An Inside Look at Health Information Exchange Security & Privacy


About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

In this episode of CyberPHIx, we take an inside look at Health Information Exchange security and privacy issues.

Health Information Exchanges (HIEs) play a critical role in improving the continuity of patient care across healthcare entities and geographies. HIEs often operate behind the scenes to coordinate the secure sharing of information across healthcare entities.

Organizations considering using or interfacing with an HIE will benefit from this podcast discussion about security and privacy trends with Nick VanDuyne, Executive Director at NY Care Information Gateway, and Brian Selfridge, Meditology Partner.

Listen as Nick provides an insider view of risk management security issues and approaches including:

  • Key questions to ask when evaluating HIE or Regional Health Information Organizations (RHIOs). Specifically, how to evaluate the security and privacy controls of the entity.
  • Challenges faced by the “big data” aspect of an HIE or RHIO. How do you reconcile the security and privacy expectations of a wide range of disparate stakeholders that share and use health data (hospitals, state agencies, and others)?
  • The use of security certifications to provide demonstrable assurance of security controls to members and business partners.
  • An insider view of the inherent security strengths or vulnerabilities of healthcare data communication protocols like HL7, DICOM and newer HIE-specific protocols such as DIRECT.
  • Opinions about emerging technologies and security considerations for the next wave of innovations poised to hit the healthcare market.


Brian Selfridge: [00:00:09] Welcome to CyberPHIx, the audio resource for information security, privacy and governance, specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we will be bringing you pertinent information from thought leaders in healthcare information security and privacy. In this episode, we'll be speaking with Nick VanDuyne, who is the executive director at New York Care Information Gateway, which is a regional health information organization, a Health Information Exchange, which we sometimes refer to as HIEs throughout the conversation here. We're excited to speak with Nick today about security challenges specific to HIEs as well as securing emerging technologies and communication protocols for the healthcare space. We would like to hear from you as well, so if you have a specific topic or thought leader that you would like to hear from, just drop us a note at [email protected]. That's [email protected]. Now, let's get to our interview.

Brian Selfridge: [00:01:07] I would like to welcome my guest, Nick VanDuyne, who is the executive director at New York Care Information Gateway. New York Care Information Gateway is a regional health information gateway or RHIO that is working to improve healthcare for all New Yorkers through health information technology. To achieve this goal, the organization has partnered with the New York State Department of Health to create an electronic health record network to provide access to patient information in the state of New York. We're excited to speak with Nick today about the ways in which health information is being shared across healthcare entities and geographies to improve the continuity of care for patients, while still protecting the privacy and security of their sensitive information. No easy task there for sure. Nick, thank you so much for taking the time to join us here on the CyberPHIx. 

Nick VanDuyne: [00:01:51] Thanks for having us, Brian. We're welcome to be here. 

Brian Selfridge: [00:01:54] All right. So, Nick, tell me a little bit about health information exchanges. Why are they different than, let's say, health systems, other healthcare entities, payers? I know you've worked for a variety of all of the above. Are there any specific challenges about HIEs or RHIOs or health information exchanges from a security standpoint that might be different from other health system payers, other healthcare entities that our audience may be more familiar with potentially? 

Nick VanDuyne: [00:02:22] Well, I think there is. First, let me start with the difference between an HIE and a payer health system. Right. So the data will prove out that no health system has all the information it needs, and therefore it needs to have some level of interoperability amongst its competitors or co-providers within the infrastructure, within a state or across state lines, and communications with payers for continuity of care and care plans and care management. So a health information exchange really becomes a necessary piece of the puzzle, whether you look at that from a statewide level or a national level. And the challenges that really come along with it are just the myriad of interfaces and data exchanges that it brings in. When you consider an organization such as ours, we're directly connected to well over 200 facilities, and we have to be cognizant of our responsibilities to maintain their security and at the same time, be cognizant of the fact that we're only as secure as the weakest link that we're connected to. So it does put a couple of extra layers of concern on you and other things that you need to look at. And it really puts us in a position of having to be keenly aware of not only our security, but the security of everyone we're connected to, both as a provider of data and as a consumer of data.

