Better Healthcare to be Driven by Standardization of Cyber Risk Management at the State Level

By Sean Martin, HITRUST® Independent Security Journalist

Earlier this year, the New York eHealth Collaborative (NYeC), in conjunction with the New York State Department of Health, announced and released its SHIN-NY 2020 roadmap, Improving Health in Our Communities, which defines the next phase of the Statewide Health Information Exchange for New York (SHIN-NY).

There is a lot of interest in this topic, including from the attendees of a recent HITRUST Community Extension Program event in Seattle. Many in the industry are curious to know where things are headed regarding what statutory entities are doing concerning standardized risk management throughout a State’s healthcare ecosystem. With the goal of providing better health services and better health care by embracing standards for cyber risk management, it seemed that now would be a good time to dig into this topic a bit more to understand what NY is doing – and how/where others are following suit.

A Deeper Look at SHIN-NY

SHIN-NY is the “engine powering New York’s digital health transformation” whereby it provides “a way for healthcare professionals to easily and securely share electronic health information.” This program will have a significant impact on the overall healthcare system in New York as it is the means through which the Empire State can “improve patient safety and care while reducing wasteful costs in the system.”

According to the roadmap, clinical information is currently being shared across the State through a “network of networks” consisting of eight Qualified Entities (QEs) and a statewide connector that provides the secure sharing of important clinical data from participating providers’ electronic health records (EHRs). Participants include hospitals, clinics, labs, radiology centers, ambulatory physicians, home care agencies, nursing homes, long-term care facilities, public health departments, health plans, behavioral health providers, DOH and Federally-Qualified Health Centers (FQHCs), among others.

“The strategies outlined in the Roadmap set the course for the ongoing evolution of the SHIN-NY and allow us to fully realize our goal of transforming healthcare in New York State through health information exchange,” said David H. Klein, Chair of the Board of Directors of NYeC; Professor, and Special Advisor to University of Rochester Medical Center in a recent press release.

With Electronic Information Sharing Comes Cyber Risk

Of course, once a set of network and Internet-connected computer systems and applications begins to collect and transmit data, this data finds itself at risk of loss, theft, tampering, and other accidental and malicious access and activity.

Recognizing this trend, new technologies, usability, interoperability and standards, and cybersecurity threats comprise half of the list of 8 driving forces behind the new SHIN-NY roadmap, where the highest security, reliability and up-time levels remain a top priority for the NYeC.

To address the risks associated with unauthorized access and/or use of electronic health information, NYeC and the SHIN-NY are set to leverage the fact that New York’s Department of Financial Services has already adopted some cybersecurity regulations and are responding positively to the many health plans in the state that are demanding elevated security requirements via a HITRUST® certification.

More specifically, SHIN-NY plans to require HITRUST certification for QEs and NYeC by the end of 2018. According to the roadmap:

“Beginning in state fiscal year 2018-19, performance payments to QEs will be based in part on achievement of the above metrics and goals. In 2017-18, an additional QE funding pool will be used to assist with attainment of HITRUST certification and there will be competitive pools focused on user connections, data contribution, and data quality. There will be additional measurement metrics that will be collected, reported, and analyzed regularly. NYeC is developing a provider directory to support these efforts.”

The goal is to securely provide access to patients’ electronic medical records wherever and whenever the providers (and patients) need it. For the program to succeed on a large scale, maximum participation is essential, hence the requirement for the QEs to participate. To maximize the value of the program, collaboration and contribution are encouraged among healthcare entities and stakeholders, including but not limited to:

  • Hospitals
  • Academic Medical Centers
  • Small Private Practices
  • Clinics
  • Physicians
  • Long-Term Care
  • Home Care
  • Hospice
  • Laboratories
  • Pharmacies
  • Public Health
  • Behavioral Health
  • Community-Based Organizations
  • Industry associations
  • Patient advocates
  • State agencies

More Than Risk Management: There’s Value to the Patients, Providers, and the Overall Healthcare System

Often, the topic of security focuses on the negative impact a lack of security can have. And, flipping the coin to the other side and looking at risk management, the story is often equally boring: making one seemingly expensive trade-off over another to prevent something bad from happening to the organization.

In this case, however, there is a notable return coming from this program where the state of NY is set to:

  • Expand its risk view across multiple standards and regulations (covering more with less)
  • Gain consistency in how it assesses its risk (reducing errors)
  • Drive efficiencies throughout the healthcare system (assess once, report many)

Comprehensive Reporting Across Multiple Regulations

With the HITRUST CSF®, Qualified Entities can assess and report against their risk level from multiple angles, including HIPAA, PCI-DSS, and even the New York State Department of Financial Services 23 NYCRR 500.

Gone are the days of looking at all of these standards and regulations as independent, disparate activities. Assessing all of them, together, represents a huge benefit to each individual entity and to the healthcare ecosystem as a whole, especially since this relatively new NY regulation places additional demands on third-party vendors, including healthcare providers—which are now indirectly covered by these new rules.

The HITRUST CSF harmonizes multiple standards and best practices—including these and others—to support a single assessment.

Consistency Throughout the Ecosystem

As the use of electronic health records spans the entire healthcare ecosystem, so does the need to have a consistent view of risk throughout this ecosystem. By having the ecosystem participate in the exchange with a consistent view of risk and a consistent reporting of risk, the exchange can get a much better view of the risk it holds. The single assessment report provided by the HITRUST CSF can be used by any and all risk and security management stakeholders such that they can have a consistent view and consistent conversations surrounding risk.

Efficiency: Assess Once, Report Many

As each entity in the healthcare ecosystem begins to assess and report on its own risk posture in support of this program, it’s almost certain that other entities within the ecosystem, the partners it does business with, will ask it to produce a similar set of reports for their own third-party risk management programs. The value of the HITRUST Third Party Assurance Program is that it streamlines third-party risk management by providing consistent, comprehensive assessments that may be reported out in multiple ways, to multiple parties.

In Closing

By capitalizing on these benefits, NYeC can move full steam ahead to embrace new technologies and processes in support of providing improved, more informed, and noticeably streamlined health services to its patients while reducing waste and improving efficiency throughout the healthcare supply chain.

“Ultimately, the SHIN-NY will create a 360°-view of a patient’s health, empowering them and their care team to create a treatment plan that addresses not only an illness or injury, but underlying conditions, medical history, and social determinants of health,” said NYeC Executive Director Valerie Grey in a statement made to Kate Monica at EHRIntelligence.

Learning More

The following resources are available to help you learn more about this topic.

NYeC / SHIN-NY Resources:

NY DFS NYCRR 500 Regulation:
SHIN-NY Roadmap:
SHIN-NY Roadmap 2020 Extended Presentation:

HITRUST Resources:

HITRUST Third Party Assurance Program:
HITRUST Community Extension Program:
Original date of publication December 13, 2017