Guidance Issued for Healthcare CISOs on Identity, Interoperability, and Patient Access

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric approach to enabling secure and easy access to patient data to meet the interoperability, patient access, and data sharing requirements of the 21st Century Cures Act.

New federal regulations tied to the 21st Century Cures Act call for healthcare organizations to provide patients with easy access to their healthcare data and ensure patients can easily share their electronic health information (EHI) data wherever, whenever, and with whomever they want. The failure of a healthcare organization to implement systems to support patient access and interoperability could be considered information blocking and would be subject to fines and penalties.

The new federal requirements are for healthcare providers and insurers to allow data sharing through Application Programming Interfaces (APIs) that operate on the Fast Healthcare Interoperability and Resources (FHIR) standard. Healthcare providers and insurers are required to establish APIs to allow patients to access their EHI; however, providing patients with easy access to their healthcare data has the potential to introduce security vulnerabilities.

Health-ISAC says that in order to provide easy access to patient data, multiple privacy, security, and usability challenges need to be addressed, all of which are rooted in identity. When users request access to their data, strong authentication controls must be in place to verify that the person requesting EHI is who they say they are. For many years, patient matching problems have plagued the healthcare industry, and without a national patient identifier, those problems exist to this day. Those issues must also be addressed to ensure the correct EHI is provided.  Also, if an individual wants to only share part of their EHI, it needs to be possible for a portion of the data to be easily shared.

H-ISAC Framework for Managing Identity

Health-ISAC suggests a Framework for Managing Identity (above) that covers all of those functions; however, privacy and security issues also need to be addressed. For example, if a patient wants to authorize the use of EHI on behalf of someone else that he/she cares for, such as an elderly relative or a minor child, that must be possible. It must also be possible for a patient to delegate access privileges if they are being cared for by someone else, and for appropriate authentication controls to be in place to accommodate such requests. API-level security is also required. FHIR APIs are in the public domain, so they must be secured after authorization to use is granted.

Health-ISAC suggests that healthcare organizations should adopt an identity-centric approach to data sharing to solve these issues. “The most effective way of mitigating the risk that these issues pose to organizations is through the implementation of a modern, robust, and secure identity infrastructure that can securely authenticate and authorize users and incoming requests, enforce the appropriate consent requests, and tightly govern the use of identities,” said Health-ISAC. “By design, this is exactly what the Health-ISAC framework is meant to achieve.”

Additionally, Health-ISAC strongly recommends implementing multi-factor authentication, as while this is not explicitly required by the new ONC and CMS Rules, guidance issued by the government strongly points to the use of MFA. There are risks associated with not implementing MFA due to its importance for authentication.  The HHS’ Office for Civil Rights (OCR) has fined health organizations for HIPAA violations related to inadequate authentication in the past. Health-ISAC has produced a white paper – All About Authentication – which explains the best approach for implementing MFA.

“Identity is a journey. As the healthcare industry focuses on digital adoption, identity will continue to play a foundational role. Whether your implementation of a modern identity system is driven by regulatory and compliance requirements, security and privacy concerns, or a desire to improve customer experience, a well-architected, robust digital identity solution can address all of these drivers,” concludes Health-ISAC.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.