The Centers for Medicare and Medicaid Services (CMS) strive for innovations in healthcare technologies that drive down costs and improve the patient experience. One big step forward is the 21st Century Cures Act passed in 2016, putting patients in charge of their own health records.
Then in 2021, both the CMS Interoperability and Patient Access Final Rule and the Office of the National Coordinator for Health IT (ONC) Information Blocking Rule went into effect, which aims to drive interoperability and patient access to Electronic Health Information (EHI) by liberating patient data through a data exchange using secure Application Programming Interfaces (APIs). In other words, health care organizations must now allow patients to access and share their electronic health information through the Fast Healthcare Interoperability Resources (FHIR) API.
Any organization implementing the API must also publicly document its functionality and operation by posting it directly on their website or via publicly accessible hyperlinks. The documentation must include at a minimum the API syntax, function names, required and optional parameters and their data types, return variables and their types/structures, exceptions and exception-handling methods, software components and the configurations an app must use to successfully interact with the API, and more.
The API provides access to highly sensitive health information that must be kept confidential under federal and state privacy and security rules, including HIPAA. If healthcare organizations fail to secure the data, they will face steep penalties. Given the high value that cybercriminals place on stolen health data, these organizations can expect that hackers will target these new APIs to steal patient data.
Protect Against Security Breaches
The Cures Act-mandated APIs are delivering huge benefits in patient information accessibility and in providing a platform for new technological innovations. But they also significantly increase the risk of data breaches, requiring all healthcare organizations to layer an effective security and governance protection over those new APIs. As a result, API security, patient consent management and data privacy are fast becoming major design considerations for public healthcare APIs.
But these risks can be thoroughly mitigated by implementing a Zero Trust security model that includes robust identity and next-generation API security controls. This model secures patients’ data by authenticating and authorizing all requests, continuously monitoring all FHIR API activity, remediating issues tied to third parties misusing the API, blocking hacking, and enforcing patient consent rules at the API itself by monitoring API payloads to redact or block certain data requests.
Specifically, there are six recommended steps healthcare organizations should take to properly secure the access and sharing of electronic health information via these new APIs. These steps are based on the experiences of numerous security leaders at top organizations across the U.S.
1. Strong authentication is key: Is the patient who they claim to be, or might a request be coming from someone who has compromised a patient’s account or stolen their credentials? To secure access to patient data, it’s important to leverage a robust identity infrastructure that can properly authenticate and authorize users and incoming requests. The new Cures Act rules also point to multi-factor authentication (MFA) as fundamental, given the prevalence of account takeovers enabled by weak authentications. From there, adding passwordless capabilities will strengthen security and improve the user experience.
2. Utilizing a Single User Store: Another essential element is a Single User Store, which reduces risk by using a repository for all user identities outside of EMR/EHR systems. Many health organizations have patients with the same name which can lead to exposing protected information. A central repository provides a single view for each user across all systems and helps resolve duplicate identities.
3. Enforcing dynamic patient consent authorization. Has the patient granted access to their EHI or a portion to be shared? Can someone access or share EHI on behalf of someone they care for? Collecting, managing and enforcing consent-driven access to patient data is critically important. The most effective way to enforce consent for EHI is at the API level by monitoring payloads and applying rules set by patients in real-time. This approach eliminates the need to manage and enforce consent at each data store, eliminating the risk of having any one of them improperly configured. Data would then be made available, redacted, or blocked based on the consent granted by the patient.
4. Post authorization API activity monitoring: Once access is granted, all activity must be monitored with a great level of scrutiny on a per-user basis – and not just per token or IP address. The tracked activity must also be made available for governance and forensic reports.
5. Leveraging Machine Learning (ML) to identify and block hackers: Using AI/ML analysis of all activity can more quickly identify malicious behaviors and take corrective actions such as notification and immediate blocking. ML can identify attacks that traditional web security cannot recognize, as most API breaches are executed with valid credentials. It can detect and block modern API hacking techniques, from attacks that bypass the UI to “reverse engineer” the API and take over an EHR system, to data theft using stolen credentials and any number of constantly evolving API attack methods to steal health information.
6. Using ML to catch API bugs and other mishaps in production: Another benefit of ML is recognizing API bugs, misconfigurations, and deployment issues that could lead to data leaks and other costly mishaps, while in production – and automatically block hackers from exploiting those vulnerabilities. The same technology would sort out abnormal or abusing API activity by partners and third-party application developers.
Conclusion
The Cures Act requires most health providers and insurers to create new APIs that allow patients to easily access, as well as share with other parties, their Electronic Health Information (EHI). But when new APIs are created to enable data exchange, they offer a tempting target for hackers looking to obtain valuable medical records and personal information.
Healthcare organizations can mitigate these risks by embracing a Zero Trust security model that includes a robust digital identity infrastructure and next-generation API security controls, helping them ensure both regulatory compliances as well as gain a strategic advantage.
About Bernard Harguindeguy
Bernard joined Ping Identity by way of the Elastic Beam acquisition, where he was the founder and CEO. Elastic Beam built the first hybrid cloud solution that used advanced AI techniques to deliver deep visibility into API activity and stop cyberattacks. Most recently he was Chairman, President and CEO at Atlantis Computing (award-winning storage optimization software) and the CEO of Green Border which was acquired by Google. Bernard was also the Chairman of Booshaka acquired by Sprinkler, Chairman of Norskale acquired by Citrix, Chairman of BorderWare acquired by WatchGuard, Board Member at Sygate Technologies acquired by Symantec. Bernard earned an MS in Engineering Management from Stanford University and a BS in Electrical Engineering from the University of California Irvine where he was inducted into the Engineering Hall of Fame.
