CIO: 3 Rules for Meeting ONC/CMS Interoperability, While Improving Cybersecurity

Healthcare data security has been a growing concern for CIOs for the last year or so, as hackers are increasingly targeting health information. Now, with a global pandemic forcing a shift to telemedicine and remote work, and new rules from the ONC and CMS introducing more regulatory burden, healthcare CIOs have more to manage than ever. Fortunately, it is possible to roll out new capabilities while simultaneously improving cybersecurity by following these three rules:

Rule 1: Think Like an Attacker

The coronavirus pandemic has forced healthcare providers everywhere to roll out new capabilities, processes, and workflows, such as telemedicine systems and new patient check-in procedures. These measures are being taken in addition to the necessary work being done to comply with the new mandates from ONC and CMS regarding patient data accessibility. Though these changes need to be implemented quickly, it’s important to follow cybersecurity best practices to avoid providing new openings for attackers. 

When a hacker sees new systems and processes being implemented, they are thinking about:

– What software is being introduced? Are there known vulnerabilities or frequently unpatched exploits associated with it?

– How are new endpoints being added and are they secure?

– Since the new ONC and CMS rules require publicly exposed FHIR APIs, how can those be attacked? Are there social engineering exploits that can provide a way around security?

– Are there ways to perpetrate identity fraud if a patient does not need to be physically present to receive healthcare?

This approach should lead to a cybersecurity plan that puts measures in place for each identified risk. By thinking like the adversary, it is possible to identify and lock down the possible attack vectors. 

Rule 2: Minimize the Attack Surface

Every way into an organization’s network needs to be secured, monitored, and maintained. The best way to make this process as efficient and fool-proof as possible is to minimize the number of ways into the network. 

This is especially difficult in light of the ONC and CMS rules, which require that clinical systems must share data through publicly available FHIR APIs. At first, this seems like a mandate to radically expand the organization’s attack surface. Indeed, this is precisely what happens if the straightforward approach of exposing every clinical system through public APIs is followed. 

A different approach, which provides the same capabilities and compliance with the rules, would be to route all API traffic through a central hub. Attaching all the clinical systems to a single point of API access provides a number of benefits:

– Most importantly, compliance is achieved while minimizing the new attack vectors.

– All traffic between clinical systems and the outside world can be monitored from a single place.

– The API hub can act as a façade that makes legacy systems compliant with the new rules, even if those systems lack native FHIR API capabilities.

The API hub need not be an expensive new component of the network architecture. Most healthcare organizations are already using a clinical integration engine to move HL7, XML, and DICOM traffic among their internal systems. The same technology can serve as an API hub. This is especially effective if a new instance of the integration engine is placed in an isolated part of the network without full access to other systems. 

Rule 3: Have an Expert Review the Defenses

Even for healthcare organizations with cybersecurity experts on staff, it can be worthwhile to bring in a cybersecurity consultant to cross-check new implementations. Novel threats are constantly shifting and emerging, making it nearly impossible for internal IT staff to keep up with the looming threats of ransomware hacks, while also adequately carrying out the day-to-day responsibilities of their jobs. For that reason, it makes sense to bring in a professional who focuses exclusively on security. It is also often useful to have an independent review from someone who is looking at the implementation from an outsider’s perspective. Independent consultants can provide the necessary guidance, risk assessments, and other security support, to set healthcare organizations up for success and operate more securely. 

Expanding an organization’s IT capabilities often means more exposure to risk, especially when implementations are subject to time constraints. However, given the value and importance of the data that’s being generated, transmitted, and stored, it is imperative not to let cybersecurity fall out of focus. By following best practices around design, implementation, and testing healthcare organizations can rise to meet the current challenges of the pandemic, address the mandates of the interoperability rules, and simultaneously improve data security measures. 


About Scott Galbari, Chief Technology Officer

As Chief Technology Officer for Lyniate, Scott leads the development and delivery of all products and services. Scott has been in the healthcare IT domain for the past twenty years and has experience in developing and delivering imaging, workflow, nursing, interoperability, and patient flow solutions to customers in all geographies. He was most recently the General Manager for multiple businesses within McKesson and Change Healthcare and started his career as a software developer.

About Drew Ivan, Chief Product & Strategy Officer

Drew’s focus is on how to operationalize and productize integration technologies, patterns, and best practices. His experience includes over 20 years in health IT, working with a wide spectrum of customers, including public HIEs, IDNs, payers, life sciences companies, and software vendors, with the goal of improving outcomes and reducing costs by aggregating and analyzing clinical, claims, and cost data.