Brian Selfridge: [00:04:02] I have to imagine there is quite a bit of aggregation of data with the health information exchange that may be above and beyond. A health system may have their primary electronic health record, maybe they do some analytics, maybe some other things, but, the very nature of a health exchange where as you said, you've got those dozens to hundreds of inputs in some cases of data that's coming in. Are there any challenges that get introduced from a security or maybe even a privacy standpoint to just having that volume of data that you that needs to come through the network or be stored or transmitted in and out? And how do you tackle just making sure that you're able to track all the ins and outs of where that data is going? 

Nick VanDuyne: [00:04:44] That's a really good question. So, you know, New York is one of the few states that requires informed consent in order for someone to have the ability to view your data. And that goes along with the concept of also big data and big data reporting. So from a privacy perspective, it's extremely important for us to manage that patient-facility relationship to ensure that we're giving people the information that they need, but only if there is an active consent relationship with the patient. So that plays into both our ability to provide data to them on a one-time, one-off basis, and also in terms of providing big data to our clients who are trying to potentially meet value-based payment or are looking to do other types of scoring. And we just recently had a fairly successful project that we ran with one of our district partners here in New York. We actually had to pull the data on nineteen thousand patients and then filter it out, give them back the specific data set they wanted. And conceptually it's like, oh, it's not a big deal. But then you get to this point of, well, I have to look at these nineteen thousand patients first, make sure that I have the appropriate level of consent in order to provide that data back to the provider who's looking for it. So it adds a layer of complexity to how you manage big data. And to me, that's a really important piece, because when we talk about ownership of data, I think if you're an HIE, we've never felt that we were data owners; we are data stewards, and that data really belongs to the organizations that have contributed it and to the patient. So from a privacy perspective, ensuring that you're really managing that consent, that relationship between the individual person and the individual facilities, is a big deal. And then again, in terms of security, we've got so much data moving in and out. You get to be very, very adept at understanding your interfaces and ensuring access controls are managed to the level where you've not only got an ACL to an IP, but you've got an ACL to an IP and a specific port number, and you're managing whitelisting for specific programs that are allowed to push data in and/or push data out. I think it becomes far more comprehensive and time consuming on the edge; I think a lot of other organizations don't have that level of responsibility at the edge.

Brian Selfridge: [00:07:40] I'm curious about consent a little bit. So I remember a long time ago, actually probably over a decade ago. I shouldn't date us too well. We worked on some of the early days of consent models for HIEs, and at the time, there weren't that many patients that were opting out or declining consent to participate in HIEs. Do you see that trend still playing out? Do many folks opt out of this stuff and decline consent and decline to participate? Or are most patients seeing the value in participating in HIEs or RHIOs generally?

Nick VanDuyne: [00:08:12] So we see very few that actually opt out. What we do see is a concern for patients in terms of providing general access. So in New York, you have a couple of different models, right? So you can provide access to the provider. You can deny access to the provider, or you can provide access in what's called an emergency-only scenario. We do see those who are more conservative in the idea of sharing their data will go for the emergency only. We've had very few folks that say, I don't want anyone to see my data. I think there's really an ongoing educational process that has to happen. We generally, I think as humans, we hear people say, well, someone's going to be able to see your information and you're like, oh, wait a minute, I'm not so sure I want that to happen. But when you explain to them that this is on a relationship basis for the betterment of your care, and it's with a specific group of doctors within a covered entity that are caring for you, and even within that covered entity, the provider who's looking at the data has to have a treatment relationship with you. People become more comfortable with that. And we found that in educating them that the consent doesn't become such a big deal. I mean, you'll always have those that say no, and I think that that's a good thing because we facilitate that option and we allow that to happen. But I think also that the education has allowed people to see that this is in their best benefit and that there is a level of trust and security there. 

Brian Selfridge: [00:09:58] How about the monitoring of access to that data, given that it's supposed to be restricted to just those care providers, and I'm sure it is, but having worked in the field long enough, there's always somebody that looks up a record that shouldn't. Do you find that you have to do a ton of monitoring, access monitoring, log data reviews to make sure that the records are being looked at by the right folks? How do you handle just keeping an eye on making sure that access is limited to the minimum necessary folks that need to get to it?

