The key to interoperability: safe, secure access to patient health data

April 5, 2021
Lee Barrett

Interoperability is only as secure as the weakest link in the information exchange chain.

Patient data needs to be free and aggregated in a single location, when needed, but that is nearly impossible in today’s siloed healthcare environment where information blocking is rampant. Often times electronic health record (EHR) system A doesn’t speak with radiology software B. Many transitions of care are still transmitted by fax. Mounds of paper documents are piling up. And legacy software systems don’t interact with current technology, leaving large gaps in a patient’s health record.

Giving patients unfettered access to their healthcare information is the impetus behind two federal efforts, the 21stCentury Cures Act and the Interoperability and Patient Access final rule (CMS-9115-F). Together, they are designed to enable the healthcare data ecosystem through application programming interfaces (APIs) that will allow patients convenient access to their records through smartphone apps and other electronic methods. The U.S. Department of Health and Human Services (HHS) believes this approach will increase the move toward value-based care, improving the quality of care while bringing transparency into costs and outcomes.

While these new regulations apply specifically to Medicare Advantage (MA), Medicaid, CHIP, and Qualified Health Plan (QHP) issuers on the Federally Facilitated Exchanges (FFEs), the reality is that all healthcare providers and vendors will need to meet the new standards. To facilitate common information access, the Centers for Medicare & Medicaid Services (CMS), in partnership with the Office of the National Coordinator for Health Information Technology (ONC), has selected Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) Release 4.0.1 as the foundational standard to support data exchange via secure APIs.

Most important for eligible providers and hospitals, CMS will publicly report entities that may be information blockingbased on attestation to certain Promoting Interoperability Program Requirements. The idea is that patients will gravitate toward those more likely to support electronic access to their data. CMS also is expected to report on providers who have not listed nor updated their digital contact information in the National Plan and Provider Enumeration System (NPPES), including secure digital endpoints like a Direct Address and/or a FHIR API endpoint.

Together, these rules will enable patient data to be completely populated. But it may also open security issues. This is why stakeholders should prepare for compliance, which requires a heavy technology lift to ensure that connections are made and standards are met to promote interoperability, as well as safeguard data from potential data breaches per the ONC Rules.

Government and industry organizations paving the path to compliance 

When an organization starts the exploration to becoming compliant, many find a complex array of standards and organizations that are involved in the interoperability initiative. It can be difficult for even experienced IT personnel to grasp fully. The ONC created specific API Conditions of Certification to address the practices that developers of certified health IT may engage in regards to certified API technology. The goal of API Conditions of Certification is to minimize the extraordinary effort required to access, exchange, and use electronic health information through certified APIs. It is important to note that the Conditions of Certification only apply to those associated with certified API technology and not generally to other software interfaces.

The Cures Act Final Rule calls for open APIs to encourage secure access to data for applications, but how do providers make sure the apps they are using meet the API Conditions of Certification requirements? While HL7 FHIR Release 4.0.1 is the common standard, two other organizations are developing use cases that the FAST team is leveraging.

The Da Vinci Project and the Argonaut Project are private industry projects under HL7 International. Da Vinci is developing industry use cases primarily for payers and health plans, while Argonaut is working on expanding information sharing for electronic health records and other health IT. The FHIR at Scale Taskforce (FAST) is working with both groups. For testing and certification, the tiger team is determining the criteria required for automated test scripts and identifying potential testing platform(s) for APIs.

Progress is also being made by other industry organizations who are working with qualified health information networks (QHINs) and the Trust Exchange Framework with Common Agreement (TEFCA), which is driving infrastructure development to allow data exchange with QHINs. This is critical for QHINS and other entities who are under competitive pressures to continually ensure compliance with regulatory requirements, business metrics and best practices. The Sequoia Project as the designated Recognized Coordinating Entity (RCE) by ONC is developing a Common Agreement (CA) that will significantly reduce the number of legal agreements between QHIN’s, Participants and others to enable this level of data exchange to occur as well as to help promote interoperability between the stakeholders.

