Database Encryption as HIE Strategy
Hartford Healthcare's Extra Security Step
Hartford Healthcare, owner of Hartford Hospital and numerous other facilities, sees its internal HIE effort as the way to become a "truly integrated" delivery system, says John DeStefano, director of software development and integration. By using the enterprisewide network, slated to go live this fall, Hartford Healthcare will be able to improve care coordination, he says. For example, in the early stages, hospitals will use the HIE to transmit discharge summaries to primary care physicians, providing prompt access to complete details about a hospital stay.
The HIE will use the federated model, in which patient information will reside within each facility's own databases, rather than a central repository. HIE users will then make queries to retrieve data from the appropriate database.
Encryption as Additional Precaution
Encrypting each database, DeStefano says, is an "additional precaution" to help prevent data breaches and comply with HIPAA and the HITECH Act, as well as state regulations. "It's not absolutely necessary, but it alleviates issues if we ever did get hacked," he explains. "And if a disk got compromised somehow, we wouldn't have to disclose the breach because the data was encrypted."
Hartford Healthcare will use encryption technology from Gazzang. In tests, the encryption had no impact on the speed of accessing data, DeStefano says.
Because a breach "potentially could cost us millions of dollars," the extra encryption investment seemed worthwhile, he adds, declining to reveal the cost of the encryption software.
The delivery system also will encrypt all messages traversing its HIE, which will use the organization's internal network backbone.
Open Source Approach
To help hold down the cost of building its HIE, Hartford Healthcare is relying on open source software from Misys Open Source Solutions. The provider organization worked with Misys to build some proprietary components, including a portal for viewing information. DeStefano contends that most of the commercially available HIE applications are relatively untested in large deployments.
Hartford Healthcare recently participated in an HIE pilot project for the state's Department of Social Services, which served as a test bed for a potential statewide model. In the test, which connected five unrelated sites, participants used the open source software and encrypted their databases, DeStefano says.
Once Hartford Healthcare's internal HIE project goes live, participants will use role-based authentication, relying on user name and password. But the delivery system may eventually migrate to digital certificates or another advanced form of authentication, DeStefano says.
To get patients' permission to exchange their records, Hartford Healthcare will require patients to formally opt in, or enroll, in the internal HIE, he adds. Many HIEs use the opt-out model, where patients' data is automatically eligible for exchange unless patients choose to opt out. But the delivery system, based on advice from its attorneys, chose the opt-in model as the best approach to help ensure privacy, DeStefano says.