Nick VanDuyne: [00:10:31] So we're very big on compliance. We take a really strong stand in our audit. So we audit at random, we'll audit users, we'll audit facilities, we'll audit our emergency only what's called break the glass to see who broke the glass, why they broke the glass. And we do all this auditing on a routine basis continually. We have a whole compliance group that does it. And then we also do consent audits to make sure that the consents we're receiving from our participants are actually valid. They can show us the paperwork. We've gotten to the point in order to make that compliance easier, we actually do electronic consent now where the patient can actually sign on a signature pad or on a tablet, and we'll capture the consent form with their signature, and we'll actually store a copy of that, making our compliance even better in that respect.  

Nick VanDuyne: [00:11:32] Maintaining audits, as mundane as it sounds and as unglamorous as it is, is really an important part of making sure that you've established good trust with both your clients and with the community at large. Again, because if we don't really have that level of trust, and people can't feel that they're being taken care of, that their data is being taken care of, then we sort of lose the whole premise of what we do, right. Because everything is based on respect and trust, and we have to make sure that we maintain that. So we take it very seriously. We probably over-audit, to be honest, but in our sense, we feel that does us better service than not.

Brian Selfridge: [00:12:20] Trust is always, always a difficult thing to maintain over time, especially with all the different stakeholders that you have in the mix. I would imagine between participating health systems, state agencies, payers, others, I'm not sure who's all connected into the mix. But how do you maintain that level of trust and reconcile potentially all the disparate expectations around security controls and privacy controls and policies against all of those disparate stakeholder groups that share and consume the health data? Is it a herding cats kind of thing? How do you make sure everybody's comfortable with the way that you're operating and that it's up to the level that they would expect or in alignment with their own programs?

Nick VanDuyne: [00:13:05] Well, I think first and foremost, you know, there's always transparency. So we make our privacy and security policies and procedures available to anyone. We are more than happy to allow anyone who would like to diagnose us, per se, to come in, and we'll sit with them and we'll show them how we operate. More importantly, for that general level of trust, we're HITRUST certified, which, as you are aware in the healthcare industry, gives you a level of general reassurance that the provider or the receiver of your data is performing to a minimum standard and therefore has some level of trust. We also present all our auditing and security at our board meetings. And those notes are then available to anyone who attends the board meeting and also available to anyone who requests them. Again, these ideas are just maintaining transparency.

Nick VanDuyne: [00:14:08] We're also very clear in terms of when we bring someone up, we bring a new partner up, and we interface with them, we're very stringent in terms of what we look for. We have what we call an interface questionnaire. We ask specifically what we're going to get, how we're expected to get it, what they want to receive, how they expect to receive it. And we ensure that we tighten that down as much as we can. We also, in terms of transactions, make sure that we're getting the proper SAML assertions. We're making sure that when the SAML assertion comes across, we understand that we know who the user is and it's an authorized user. And therefore the transaction gets logged to an authorized user, and if it's a SAML assertion, it becomes processed. Not an authorized user, obviously, the transaction will then fail. So we put in a lot of controls, we put in a lot of ideas behind transparency and the sharing of our procedures and policies so that people can see what we're doing and feel comfortable with what we're doing. They can always attend our board meetings and listen to the audits, and we present our audit information both to them and to the state, which is mandated reporting we have to do. So it's all out there freely available. We think that by being a good citizen and saying, here's what we're doing, and sort of opening the doors, we're showing them what we're doing right. And hopefully, if they have suggestions and say, hey, we would like you to do this, it'll either filter in through us or filter down through the DOH.

Brian Selfridge: [00:15:50] I'd like to ask you a little bit more about the certification aspect, because we have a lot of prospective clients and business associates in the field that have been weighing whether to get certified or not. And the stats that we have here show still only about 25 percent of business associates and vendors and other entities servicing healthcare have a certification of some sort. And I'm wondering if you have a perspective to those folks that are sort of on the fence. Is the certification worth the, and this is not it's not a sales pitch, I know we do certifications so for anybody who thinks I have an ulterior motive for this question, I really don't, is it worthwhile? It's certainly a lot of effort to get it. Does it reduce that audit scrutiny you get from your members and your customers and your partners? Is it worth it, I guess? And truly, I know it's a heavy lift. 

