What is TEFCA? Explaining New Cybersecurity Mandates for Health Data Exchange
Published On October 24, 2022
TEFCA stands for the Trusted Exchange Framework and Common Agreement. It is a US federal government initiative from ONC designed to establish a secure standard model for healthcare entities to exchange health information across the country.
Prior to TEFCA, individual healthcare providers and Health Information Exchanges (HIEs) needed to partner with one another to establish the infrastructure for exchanging health data including legal, compliance, security, privacy, technical, procedural, and other factors.
The final version of TEFCA, published in 2022, provides a single set of rules of the road and an “on-ramp” to federal health data exchange. Healthcare organizations that wish to join the party must apply to become a Qualified Health Information Network (QHIN) and adhere to certain requirements including cybersecurity provisions.
This blog explores the cybersecurity requirements necessary for healthcare organizations to become a QHIN and plug into the national network of health information exchange facilitated by ONC’s TEFCA program.
Note: There are many other health data exchange requirements in TEFCA that are outside the scope of cybersecurity and this blog post. You can read up on the full set of TEFCA requirements in publications from ONC and the private organization coordinating the effort via the Sequoia Project.
What are the Cybersecurity Requirements for TEFCA?
Of the two documents, the Common Agreement includes the most relevant cybersecurity mandates. ONC’s partner organization, the Sequoia Project, also published a Standard Operating Procedure (SOP) document that provides additional detail and guidance for TEFCA cybersecurity mandates.
The core provisions for the CA and SOP include the following criteria:
1. Third-Party Certification – Organizations must “achieve and maintain third-party certification to an industry-recognized cybersecurity framework”. HITRUST, specifically the HITRUST r2 certification, has been selected as the only certification approved to qualify for QHIN status thus far. However, any certifying body that can adhere to the requirements listed in the SOP may be considered for inclusion in the approved list. You can keep track of that approved list here.
Meditology Services is an authorized HITRUST Assessor Organization and is the healthcare industry’s leading provider of cybersecurity certifications including HITRUST and SOC 2 certifications. Contact us to learn more about our HITRUST experience which includes certifying many of the nation's leading health information exchanges and QHINs.
2. Annual Technical Audits (Security Risk Assessments) – Organizations “must obtain a third-party security assessment and technical audit no less often than annually” and “must also provide evidence of compliance with this section and, if applicable, of appropriate mitigation efforts in response to the findings of the security assessment and/or technical audit within thirty (30) days.”
The SOP further specifies that the annual security risk audits must be completed by a qualified third party and include security control requirements consistent with HIPAA and NIST. Specifically, the assessments must use the NIST CSF, “specifically all categories in the CSF and NIST 800-171 are required, with technical audits conducted using NIST 800-53 moderate as a reference” and the “requirements of the HIPAA Security Rule including HIPAA security analysis (consistent with §164.308(a)(1)(ii)(A)).
Meditology is the healthcare industry’s leading provider of Security Risk Assessment (SRA) services. Our security risk assessments are aligned with the HIPAA Security Rule and NIST standards including the NIST CSF, SP 800-171, and SP 800-53. Meditology also serves as the HIPAA expert witness firm for the Office for Civil Rights (OCR).
3. Penetration Testing – Organizations must conduct “comprehensive internet-facing penetration testing” at least annually.
Meditology provides a full range of penetration testing services tailored specifically to the healthcare industry and designed to satisfy TEFCA requirements. Our services include, and are not limited to, network penetration testing, application security testing, cloud security testing, and vulnerability scanning.
4. Chief Information Security Officer (CISO) – Organizations must “designate a person to serve as its CISO for purposes of Signatory’s participation in QHIN-to-QHIN exchange.
Some healthcare organizations including Health Information Exchanges are not large enough to acquire a dedicated Chief Information Security Officer. Meditology offers Virtual CISO (vCISO) services which we have deployed at Health Information Exchange and QHIN organizations to satisfy the CISO requirement.
5. Internal Network Vulnerability Assessment – Organizations must conduct an “internal network vulnerability assessment, including review of the results of vulnerability scans and review of patch and vulnerability management records of its systems and applications.”
Meditology provides vulnerability scanning as a service to help healthcare entities identify and remediate known security gaps in alignment with TEFCA requirements.
6. Cybersecurity Council Membership – The Recognized Coordinating Entity (RCE), which is the Sequoia Project, must establish a Cybersecurity Council that is chaired by the RCE CISO and includes membership from QHIN CISOs. QHINs must routinely report the cybersecurity status of their programs to the council.
7. Confidentiality of Information – The RCE and all QHINs must maintain the confidentiality of any security-related information shared as part of the Cybersecurity Council or otherwise.
8. Encryption – Organizations are required to “encrypt all Individually Identifiable information held by Signatory, both in transit and at rest.”
9. Security Incident Notifications & Disclosure – “As soon as reasonably practicable, but not more than five (5) calendar days after determining that a TEFCA Security Incident has occurred, Signatory shall provide notification to the RCE and to all QHINs that are likely impacted.” Organizations must further “implement a reporting protocol by which other QHINs can provide Signatory with notification of a TEFCA Security Incident.” Organizations must also “provide information to aid the efforts of other QHINs or their respective Participants or Sub Participants to understand, contain, and mitigate a TEFCA Security Incident at the request of such other QHINs or their respective Participants.”
Organizations must also notify affected individuals in the event of a breach. “Such notification must be made without unreasonable delay and in no case later than sixty (60) days following the discovery of the TEFCA Security Incident.”
10. Subcontractor Security – Organizations must ensure that “agents and subcontractors implement the applicable security requirements set forth in the CA and the associated SOPs”. This is a simple provision in concept but can be very difficult to implement in practice.
Meditology offers comprehensive third-party risk management (TRPM) services for healthcare organizations to satisfy this TEFCA requirement. We offer tech-enabled managed services for TPRM via our sister company, CORL Technologies, the healthcare industry’s leading provider of third-party vendor risk services.
11. Cybersecurity Insurance Coverage – Organizations must “maintain, throughout the term of this Common Agreement: (i) a policy or policies of insurance for cyber risk and technology errors and omissions; (ii) internal financial reserves to self-insure against a cyber incident; or (iii) some combination of (i) and (ii).”
For more information on TEFCA, you can also watch the free replay of the webinar from CORL Technologies which features Meditology’s CEO Cliff Baker discussing TEFCA with leadership from the ONC, Sequoia Project, and EHNAC standards body: Interoperability & 21st Century Cures Act | Who Can You Trust?
Contact our team here at Meditology to learn more about how we can help you better understand and comply with TEFCA requirements for your organization or your partners and subcontractors engaged in health data exchange.