Database Encryption as HIE Strategy

Hartford Healthcare's Extra Security Step
An integrated delivery system in Connecticut is taking the extraordinary step of encrypting its clinical databases before launching an ambitious health information exchange effort.

Hartford Healthcare, owner of Hartford Hospital and numerous other facilities, sees its internal HIE effort as the way to become a "truly integrated" delivery system, says John DeStefano, director of software development and integration. By using the enterprisewide network, slated to go live this fall, Hartford Healthcare will be able to improve care coordination, he says. For example, in the early stages, hospitals will use the HIE to transmit discharge summaries to primary care physicians, providing prompt access to complete details about a hospital stay.

The HIE will use the federated model, in which patient information will reside within each facility's own databases, rather than a central repository. HIE users will then make queries to retrieve data from the appropriate database.

Encryption as Additional Precaution

Encrypting each database, DeStefano says, is an "additional precaution" to help prevent data breaches and comply with HIPAA and the HITECH Act, as well as state regulations. "It's not absolutely necessary, but it alleviates issues if we ever did get hacked," he explains. "And if a disk got compromised somehow, we wouldn't have to disclose the breach because the data was encrypted."

Hartford Healthcare will use encryption technology from Gazzang. In tests, the encryption had no impact on the speed of accessing data, DeStefano says.

Because a breach "potentially could cost us millions of dollars," the extra encryption investment seemed worthwhile, he adds, declining to reveal the cost of the encryption software.

The delivery system also will encrypt all messages traversing its HIE, which will use the organization's internal network backbone.

Open Source Approach

To help hold down the cost of building its HIE, Hartford Healthcare is relying on open source software from Misys Open Source Solutions. The provider organization worked with Misys to build some proprietary components, including a portal for viewing information. DeStefano contends that most of the commercially available HIE applications are relatively untested in large deployments.

Hartford Healthcare recently participated in an HIE pilot project for the state's Department of Social Services, which served as a test bed for a potential statewide model. In the test, which connected five unrelated sites, participants used the open source software and encrypted their databases, DeStefano says.

Once Hartford Healthcare's internal HIE project goes live, participants will use role-based authentication, relying on user name and password. But the delivery system may eventually migrate to digital certificates or another advanced form of authentication, DeStefano says.

To get patients' permission to exchange their records, Hartford Healthcare will require patients to formally opt in to, or enroll in, the internal HIE, he adds. Many HIEs use the opt-out model, where patients' data is automatically eligible for exchange unless patients choose to opt out. But the delivery system, based on advice from its attorneys, chose the opt-in model as the best approach to help ensure privacy, DeStefano says.


About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



