Back to Intelligence

TEFCA Integration for Epic & SSA: Securing the New Disability Benefits Data Pipeline

SA
Security Arsenal Team
April 9, 2026
4 min read

Introduction

Epic Systems has announced that select health systems can now transmit patient medical records directly to the U.S. Social Security Administration (SSA) via the Trusted Exchange Framework and Common Agreement (TEFCA). While this integration promises to accelerate disability benefit determinations by up to 50%, it fundamentally alters the ePHI (electronic Protected Health Information) attack surface for affected organizations.

For defenders, this is not just a process improvement; it is a new external data bridge that must be treated with the same rigor as a third-party VPN or API integration. The automatic exchange of sensitive clinical data introduces risks related to data leakage, unauthorized patient matching, and the expanded attack surface presented by connection to a federal network. Security teams must immediately verify that their TEFCA exchange participants adhere to strict security baselines and that outbound data flows are explicitly monitored.

Technical Analysis

While this integration does not exploit a specific CVE, it introduces a new technical vector for ePHI exposure that relies on complex interoperability standards.

  • Affected Products/Platforms: Epic Systems EHR (specifically modules utilizing "Care Everywhere" and TEFCA-enabled gateways), TEFCA Qualified Health Information Networks (QHINs), and the Social Security Administration's adjudication systems.
  • Protocols & Standards: The exchange utilizes IHE (Integrating the Healthcare Enterprise) profiles, specifically Cross-Enterprise Patient Discovery (XCPD) and Cross-Enterprise Document Reliable Interchange (XDR), routed over the TEFCA network.
  • Architecture & Risk Surface:
    • QHIN Connectivity: Your organization connects to a QHIN (e.g., EpicShare, eHealth Exchange). The QHIN then routes the query to the SSA. This creates a daisy-chain of trust. If the QHIN is compromised or misconfigured, your ePHI could be exposed to unintended recipients.
    • Patient Matching: The automation relies on accurate patient demographic matching. Defensives must ensure that mismatches do not result in one patient's disability data being sent to another's file or accessed improperly by SSA staff outside the scope of the request.
    • "In-The-Wild" Status: This is a functional feature now active in production environments. The "threat" is the potential for misconfiguration (e.g., sending full records instead of required summaries) or the lack of auditing on these new automated outbound streams.

Detection & Response

Executive Takeaways:

  1. Map the Data Flow: Immediate identification of which Epic instances and specific departments (e.g., Disability Services) are enabled for TEFCA-SSA routing. You cannot protect what you cannot map.
  2. Audit Patient Consent: Validate that the system respects patient consent directives before transmitting data to the SSA. TEFCA routing does not override HIPAA Privacy Rule minimum necessary requirements; ensure your Epic configuration filters data strictly to what is required for disability adjudication.
  3. Implement QHIN Monitoring: Do not treat the QHIN connection as a "set and forget" firewall rule. Demand logs from your QHIN provider regarding successful and failed queries to the SSA, and correlate these with internal Epic access logs to detect anomalous bulk retrieval attempts.
  4. Review Data Minimization Settings: Work with Epic analysts to ensure that the Clinical Document Architecture (CDA) documents sent to the SSA do not include non-sensitive social history or behavioral health notes that are not pertinent to the disability claim, thereby reducing privacy liability.
  5. Incident Response Playbook Update: Update your IR playbooks to include TEFCA QHINs as a critical third party. If a breach occurs at the QHIN or SSA level, you must have a predefined communication channel to assess exposure of your organization's data.

Remediation

  • Configuration Verification: Access the Epic "Care Everywhere" admin console. Review the organization participation settings to ensure that external queries from SSA are only processed when explicitly initiated by a valid internal user request and that the query origin is verified.
  • Log Ingestion: Ensure that Epic Interconnect (Hyperspace) logs regarding outbound XCPD/XDR transactions are ingested into your SIEM. Look for high-volume queries from single SSA endpoints, which may indicate automated scraping or enumeration.
  • Network Segmentation: Ensure the servers hosting the TEFCA gateway components are segmented from the general clinical network and subject to strict egress filtering.
  • Vendor Advisory: Consult the EpicCare Interconnect Security Guide and the ONC TEFCA documentation to ensure your specific QHIN router version supports the latest security patches and TLS 1.3 standards.

Related Resources

Security Arsenal Healthcare Cybersecurity AlertMonitor Platform Book a SOC Assessment healthcare Intel Hub

healthcarehipaaransomwareepic-systemstefcaephidata-privacyhealthcare-it

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action
TEFCA Integration for Epic & SSA: Securing the New Disability Benefits Data Pipeline | Security Arsenal | Security Arsenal