Originally published July 12th, 2019 by Matt Ferrari, Co-Founder & Former CTO , ClearDATAat Forbes.com
Let’s talk about Health Level Seven, more commonly known as HL7. If you’re a health care provider or developer, you’ve more than likely heard about the main body of standards that creates health care interoperability. Consider when a physician requests information about a patient. Using HL7 standards, the system can transfer multiple documents across multiple health care applications to fulfill the request. Theoretically, this ability to exchange information and move data should minimize geographically isolated medical care, develop cost-effective solutions, enable medical device innovation and, ultimately, make caring for patients safer.
Over many years, there have been several versions and developments of HL7, including FHIR, or fast health interoperability resources, which is focused on getting closer to an interoperable health care system. With each evolved framework has come new technology and new players who’ve embraced the standards to further the potential in health care data, lower costs and deliver better care. Just in the last year, we saw tech giants like Apple, Google, Microsoft, IBM, Salesforce and Amazon further adopt FHIR into their health tech strategies. Now developers can configure health care data easily on the cloud of their choice (backed by HIPAA) and patients can download their data directly onto their iPhones from health care organizations. Sounds great, right?
It certainly would be a milestone to celebrate if it wasn’t for the one single commonality discovered in almost all versions of HL7: security issues. There is no built-in encryption or message verification, though there are multiple third-party organizations that offer integrations. Moreover, it requires no primary authentication method, and many of the security controls are debatable.
From the start, HL7 was arguably built insecurely, making it unsuitable for the public cloud by itself. This poses a major threat to hospitals and patients by making personal and sensitive patient information susceptible to cyber attacks, data privacy breaches, or worse, harm to patients.
Researchers from the University of California recently conducted a simulation of an HL7 cyber attack, and the findings were alarming. Several encryption and authentication vulnerabilities were exploited, and the simulated attacker had the ability to modify multiple lab results to read from “normal” to “severely ill.” This could lead to patient misdiagnosis or prescription of unnecessary medications, making the safety of HL7 data an utmost priority. As HIT Infrastructure noted, the researchers pointed to HL7 as part of a “more fundamental problem in contemporary health care IT; the protocol’s prevalence demonstrates the flawed, legacy-device foundations of the current patient care environment.”
To alleviate the possibility of cyber attacks and data security breaches using HL7 standards — whether 1X or FHIR — health care organizations should first be focused on protecting their data and their environments.
Shield Your Data With A Virtual Private Network (VPN)
Data protection is imperative, specifically being able to de-identify or anonymize the patient records on demand, being able to delete identifying factors such as name and social security number, and replacing identifiable data with an artificial identifier or pseudonyms. In order to protect the entire network, instead of just a single application, many institutions are using SSL VPNs and similar solutions, which allow them to create a secure connection and protect their data from public connections.
The great news is that many cloud platforms such as Amazon, Google and Microsoft already offer a built-in VPN as part of their services. The challenge, however, is with the protection of the data before it reaches the point of encryption, creating extra steps to further security protocols such as VPN tunnels that slow down a potential cyber attack.
Safeguard Your Environment With Advanced Technology
For any system that has access to HL7 data, I recommend implementing a strictly enforced password policy, including multi-factor authentication, so that data is safeguarded around the environment, as well as adopting advanced third-party technologies. These third-party technologies focus on direct secure messaging, which is a typical way in which health information is exchanged over the internet. This process is reminiscent of email, but the messages are encrypted and authenticated to make sure only authorized parties can send and receive data.
By implementing additional layers of protection, users can transform HL7 from an unauthenticated, unvalidated and plaintext transmission of sensitive data across networks to a secure, compliant and protected network. Whether exchanging, integrating, sharing or retrieving electronic health information, HL7 and FHIR technology represent a major opportunity to accelerate health care data interoperability across a wide range of currently disparate systems, increase patient access and use health information to improve outcomes. It just needs to be done securely.