medical savings accounts, and coverage for workers with pre-existing conditions. Today, it is primarily concerned with the privacy and security of patient health information.
The Role of The Integration Engine
The HIPAA Security Rule establishes the standards to safeguard and protect electronic protected health information (ePHI) when it is at rest and in transit. There are three parts to the HIPAA Security Rule: technical safeguards, physical safeguards, and administrative safeguards. Clearly an integration engine doesn’t apply to the entirety of the security rule but as the application responsible for transferring the ePHI between systems, it can help to strengthen an organization’s data security procedures.
As mentioned above, healthcare organizations are responsible for safeguarding and protecting ePHI when it is at rest (when it is stored within a device, system or application) and while it is in transit (as data is transferred between systems or applications).
Protecting Data at Rest
At a high level, data encryption involves the scrambling of data in such a way that it renders the data indecipherable and requires a security key to convert the data back into its original form. Essentially, it makes data look like noise. As such, one of the most important steps that healthcare organizations can take is to ensure all of the data processed by their integration engine resides on encrypted storage.
Protecting Data in Transit
In addition to protecting data while at rest, organizations should also be aware of how to protect data while it is in transit. Transferring ePHI over a network – say, a lab sending patient results back to the referring physician – is an example of data in transit. To protect data in transit, healthcare providers and vendors need to make sure that the lines of communication are secure between the two parties exchanging electronic health information. To create a secure network for exchanging data, organizations should always remember to use HTTPS and secure LLP, ideally through secure VPNs.
Authorization: Controlling Employee Access to Data
Along with protecting data while at rest and in transit, it is also important that organizations control who has access to that data. This is why it is crucial that your integration engine of choice has the necessary user permission and roles that allow you to control exactly how much access each of your employees has to data. The key point is to give your employees just enough access to perform their job. Simply put, there is no need to give all of your employees administrative privileges if they do not require administrative privileges to do their job.
Millions of Mission Critical Messages Flow Through Iguana Every Year
Let’s take a look at how healthcare organizations are using Iguana to process information that is valuable, sensitive, and crucial to business operations:
- Healthcare providers from around the globe use Iguana to move millions of HL7 messages containing patient demographic information from central EMR systems downstream to ancillary systems.
- Vendors of all sizes trust Iguana to quickly and securely integrate with provider systems to make their solutions more effective and to improve workflows for their customers.
- A large number of labs and diagnostic imaging centers depend on Iguana to process millions of orders and results every year.
- In addition to patient health information, Iguana is used by organizations to transfer sensitive financial and administrative data between systems.
If you want to learn more about how Iguana can help your organization easily and securely connect any healthcare system, or if you want to chat with about anything else integration related, contact us today.
Next up in our “Enterprise Integration Considerations” blog series: Multiple Data FormatsEnterprise Integration Series