- By John Fraser
How does a hospital know that a request for medical information from another hospital is a valid request, and not a forgery? How do healthcare providers electronically transmit messages to each other in a secure, encrypted format?
In the past, there has been little need to electronically connect hospitals and clinics together, as most medical records were paper-based. As healthcare as a whole moves to electronic medical records, the sharing of medical records becomes a critical part of modern healthcare practice. Health Information Exchanges (HIEs) are focused on helping groups of providers connect to share electronic medical information. But what is being shared, how is it being shared, and is it secure?
Most HIEs and individual providers use simple messaging, such as HL7 messaging for clinical information, NCPDP messages for e-prescribing, and ANSI X12 messages for the HIPAA transactions for medical records and billing information. These healthcare messages are simple text files with very rigid formats, so different systems can send and receive them and understand their contents. The messages, or text files, are not encrypted when produced, however.
To ensure privacy and security, a provider could utilize a VPN (Virtual Private Network) or secure web connections (HTTPS), usually over the Internet, to secure and encrypt this healthcare messaging. VPNs and HTTPS connections provide good security, but scaling these connections isn’t popular due to the cost and the complexity of supporting up to hundreds of individual connections. Note: this scaling problem is often called the “N squared” problem. This means that, roughly speaking, if you need to connect 10 hospitals, all 10 will need 9 connections to the others, or roughly 10 x 10 = 100 connections. With 100 participants, you would need over 5,000 connections!
As medical information becomes computerized, most message sharing still uses the VPN technologies described above. Although VPNs are considered secure, the growing number of them, the difficulty of managing multiple connections, and the lack of any authentication between VPN infrastructures make this approach unlikely to scale to a national network level. Poorly configured or misconfigured VPN systems can negatively impact patient privacy, allowing unencrypted communications to accidentally flow over the Internet. In addition, VPNs encourage a centralized approach to connecting large numbers of players, given the “N squared” problem. This can lead to centralized databases drawing the attention of hackers, or a centralized switching system that could be hacked and the messages intercepted.
The solution to this problem is NHIN, the federally backed, standards-based Nationwide Health Information Network. NHIN has taken a more global approach for connectivity and security, and a better design for connecting all of healthcare.
Be sure to read next month’s article as we continue this discussion and cover the topics of security and scalability of NHIN vs. VPNs and other connectivity methodologies!