Nick VanDuyne: [00:16:41] Well, I'll be quite honest. I mean, as you said, it is a heavy lift. It really is kind of an arduous task. It's going to consume a lot of time. My recommendation to anyone who's out there who's not certified or is considering getting certified, I would say just do it. And I say that truly, because it's not out there to say that you're doing things wrong and you're just all totally messed up. But it really, really is an excellent way to have another pair of eyes look at you and say, hey, you know, you're doing these things right. You're doing really, really well over here. But, you know, you've got some gaps in the way you do things over here. And it's hard to self-assess. And to me, the certification program really was a way to just have somebody else kind of come in and say, you do pretty good, but you've got some areas you need to work on. So let's identify all this and let's then put your plan of action in place. It's easy to overlook that type of stuff when you're self-assessing. And my opinion is, whether it's a HITRUST cert, a SOC 2 Type 2 cert, is having another set of eyes look at what you're doing is always beneficial, because you become I don't want to say blind to your own inefficiencies, but it's easy to overlook them or rationalize them as not a big deal. So it's really, really good in my mind that somebody else takes a look at it, and they sort of help you along the way where you're going to miss things if you're just going on without it. So if you're out there and you haven't done it, I would say just do it. And like Brian said, it is a heavy lift, but, it's a lift worth doing. 

Brian Selfridge: [00:18:39] All right, so now I will use that for sales pitches, I think. I'll just play this clip over again. Just kidding. So what do you do, Nick, if you've got different members or stakeholders that are inspecting your security and sharing information with you, what do you do if you have a disagreement on your approach to securing information or any policies you have or the way you've implemented things? Have you run into that, I guess, at all? And how do you sort of reconcile any discrepancies with, perhaps some folks that may be interpreting things either more conservatively or less conservatively than you do? Have you run into that? 

Nick VanDuyne: [00:19:17] Well, we have and honestly, for the most part, we seem to be more stringent than most of our partners, which I took as a good thing in terms of the way my PMO office really nails things down. But we have also run into where we just had folks that had policies that we had to abide by. Without naming anyone, we have a client who, even though they will transfer their data over a VPN, insists that the data itself be encrypted as it goes through the tunnel. As you're aware, VPN encrypts the tunnel and it doesn't technically encrypt the data. So their policy dictated that for them to move that data to us, the data files themselves also had to be encrypted even though they were coming through a VPN. So we accommodated that and we appreciate it. We will absolutely move to the highest level that's required by a client. Well, does that mean we're going to change all our interfaces to that? I will tell you no, because the 99.9% Of our other clients are going to say, no, we don't do that, and no, we can't implement that or it's cost prohibitive for us to implement that. So we will take it to the level our clients require., And we try to put a level of rationale across the board. But if something needs to be more stringent, we will absolutely go to that higher level. 

Brian Selfridge: [00:20:55] I'll ask you for a little bit of a thought exercise here. So a lot of our listeners are on the other side of your table, so to speak, where you're the HIE or the RHIO, you're taking the data and processing it for continuity of care. But many of our listeners may be the security folks that are part of a health system or a payer or state agency that are evaluating whether or not to connect up with HIEs and whether or not to share data and whether or not those organizations are doing those more stringent actions for protecting patient information and privacy and security as well. If you were speaking to some of those folks that are trying to evaluate HIE, what are some things that you think should be on the top of the list of the key questions you need to ask of your health exchange partners that you think may perhaps either get overlooked or maybe different than a traditional just security audit that may look at the obvious stuff, access controls, encryption. But is there anything HIE specific that you think organizations really need to pay attention to when they're partnering with an HIE or a RHIO or something similar? 

