Anyone who has needed to schedule an appointment with a new doctor or meet with a specialist knows the hassle of making sure everyone in the health care chain has access to your health records. Digital record-keeping has made that a little easier, but that access still isn’t universal. Digital health care interoperability can still be a challenge.

That should all change in 2022 when the Trusted Exchange Framework and Common Agreement (TEFCA) goes live. The Department of Health and Human Services Office of the National Coordinator for Health IT (ONC) is driving the effort, which will define “a common set of principles, terms and conditions to support the development of a Common Agreement that would help enable nationwide exchange of electronic health information (EHI) across disparate health information networks (HINs).”

On the one hand, this is a much-needed advance. It can make it easier for health care workers and patients to share and access protected health information (PHI). TEFCA will also drive health care interoperability. On the other hand, TEFCA could present major challenges. It affects PHI security, data privacy and overall HIPAA compliance and health care interoperability and cybersecurity overall.

The Overall State of Health Care Cybersecurity

Health care cybersecurity is in a tenuous state. Attacks against the health care industry increased by more than 55% in 2020, according to a study from Bitglass, compromising the PHI of at least 26 million patients across the country. During the pandemic, one in three health care facilities had to deal with a ransomware attack, according to Sophos.

When it comes to data breaches, health care has paid a price beyond any other industry. IBM’s Cost of a Data Breach report found the average total cost of a data breach in 2021 is $9.23 million, almost $2 million more than the cost in 2020. The costs jumped $1 million when remote work was a factor in the breach. One in five breaches involved remote workers.

“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” Chris McCurdy, vice president and general manager, IBM Security, told HIPAA Journal.

How Health Care Interoperability Impacts Security

When TEFCA goes into effect, the change will lead to greater data access and a stronger reliance on APIs. It also opens avenues for private vendors to connect with state and local health information exchanges (HIE).

The idea behind health care interoperability is to connect multiple networks with no effort by users. However, this could result in a security nightmare. ONC said TEFCA will “increase secure and appropriate access to data” to help. It will also follow HIPAA-defined payment activities and health care operations. However, there are still a lot of questions surrounding the overall privacy and security surrounding PHI. For example, who will the law hold responsible for data breaches and data privacy compliance violations?

For example, TEFCA use is voluntary. Individual municipalities may decide to forgo TEFCA for another HIE. However, someone will have to be held to account for a widespread data breach caused by a mutual third-party vendor. This interoperability of technology and cybersecurity not only needs to exist across a single organization but now also across HIEs.

Security and Privacy Is a Team Effort

As health care organizations move to adopt TEFCA, it will take a lot of teamwork and a lot of planning ahead to ensure security.

“Privacy and security teams must be involved from the planning and design stages to facilitate the inclusion of privacy and security requirements,” IAPP reported. Protocols must be put in place from the beginning. Third-party vendors and applications must provide full transparency into their security and data privacy compliance. Any steps already in use to apply HIPAA regulations to APIs and other technology infrastructure must continue in HIEs.

Health care interoperability is a logical next step in the digital transformation and as the pandemic crisis continues. Organizations must carefully put security protocols and systems into place before anything goes live, however.

More from Data Protection

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates.Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?[button link=""…

3 min read

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read

IBM Security Guardium Ranked as a Leader in the Data Security Platforms Market

3 min read - KuppingerCole named IBM Security Guardium as an overall leader in their Leadership Compass on Data Security Platforms. IBM was ranked as a leader in all three major categories: Product, Innovation, and Market. With this in mind, let’s examine how KuppingerCole measures today’s solutions and why it’s important for you to have a data security platform that you trust. The Transformation of the Data Security Industry As digital transformation continues to expand, the impact it has had on enterprises is very apparent when…

3 min read

SaaS vs. On-Prem Data Security: Which is Right for You?

2 min read - As businesses increasingly rely on digital data storage and communication, the need for effective data security solutions has become apparent. These solutions can help prevent unauthorized access to sensitive data, detect and respond to security threats and ensure compliance with relevant regulations and standards. However, not all data security solutions are created equal. Are you choosing the right solution for your organization? That answer depends on various factors, such as your industry, size and specific security needs. SaaS vs. On-Premises…

2 min read