NeHII recognizes that consumers are concerned with the security and privacy of patient information. Cognizant of that concern, this statement addresses the issues of integrity, confidentiality and availability as they encompass patient data and application services.
In recognition of stakeholder security concerns, the mission, vision and goals of NeHII explicitly state that a secure exchange of information is absolutely essential, with the understanding that information security involves protecting the integrity and confidentiality of the data.
The HIE application is very flexible allowing for security configuration options which can be uniquely modified to the specifications of NeHII requirements.
Access to the application is governed by IBM’s proven infrastructure for secure messaging. This authentication process screens and verifies both users and programs wishing to gain access. The process provides accountability and is the foundation for all security functions or requests.
Browser authentication is performed by Netscape Communications SSL v3 (Secure Socket Layer) protocol which provides communications privacy over the internet to prevent eavesdropping, tampering and message forgery between client/server applications. The application uses the strongest encryption allowed by both domestic and international regulations.
Application access is controlled using user names and passwords encrypted with SSL and a third party digital certificate provided by VeriSign. Password strength and change rules can be enforced based on particular customer requirements. Security within the application is further controlled using roles. Numerous roles can be defined – each with a unique level of security and access permissions as defined and regulated by HIPAA guidelines.
The application provides for a matrix of access configurations which include user roles, feature regulation (e.g. VHR, eRx), establishment of patient-provider relationships which determine access to restricted PHI (Protected Health Information), and workgroup-level security configurations. Development of an acceptable security model ensures security of PHI while enabling necessary and appropriate access (availability) to data.
All network traffic is encrypted using either SSL or VPN (Virtual Private Networks) and VPN gateways implemented with IPSec (Internet Protocol security) standards. The IPSec utilizes the most up-to-date and proven authentication procedures and encryption algorithms. As well, all network communications going into and out of the data center pass through redundant firewalls, limiting traffic to only specific IP addresses and ports.
A usage analyzer tool is available to allow NeHII administrators the ability to generate HIPAA and security audits within the HIE application. These audits will provide the ability for NeHII privacy and security officers to investigate patterns of usage and confirm adherence to HIPAA requirements.