Nick VanDuyne: [00:22:03] Well, I'm not sure specific to HIEs, but it would be the same questions I would ask of anyone. So an HIE is a critical application. Right. And so my first question to the runner of the HIE would probably be the same question I would ask to the individual responsible for your Epic or your Cerner application: what are you doing to physically isolate that, from an infrastructure perspective, from the rest of the organization? What safeguards do you have in place that keep that data isolated so it's less susceptible to an impact of, say, an email system breach or someone sending a malicious Word document, or something like that. And these are questions that we generally ask each other in terms of larger IDNs and how they fix their data. And I think it's appropriate to ask those same questions when you talk to an HIE. What are you doing to keep my data and all this other clinical data physically isolated from other areas that are probably more prone, or where there are more opportunities for nefarious things to happen within? Email obviously being one of the worst things that can happen to any organization. Right. But I think you would ask the same questions and you'd want good answers.

Nick VanDuyne: [00:23:34] You want to know that ideally it's on a separate network and it requires additional controls to be accessed. And your email server just has no way for it to be routed to it, et cetera, et cetera. So I think those types of questions really play out, whether it's with your HIE or within your own internal organization. And you should ask them. You should challenge your HIE to ensure that they're thinking more broadly than just, hey, we got your clinical data, we really want to help you, right. I don't know if you saw the city of Albany was under ransomware. They say it affected both city facilities and potentially some of the police applications. You run into questions like that is why would the police applications be on the same network as say, city facilities or general email? I mean, you can ask all these types of questions and figure out was it a total cost of ownership versus return on investment, and people were willing to take the risk instead of mitigating the risk? So it's the tough questions to ask. But you should always ask some of your HIE, just like you should ask them of any vendor or anyone you're participating with. 

Brian Selfridge: [00:24:52] Now, a lot of these HIEs, like most new healthcare I.T. solutions hitting the market, are based on some form of cloud technology, cloud-hosted infrastructure; your Azures, Office 365 are just taking over the world right now, which is wonderful for a lot of reasons and even for a lot of security reasons. But I'm curious if you have had to look at the security controls and approaches that you take any differently in cloud-hosted environments versus traditional on-prem environments for HIEs or otherwise. Are there any areas that need to be prioritized or areas that you've had to look into or that you've learned in the cloud ecosystem that you'd be willing to share with us that might be different from the traditional environments that we've dealt with in the past?

Nick VanDuyne: [00:25:46] Yeah, I've done a lot of research into cloud. And just, full disclosure, we're not in the cloud, but we've done a lot of legwork, because you're talking about potentially disaster recovery. The cloud is awesome. The cloud has a lot of, you know, from a budgetary perspective, there's a lot of things that we could talk about. I'll set that aside for right now. I think the biggest issue that you sort of run into in the cloud is understanding the whole concept of security. So right now you have 800-53, and you want to make sure that your cloud provider is FedRAMP authorized. Which then sounds really great, but if you really dig into it, you've got to look at 800-37, and you've got to look at the whole risk management structure and ensure that all of that information gets put into a contract, because that's not necessarily going to be in the contract. Right. So if you look at, like, AWS, we can go out and there's an online artifact you can sign for a BAA; you're still not really covering all those risk management pieces.

Nick VanDuyne: [00:26:59] These cloud providers, let's be clear, they want to indemnify themselves and protect themselves as much as possible. So you have to be really clear about what goes into the contract and what they're responsible for. We've done so much research, and one of the things that we have yet to be able to find right now is, let's say you're on Azure and a drive goes bad. Right? And they replace that drive. That's great. We've yet, with the big three, to be able to determine whether or not, A, they would actually notify you the drive went bad, B, let you know that that drive was actually destroyed, and C, what measures were taken to actually destroy it. So some of those sort of like media disposal issues and things as well come into play. And all of that, I believe, really has to be looked at in terms of what you're going to list in the contract and how you're going to cover all that. It's a challenge. It really is a challenge, because they do have some fabulous inherent security. The fact that you can expand and contract your infrastructure as required is an excellent piece of it. But I think what really gets lost in there is contractually what are you obligated to and how much insight do you really have into some of the sorts of deeper issues around maintaining your environment.

