Understanding the HIE's Privacy & Security Practices
Network
HealthInfoNet’s network is protected by a dedicated firewall, which denies any unauthorized connection attempts and maintains logs that are actively reviewed. The network is continually protected from and monitored for potential threats. It also has an intrusion prevention system providing a second level of security in the rare case that a connection to the network is made. This system prevents hackers from getting any information off the servers and immediately alerts the HealthInfoNet security team of unknown connections.
User Accounts
HealthInfoNet creates and manages all user accounts for individuals who have access to the health information exchange, maintaining three levels of user access (with only clinicians and their support staff granted access to patient information). After a user has been “authorized” by HealthInfoNet, they are securely sent login information and required to change their password immediately. Passwords must be unique and can only be reset by authorized personnel who can verify the user’s identity.
Data
HealthInfoNet uses a secure data center monitored with 24-7 surveillance and a security card access system. All data are sent through a VPN and encrypted using SSL-256 when transmitted. Personally identifiable information is encrypted at all times and stored separately from clinical data. The HIE portal is read-only and can be entered only through encrypted connections created by HealthInfoNet. All databases use encryption of data in motion and at rest, which ensures that in the unlikely event of a breach the data would be unreadable.
Audits
HealthInfoNet audits provider activity logs on a daily basis. All users, including their staff, have a uniquely identifiable account to maintain secure access and audit trails. Each participating provider site can also query these logs and provide activity reports to patients at any time. HealthInfoNet also performs an annual third-party audit and bi-annual penetration test to ensure all technology has necessary security measures in place and is compliant with all privacy and security requirements.
Policies
HealthInfoNet adheres to a wide range of policies related to privacy and security areas such as personal workstation security, risk analysis, access authorization, data protection, and audit procedures. The organization also maintains policies and procedures to respond to events such as a breach or other security incidents and threats consistent with state and federal law, including notification of patients.