HHS to stand up its own version of the NCCIC for health

The Health and Human Services Department is taking a page out of the Homeland Security Department’s book, as it tries to coordinate and secure the ever-growing and complicated world of mobile health IT.

HHS will soon stand up its own version of DHS’ National Cybersecurity and Communications Integration Center (NCCIC). The center will educate health organizations and consumers about the risks of using mobile applications and data.

The Health Cybersecurity and Communications Integration Center (HCCIC) should achieve initial operating capability near the end of June, said Chris Wlaschin, chief information security officer for HHS.

“HHS is building a health care information collaboration and analysis center, just like the NCCIC, only focused on health care,” he said during an April 20 panel discussion at the ACT-IAC Mobile Health Forum in Washington. “We’ve provided grants to the National Health Information Sharing and Analysis Center to encourage a broad participation … that not just tries to reduce the noise — there’s so much noise out there about cyber threats to security and privacy — but to analyze those and deliver best practices and the two or three things that a small provider, a small office, a doc in a box can do to protect his patient’s privacy and information security around those systems.”

Sign up for the online chat with Air Force Deputy CIO Bill Marion II on May 9, at 10 a.m. (EDT).

Advertisement

HHS sees this kind of collaborative partnership as a logical step, as about 50 percent of U.S. health care organizations lack the adequate tools to deter and manage cyber breaches, according to a 2016 Ponemon Institute study. And as mobile health apps become more prevalent, the department also sees the HCCIC as opportunity to work with developers to help them more securely safeguard patient data.

“A patient doesn’t want to sign … a long electronic consent form, especially when they’re in crisis,” Wlaschin said. “They want access to health care. The services, the apps, the systems we design and approve, should deliver that.”

The Centers for Medicare and Medicaid are looking into a similar concept. Mark Scrimshire, the innovator behind the CMS Blue Button initiative, said his team has written an application programming interface that would let health application developers verify their security with a trusted source.

“Every single data holder in the industry has this problem of who do they trust with the keys,” he said. “What we’re trying to do is say, ‘Let’s try and sort this out as an industry.’ We’ve actually put together code to allow the technologists to do it.”

Patients often sign long consent forms without knowing exactly how the company behind the app uses or protects their data, Scrimshire added.

“The patient is the Achilles heel of the health care industry,” he said. “They are the only entity that is legally mandated to have a right to their data. What we’re trying to do is take the data that’s currently released today in the Blue Button text file format, which is awful to deal with, into something that’s much more manageable and really kick start the industry.”