With all the focus on confidentiality and privacy, what about health IT availability?

Most of the major information sharing initiatives under development today use integration patterns that assume most data will be accessed from the authoritative systems or organizations where it resides, rather than copied into some sort of centralized data repository. Both federated and distributed integration models leave data owners in charge of their own data, able to control (through authentication and authorization methods) what information is shared with other organizations and which requests for information receive a response. Without a central operational data store there is also less infrastructure, and fewer services, to establish, manage, and oversee in support of exchanges using these patterns. For these and other reasons, high-profile information sharing initiatives such as the Nationwide Health Information Network (NHIN) are working to implement appropriate technical and policy measures to secure health information exchanges between authenticated participants over the Internet, but those security measures are focused entirely on protecting confidentiality (including safeguarding privacy) and data integrity.

In an operational vision where health care is supported by real-time requests for patient record data that may be stored in many disparate systems, ensuring the accuracy and completeness of the information retrieved requires attention to availability as well: a record assembled from whichever sources happened to answer is not the complete record. Much recent attention in the health IT community has instead gone to organizational security practices such as risk assessments, which are required under the HIPAA security rule and specified as a measure of "meaningful use" for health care providers seeking the EHR incentives available under the HITECH Act, and to the perhaps surprising proportion of covered entities that do not conduct such assessments on a regular basis.
Similarly, as the HIPAA security and privacy requirements strengthened by the HITECH Act took effect this week, many healthcare organizations remain insufficiently prepared to comply with them. A recently released report from IT analyst firm Forrester Research on server availability highlights how commonplace system outages are among healthcare organizations and points to the resulting absence of reliably high availability as a key vulnerability for successful use of health IT. It is logical, bordering on obvious, that an integrated system for information exchange and retrieval that reads data from its source is only as reliable as the least available of those sources: a query that fans out to many systems returns a complete answer only if every one of them is available to respond when queried. This inherent weakness of a distributed integration model is only exacerbated for health information exchange over the NHIN, because the core network infrastructure is the public Internet. Forrester concludes that cost is the primary barrier to higher-availability health IT systems. That the meaningful use measures and criteria developed for the EHR incentive program say nothing about EHR system availability (in the sense of system uptime and accessibility) is a further indication of how little attention this element of the "CIA triad" at the core of contemporary information security receives.
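To make that dependence concrete, the following is an added example, not part of the original post and not code from the NHIN or any named vendor. It simulates a federated patient-record lookup fanned out to several authoritative sources, each with an assumed per-query availability; the source names, availability figures and records are constructed for illustration. It shows the two points made above: the probability that every source answers is the product of the individual availabilities (ten sources at 99% each already yield only about 90% complete answers), and a result assembled from whichever sources did answer should carry an explicit completeness flag instead of being mistaken for the full record.

```python
"""Added example: federated record lookup where the answer is complete only
when every authoritative source responded.  All sources, availability figures
and records below are constructed for illustration."""
import random
from dataclasses import dataclass, field
from math import prod


@dataclass
class Source:
    name: str
    availability: float   # assumed fraction of queries this source answers
    records: list         # constructed sample records held by this source


@dataclass
class QueryResult:
    records: list = field(default_factory=list)
    unavailable: list = field(default_factory=list)  # sources that did not answer

    @property
    def complete(self) -> bool:
        """True only if every queried source answered."""
        return not self.unavailable


def composite_availability(availabilities):
    """Probability that every source answers a given query, assuming
    independent outages: the product of the individual availabilities."""
    return prod(availabilities)


def federated_query(sources, patient_id, rng=None):
    """Fan a query out to each authoritative source.  A source that is down is
    recorded in `unavailable` instead of being silently skipped, so callers
    can tell a partial answer from a complete one."""
    rng = rng or random.Random()
    result = QueryResult()
    for src in sources:
        if rng.random() < src.availability:   # simulated up/down outcome
            result.records.extend(r for r in src.records if r["patient"] == patient_id)
        else:
            result.unavailable.append(src.name)
    return result


def complete_rate(sources, patient_id, trials, seed=0):
    """Monte Carlo estimate of how often a query gets a complete answer."""
    rng = random.Random(seed)
    hits = sum(federated_query(sources, patient_id, rng).complete for _ in range(trials))
    return hits / trials


# Ten constructed provider systems, each assumed to answer 99% of queries.
SOURCES = [
    Source(f"provider-{i}", 0.99, [{"patient": "P1", "note": f"encounter at provider-{i}"}])
    for i in range(10)
]

if __name__ == "__main__":
    print("per-source availability 0.99, ten sources")
    avail = composite_availability([s.availability for s in SOURCES])
    print("P(all sources answer) =", round(avail, 3))
    print("observed complete-answer rate =", complete_rate(SOURCES, "P1", 5000))
    r = federated_query(SOURCES, "P1", random.Random(42))
    print(f"{len(r.records)} records, complete={r.complete}, missing={r.unavailable}")
```

The design point is the `unavailable` list on the result: a consumer such as a clinician-facing application can then display "partial record, provider-3 did not respond" rather than presenting an incomplete history as complete, which is the accuracy-and-completeness failure the distributed model invites when availability is ignored.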