Brian Selfridge: [00:28:33] I've also noticed recently that I think one area that gets overlooked is the sort of geographical location of data as well with cloud-hosted providers. We had our sister company, Corl Technologies just did a study recently and found that 12% of business associates and vendors that have cloud-hosted ecosystems are storing that data outside the continental US. And so you start looking at, you know, OK, well, where is it? And then all of a sudden you look at these new regulations like GDPR out of the European Union, where if the data is hosted over there, all of a sudden you've got this whole slew of other laws and regs that come into play. Is that something in your research that you've seen or do you even worry about things like GDPR and these other regulations that may be overseas but all of a sudden could come into scope depending on where the data goes? 

Nick VanDuyne: [00:29:24] Well, first, let me go on record saying I love GDPR. I wish the United States had its own version of it. But in terms of here in New York State, the DOH actually refuses the ability for offshoring. So whether it's offshoring my data to be stored outside the continental US or outside the 50 states, I don't really know of any data centers in Alaska and Hawaii, we're not allowed to do that. Not only can we not store our data outside of the United States, we cannot have our data accessed by anyone outside of the United States. So even some of our support contracts, which have engineers that live in Canada, those individuals cannot access our system. So we're very cautious about that. We did look at our research, we saw that you can designate or request that your data stay within a particular hosting region. So like for AWS, I think they call it EastWest, and I think the data centers are Ohio and it might be Utah. Don't quote me on that. I'm not sure, but that you can actually request which data center your data stays in. So I think, again, going back to what gets put into the contract, that's one of those items that you have to look at and be clear on. Even in terms of support, you have to make sure that if you're being supported, that you're only being supported by someone in the US. So you have to make sure that there's some type of control in place where you can either block access or by policy or contractually, the organization is only allowing people in the US to access your data. And it is a lot to think about. It really is, and it becomes extremely difficult when you talk about these basically large spider webs of infrastructure that are out there in the cloud. 

Brian Selfridge: [00:31:38] I'd like to switch gears a little bit with you, Nick, and nerd out a little bit on the technical aspect of things. So my apologies to many listeners that don't enjoy too much of the technical talk. We'll be brief, don't worry. So I want to talk about healthcare protocols and standards, particularly we used to deal with, and we still do, the predominant healthcare data protocols around HL7 or DICOM Imaging as being sort of the standard way of pushing healthcare data around from system to system. And then, those standards have evolved a bit. We now have newer standards for HIEs and RHIOs and other functions like direct messaging and others. And I know you've been deep in all of this. Do any of these protocols from a security standpoint, if there's security officers out there, should we be keeping our eye on the ball with respect to new protocols that are coming out? Any of these protocols better or worse, are the old ones better or worse? Are the new ones better or worse from a security standpoint, from what you can see out there? 

Nick VanDuyne: [00:32:40] Well, I would say to the best of my knowledge, no one is ever embedded a virus or malware into an HL7 message. So love HL7, still love HL7. I'm willing to bet the farm that it's around for at least another 10 years. So it's a great protocol. It's hardy. It does what it's supposed to do. And that one, I think is great. It will be around forever. And really, I'm not too worried about that one. DICOM, again, been around for a long time, but, in and of itself, once you get past the depth, the DICOM header, and everything, in there is still a JPEG, and someone could nefariously embed something in the JPEG. You should be aware of that, like who you're communicating DICOM images with, and make sure that you understand as you're going through these teleradiology systems, and we're sending data back and forth, whether it's teleradiology, teleneurology, telecardiology, what are the security structures on the other side? Because, again, not that I'm aware that anyone has actually embedded a virus inside of a DICOM image, but because at the heart, there is an underlying JPEG in there. It's potentially possible. Direct, I'm not crazy about. Particularly for those who use direct messaging, email, and attachment, so you've basically taking the whole concept of here's an email, here's an attachment, and we've taken everything that goes woefully wrong with general email, and we've added it into the healthcare environment. Now, quote un quote, everyone has to be Direct Trust certified, you have to have a certificate, et cetera, et cetera. But that still doesn't stop the fact that someone could, if they chose to, put an attachment with malware into a direct message and send it off to somebody. My personal belief is if you're going to use Direct, you should be XDR to your HISP. This way, you know it's only an XML document coming in. You don't have to worry about any EXE embedded in there. And if it is, it would crash your XML parser on the way in. 
So I think there are steps you can take. Again, not crazy about Direct. Never been a Direct fan. Sure, some folks out there probably do not like me right now, but what can I say? 

