Somewhere at the crossroads of actual information blocking (or, more likely, accidental information throttling) and use of entirely-appropriate, high security constraints, usability and data access have suffered and medical tests are being duplicated. Our health care system could simply do better and be more efficient. The government is stepping in to help: a health data security "ten commandments" are in order. My hope is that this framework will accomplish the following:
Establish data use expectations that are pervasive to any transport or query modality.
Several data exchange options exist on the market today. The advent of Application Access APIs will extend exchange by enabling patients, at scale, to access their health data, and share it with other consumers, with their providers, and of course with payers also. Covered Entities won't have time to process all the health data available to them, much less read and understand the variety of different data sharing agreements associated with each source institution or data sharing network. To address the deluge of access, I expect the common trust framework will extend to many aspects of health data sharing. Where it doesn't directly reach, it will likely guide acceptable use by setting a common bar, and these principles will be well-communicated to Covered Entities and consumers alike.
Set clear identity verification and authentication practices.
NIST 800-63-3 is a starting point for determining you have the right person to authorize to an electronic system, re-admit to that system, or reset their password. Additional standards for how in-person antecedents and Trusted Agent relationships can be invoked uniformly in a healthcare setting are less well-specified, and clarification of best practices and audit responsibilities will improve overall security and confidence in counter party identity--the identity of someone on the other side of an electronic transaction. Our phones now come equipped with a host of different password-replacement security options and additional authentication factors, but their success rates and actual security value vary. NIST and associated guidance have an opportunity to categorize these solutions, disqualifying some for use in this realm, through practice notes.
Create expectations around how to evaluate trustworthiness of counter parties.
Internet trust bundles and the trust bundles used in Direct Messaging have established track records for this. Instead of relying on a single issuer or single identity service, a marketplace of digital credentials allows for innovation and fairly-priced solutions through natural competition. Trust anchors collected into bundles of issuers who follow common practices such as validating the certificate chain and content digest provide increased confidence in transactions among participants. These and additional best practices such as following industry-established expiration and revocation checking will deter malicious actions once they are more broadly adopted in the community.
And more of the same work we've already been doing...
As we move toward more sophisticated data access and automation, the biggest problems still need to be addressed: not having access to a directory or patient locator or matching service (or universal identifier), not having the necessary authorization or software patch to perform a task, and sending or receiving a file type that the counter party's system can't use, or that it's cumbersome or expensive to use. To state the obvious, we have our work cut out for us.
My organization supports the following characteristics in a trust framework:
-Re-use of credentialing that has already occurred, such as organizational and individual identity verification, and even re-use of digital credentials such as Direct certificates, device certificates following similar issuance profiles, and accounts used for Direct transport itself, whenever possible. We have confidence that the Context Implementation Guide and Unified Data Access Profile (UDAP) will go a long way to help re-usability of existing technical infrastructure, saving time and expense.-Use technology to best scale, while also carefully securing, the chain of authorizations necessary to support consumer control over sharing of their data ("consumer-mediated exchange") and similar use cases. Our work with the Move Health Data Forward Challenge involving UMA, HEART, and OpenID created the first FHIR user interfaces for this; we also developed the software to enable the grant management called out in these profiles, and it's now a part of our HealthToGo API. This technology allows a patient to easily authorize access to their health data by an identity they use for another app, or that their authorized representatives or specialists already use elsewhere on the internet.