Despite these concerted efforts by many government and industry organizations, healthcare providers will ultimately remain responsible for the privacy and security of the data flowing through their IT infrastructure.

Although challenges remain, third-party accreditation can help

Bringing true interoperability to the patient record will be a game-changer for patients, for providers and for the industry. However, much heavy lifting must be accomplished before that vision can become reality, taking pains to ensure that each connection is secure from cyber criminals. While these are truly unprecedented times, organizations across the healthcare ecosystem must continue to ensure that their technology infrastructure remains immune to accidental or purposeful data breaches.

In fact, with more workforces going remote and virtual care technologies like telehealth becoming a mainstay for many providers, the COVID-19 has provided new risk penetration points for cybercriminals who continue their offensive with sophisticated attacks on hospitals and health systems.

A typical hospital may have up to 150 individual connections that will need to be made through APIs. Some likely already exist, between the EHR and the pharmacy system or Radiology, for example. But unlike many other industries that long ago developed common API standards, healthcare didn’t.

Many EHR vendors wanted to keep information in their systems proprietary, so EHR vendor A has certain standards, while vendor B has a different set, making it difficult for patients who navigate multiple healthcare settings or get sick/injured while traveling. Many of the EHRs are working toward standardized APIs, but we're not there yet.

As vendors develop APIs for the products to bring interoperability, hospitals, health systems and providers need to develop their own infrastructures that address how they're going to handle these APIs, including server and infrastructure capability. They also need to develop the necessary architectures to map how data will flow among various system and interfaces, both internally and externally.

Significant questions exist about the compatibility and security of each API, as well as the overall security of these interfaces. Potential dangers include poor endpoint security, lack of robust encryption, business logic vulnerabilities and authentication flaws.

Interoperability is only as secure as the weakest link in the information exchange chain. The potential for a HIPAA violation, a data breach, a ransomware attack or other cyberattack remains high, which is why healthcare providers, software vendors and others should explore certification and accreditation programs to bring the rigor of a third-party examination to these new connections.

A healthcare data breach costs an organization more than $7 million, on average. That includes direct costs such as lost revenue and customer turnover, as well as impacts to a company’s reputation and higher costs for customer acquisition.

Interoperability is a great ideal, but the reality could be fraught with peril for providers.

Conclusion

The possibility of interoperability in patient data is exciting. Some version of an integrated patient record has been promised for decades, but the reality has remained elusive amid proprietary software, the sheer number of care settings, and the range of medical departments required to provide comprehensive patient care.

For hospitals, health systems and other providers, the time is now to prepare for a future when medical records follow the patient across care settings. That preparation should include mapping the technologies used by various departments, providers and devices that will need to be connected both within and without of the facility.

Despite the use of APIs that leverage HL7 FHIR technology, more questions than answers remain about how providers will ensure end-to-end security. How will each vendor fit into the provider technology environment? What's the architecture? What's the design?

True interoperability hinges on stakeholder trust throughout the system. Validating information security through certification or accreditation can go a long way toward establishing that trust while protecting providers from HIPAA violations, cyberattacks or data breaches that can destroy trust and take millions of dollars to remediate.

The healthcare ecosystem needs to continue to collaborate and work together to address these challenges and “move forward” with implementation of the interoperability architecture outlined by ONC. This includes focusing on providing the highest level of stakeholder trust for all healthcare “actors” – patients, providers, health plans and many others – to foster adoption and realize the benefits which will occur.

Lee Barrett is executive director and CEO of the Electronic Healthcare Network Accreditation Commission (EHNAC)where he continues to work on key HIT industry initiatives that lay the foundation for health information technology – including support and implementation of key healthcare legislative mandates and speaks nationally regarding security, privacy, ransomware and cybersecurity risk management/assessment and mitigation strategies, tactics and best practices. He is a member of both the Executive Steering Committee for the ONC Payer + Provider FAST FHIR Task Force and the HHS Cybersecurity Task Force (405d), and Chair of the National Trust Network Data Sharing and Cybersecurity Task Group.