Understanding Cybersecurity Requirements for TEFCA: A Comprehensive Guide

The Trusted Exchange Framework and Common Agreement (TEFCA) is a game-changer for healthcare data exchange in the US. By enabling participation across multiple Qualified Health Information Networks (QHINs), TEFCA streamlines the flow of vital patient information. However, this simplification comes hand-in-hand with heightened cybersecurity responsibility. Let's delve into the key TEFCA requirements that ensure the secure exchange of protected health information (PHI).

A Web of Responsibility: Cybersecurity for All Participants

Prior to TEFCA, individual HIEs (Health Information Exchanges) had to establish their own security protocols for data exchange. TEFCA changes the landscape by allowing participation from multiple QHINs. This interconnectedness necessitates a standardized approach to cybersecurity across all entities involved. The Sequoia Project, a non-profit organization instrumental in TEFCA's development, addresses this by outlining comprehensive cybersecurity requirements for all participants.

What is TEFCA?

TEFCA stands for the Trusted Exchange Framework and Common Agreement. It is a federal government initiative from the Office of the National Coordinator for Health IT (ONC). The goal of TEFCA is to create a secure, standard model for healthcare entities to exchange health information across the nation.

The Role of TEFCA in Health Data Exchange

Under the final version of TEFCA, healthcare organizations must apply to become a Qualified Health Information Network (QHIN) to join the nationwide health information exchange network. To achieve QHIN status, healthcare organizations must fulfill specific requirements, including several cybersecurity provisions.


Understanding TEFCA Cybersecurity Requirements

The Common Agreement of TEFCA and the Standard Operating Procedures (SOP) documents released by the Sequoia Project contain the most relevant cybersecurity mandates. Let's delve into the following core provisions:

  1. Third-Party Certification

    Organizations must achieve and maintain third-party certification to an industry-recognized cybersecurity framework. Currently, HITRUST r2 certification is the only approved qualification for QHIN status.

  2. Annual Technical Audits

    Organizations must obtain a third-party security assessment and technical audit annually. The audit must align with the HIPAA Security Rule and NIST standards, specifically NIST CSF and NIST 800-171, with technical audits conducted using NIST 800-53 as a reference.

  3. Penetration Testing

    Organizations must conduct comprehensive penetration testing of their internet-facing systems at least annually. These simulated cyberattacks help identify vulnerabilities in QHIN systems before malicious actors can exploit them. By proactively addressing these weaknesses, QHINs can significantly strengthen their defenses against real-world threats.

  4. Chief Information Security Officer (CISO)

    Organizations participating in QHIN-to-QHIN exchange must designate a person to serve as a CISO.

  5. Internal Network Vulnerability Assessment

    Organizations must carry out an internal network vulnerability assessment, including a review of the results of vulnerability scans and of the patch and vulnerability management records for their systems and applications.

  6. Cybersecurity Council Membership

    The Recognized Coordinating Entity (RCE), currently the Sequoia Project, must establish a Cybersecurity Council. The RCE CISO chairs the council, and QHIN CISOs must be part of the membership, regularly reporting their cybersecurity program status to the council.

  7. Confidentiality of Information

    The RCE and all QHINs must maintain the confidentiality of any security-related information shared as part of the Cybersecurity Council or otherwise.

  8. Encryption

    Organizations are required to encrypt all individually identifiable information, both in transit and at rest.

  9. Security Incident Notifications & Disclosure

    Organizations must notify the RCE and all likely impacted QHINs of a TEFCA Security Incident within five calendar days of determining that the incident has occurred.

  10. Subcontractor Security

    Organizations must ensure that their agents and subcontractors implement the applicable security requirements set forth in the Common Agreement and the associated SOPs.

  11. Cybersecurity Insurance Coverage

    Organizations must maintain a policy or policies of insurance for cyber risk and technology errors and omissions. Alternatively, they may hold internal financial reserves to self-insure against a cyber incident, or use a combination of insurance and reserves.