Brian Selfridge: [00:35:12] Somebody's got to go on record. You bring up an interesting point about the DICOM stuff, too. So we do a lot of penetration testing, ethical hacking-type stuff. And I've been amazed at how much misunderstanding there is of how much is embedded in DICOM images. So, for instance, I've found CDs laying around in open patient care areas with hundreds and thousands of DICOM images on them, and in other sorts of file shares in places where they're just laying around. If you, you know, right-click or open a DICOM image in a DICOM reader, there's often the Social Security number or the patient diagnosis. There's the payer information. It's like everything's in that image for care purposes. But I don't think that's always quite understood. It's like, well, it's just a picture of a femur or something like that. It's got everything in there. 

Nick VanDuyne: [00:36:04] It's got Brian's name, address, date of birth. Right. And the fact that it's his left femur, not the right. 

Brian Selfridge: [00:36:10] That's right. Well, as long as they're not working on the wrong one, that's what's most important, of course. I always joke in healthcare, we're in risk management, and security room risk management, but the real risk management is don't cut the wrong leg off or something like that. 

Nick VanDuyne: [00:36:25] That's true.  

Brian Selfridge: [00:36:27] So, do you know if there are any new standards coming down the works? And I apologize for maligning Direct on this, I'm sure there are all sorts of benefits, we'll get over it. But is there anything else coming down the pipeline that you've seen that might be sort of the next wave to watch out for on the standards side of things? 

Nick VanDuyne: [00:36:48] Well, I mean, there's RSNA, the radiology group, that has been putting a big push on XDS-I, which is their Image Share initiative. So it takes the IHE profiles, and it extends them out to image sharing. Yeah, I think there is a lot of value there in terms of folks don't have to worry about, do I need twenty-five different viewers? Do I have to have access to twenty-five different radiology centers? And I think that's really going to be a big one. I mean, because imaging really, people don't realize how much of healthcare is done in imaging these days. Right. And we talk about radiology, we talk about imaging, but it's really radiology, it's cardiology, it's neurology, it's OB/GYN, and on and on and on. Right. So even now, your ECGs can be embedded in a DICOM wrapper and sent off for someone else to view. So there's just so much, and I think XDS-I is really something we need to keep an eye on. I think that it's really going to come down the pike, and it'll have the same concerns that we have with DICOM images, but it also takes in some of those IHE profile concerns we have to have. And I think it's really important. One of the things that I find interesting is PCI DSS has really said, like, TLS 1.0 shouldn't be used anymore. I want to say, I think they put the deadline on it June or July of last year. Again, don't quote me on the date, but TLS 1.0 is actually something that's still fairly frequently used within the healthcare industry. And we were a little bit behind, I think. I see PCI DSS as sort of a benchmark. And if they say it's time to go, then we should all be saying it's time to go. So that's a bit of a concern for all of our secure web services transactions. 

Nick VanDuyne: [00:38:48] FHIR, we all talk about FHIR. I think FHIR has a place. I think the unique thing about FHIR is it really requires a good data repository and then the ability to make sure that you're building everything, not only FHIR-capable, but that you're following OWASP web security development protocols. And you take caution to make sure that everything works properly. But again, that's single-use stuff. I'm really excited. I think there's some work going on now in terms of sort of batch movement of data with FHIR. I think that's really going to be incredibly useful when you're looking at making multiple connections and you're trying to do value-based payments or HEDIS measures, and you're trying to pull together a bunch of data from a bunch of different places. And instead of trying to pull back one hundred thousand CDAs, you're just pulling back a hundred thousand snippets of information. So I think there's some big use there. Again, it's all web services, so we're always inclined to have all the issues there are with web services, and we really need to kind of pay attention to that. One of the things I found a little interesting in terms of healthcare is, a lot of people in healthcare, when you talk about OWASP, they don't even know what it is, in terms of building secure web programs and sort of having a framework to do that on. I found it interesting that it's not a common conversation piece in the healthcare development industry. 