Upcoming TEFCA version 2.0 Updates

ONC is planning to publish Common Agreement Version 2.0 in the first quarter of 2024, which will include enhancements and updates to require support for Health Level Seven (HL7®) Fast Healthcare Interoperability Resources (FHIR®) based transactions. The upcoming TEFCA 2.0 update further strengthens security measures while simplifying participation for a more interconnected healthcare landscape. Here's a closer look at what's new:

  1. Security Stays Strong, But Adapts: Core security requirements remain robust in TEFCA 2.0. Patient privacy and data protection are paramount.
  2. Easier Connections, More Flexibility: TEFCA 2.0 streamlines connections. Participants can now connect directly, not just through a single QHIN (Qualified Health Information Network). Additionally, organizations can participate in multiple QHINs, as long as they use different systems for each connection. This enhances flexibility and fosters a more adaptable network.
  3. Encryption for All: Data security gets a major boost. TEFCA 2.0 mandates encryption of sensitive health data for all participants, including Health Information Exchanges (HIEs) and Business Associates (BAs). This extra layer of protection minimizes the risk of data breaches.
  4. Focus on Modern Data Exchange: TEFCA 2.0 embraces the future of healthcare data exchange by supporting wider use of FHIR (Fast Healthcare Interoperability Resources). This standardized format facilitates seamless data exchange, but requires additional identity verification steps to ensure security.
  5. Clearer Incident Reporting: TEFCA 2.0 clarifies incident reporting protocols. A "purple decision tree" helps determine if an incident falls under TEFCA or HIPAA reporting requirements, or both. This eliminates confusion and ensures timely notification of security breaches.
  6. Focus on Continuous Improvement: TEFCA 2.0 emphasizes ongoing security improvements. QHINs must actively address identified weaknesses and share this information with participants. This collaborative approach strengthens the overall security posture of the network.
  7. Non-HIPAA Entities Take Responsibility: Organizations not covered by HIPAA, like certain BAs, must now encrypt healthcare data at rest and in transit. This ensures a higher level of protection for sensitive patient information, even outside the traditional HIPAA framework.
  8. TEFCA and HIPAA: Working Together: TEFCA and HIPAA reporting requirements can sometimes overlap. The key factor is the type of data involved and its encryption status. TEFCA 2.0 clarifies these situations and avoids duplicative notifications to patients.

Overall, TEFCA 2.0 represents a significant step forward for secure healthcare data exchange. By simplifying connections, strengthening security measures, and promoting collaboration, TEFCA 2.0 paves the way for a more efficient and secure exchange of vital patient information across the US healthcare system.

Wrapping Up

As healthcare continues to evolve towards a more interconnected and data-driven landscape, compliance with frameworks like TEFCA becomes paramount. KPi-Tech, as a leading Healthcare Interoperability company, is committed to assisting healthcare organizations in navigating these intricate requirements seamlessly.

Our expertise lies in providing tailored solutions that align with TEFCA's stringent cybersecurity mandates, ensuring your organization not only meets but exceeds the necessary standards for secure health data exchange. From third-party certifications to annual technical audits and penetration testing, we offer comprehensive services that cover all facets of TEFCA compliance.

Furthermore, with the upcoming release of TEFCA 2.0 and its enhanced security measures, our team remains at the forefront of industry advancements, ready to guide your organization through the latest updates and requirements.

Partnering with KPi-Tech means gaining a trusted ally dedicated to enhancing your cybersecurity posture, streamlining data exchange processes, and fostering a culture of continuous improvement in healthcare interoperability. Together, we can build a resilient and efficient healthcare ecosystem that prioritizes patient privacy and data security while facilitating seamless information exchange across the nation.

Reach out to us today to discover how KPi-Tech can empower your organization to thrive in the era of secure and standardized health information exchange under TEFCA.