Brian Selfridge: [00:40:28] Well, while we were talking about the future here and what's coming down the line, some of us are relatively fresh off of the obligatory annual HIMSS conferences where we've got fifty thousand vendors with all kinds of new products and technologies and solving every problem that we could possibly ever imagine with technology. And it's a very exciting place to be but a bit overwhelming, perhaps. What do you have your eye on some of the emerging technologies in the healthcare I.T. space generally that you think are really going to be potential game-changers going forward? And that could be for HIEs or maybe just more broadly. Does anything get you excited and wow you out there that's hitting the market? 

Nick VanDuyne: [00:41:10] Oh, yeah. I think there are really sort of two areas that, to me, are incredibly interesting. One is patient engagement in the home. And I'm not talking about just the web portal. I'm talking about, you've got the chronic comorbid, you've now got the ability to get their height, weight, blood glucose, pulse ox, spirometry reading, blood pressure, all at home, all from calibrated equipment that allows you to manage chronic comorbidity at home and sort of avert the ED visit by putting in the appropriate amount of artificial intelligence to say, hey, you know, these parameters have now put this patient at risk. So I think that's huge. Right. I think the companies that are on the cutting edge of that and really putting together not only the data consumption but the risk management structure around it, I think they're the ones that are going to win the day five years from now. Those will be the companies that everybody will be going to, wow, look at those guys. They're amazing. 

Nick VanDuyne: [00:42:19] The other piece that I think is really interesting is the folks who are building out these sort of untethered patient portals. So there are folks out there who are saying, hey, you know what, we're going to be a patient portal, but we're not going to be tied to a particular hospital or a particular system. We're going to build in all the profiles and protocols. So we're going to identity-proof you, and we're going to allow you to figure out how to join, get connected to, we'll figure out how to get connected to your facilities based on the information you gave us. And then you're able to begin to pull all your data back into the system, look at it yourself, share it via Direct or some other mechanism with a new provider, allow proxy view for your daughter or your son if you're elderly and you're looking to make sure that someone's got medical proxy for you. 

Nick VanDuyne: [00:43:19] I mean, I think these are the things that are really happening. And I think this is really the amazing part of health I.T. that's incredibly, incredibly exciting. But then I think we're also going to see a lot of issues, because on the other side, you are going to end up at some point in the hospital. We're going to have all this, what I believe is personalized medicine, that's going to come out based on DNA and understanding different markers that make people susceptible to different things, and also give you customized or personalized care plans based on your DNA structure. But now you also have all this other information that has to be protected, and volumes upon volumes of it. And I think there's just so much on both ends of the spectrum that is going to happen. But I believe mostly that we're really going to see healthcare, as it's begun to move away from the hospital, I believe that we're going to see that happen at an accelerated pace over the next couple of years. And we really need to be on top of how we're collecting that data at the personal level, how we're securing it, and making sure that it's accurate and actionable. 

Brian Selfridge: [00:44:30] Well Nick, I wish we could continue talking on and on, and I would love to do so. But I want to be respectful of your time here. And thank you so much for taking the time to join us. It's been a real pleasure to talk with you about where we are today and where we're headed going forward. So I'd like to thank my guest, Nick VanDuyne, who is the executive director at New York Care Information Gateway. Nick, thanks again so much for joining us. This was a great conversation. 

Nick VanDuyne: [00:44:56] Thanks for having me, Brian. It was a great time. Thank you. 

Brian Selfridge: [00:45:01] Again, I would like to thank our guest, Nick VanDuyne, who is the executive director at New York Care Information Gateway. I very much appreciated Nick's insights on securing patient information across health information exchanges, as well as helping us think through some ways to secure emerging technologies and healthcare going forward. As always, we would like to have your feedback and hear from you, our listeners. Feel free to drop us a note about what topic you would like to hear about or a thought leader you'd like to hear from. Our email address is [email protected]. We look forward to having you join us for the next CyberPHIx podcast coming soon. Thanks so much.