The Impact of the ONC Cures Act on API Security
In March 2020, the US Department of Health and Human Services issued the 21st Century Office of the National Coordinator (ONC) Final Rule, also known as the ONC Cures Act Final Rule. This Final Rule supports secured, limitless access, exchange, and use of Electronic Health Information (EHI).
Apart from providing patients and their healthcare providers secure yet seamless access to health information, the ONC Cures Act Final Rule aims to increase innovation and trigger competition. With more competition comes innovation, as new entrants offer much wider healthcare choices and solutions for patients.
Summary of the ONC Cures Act Regulations
Due to the COVID-19 pandemic, the US Department of Health and Human Services provided an extension for compliance with the ONC Cures Act Final Rule. This extension ended on April 5, 2021.
According to the National Law Review, organizations subject to the Cures Act should have the following in place:
- An efficient configuration of digital patient portals to provide electronic health information (EHI) to patients without needless delay
- An up-to-date release of information policies
- A thorough assessment of contracts and arrangements involving EHI with any third parties, conducted to achieve compliance with information blocking prohibitions
- Preparation of real-world testing plans, EHI data export, Application Programming Interfaces (APIs) with the latest HL7 Fast Healthcare Interoperability Resources (FHIR) capabilities, and various other capabilities targeted for 2021 and 2022
The ONC Cures Act Final Rule calls on the healthcare industry to adopt standardized APIs that allow individuals or patients to access and make better use of EHI securely and quickly using smartphone applications.
Identity and Security Requirements of the Regulations
The ONC Cures Act Final Rule, as explained in the Federal Register, lays out conditions for the compliance certification of healthcare providers. Those conditions include support for standards and published APIs that allow health information “to be accessed, exchanged, and used without special effort” and “access to all data elements of a patient’s electronic health record to the extent permissible under applicable privacy laws.” The aim of the Final Rule is nationwide transparent data portability with standardized yet agile data exchange processes.
Along with that, the ONC Cures Act Final Rule can avoid many security risks associated with healthcare APIs, such as inadequate SSL certificate validation, the vulnerability of Simple Object Access Protocol (SOAP), and accountability issues, to name a few.
The following are the specific identity and healthcare security requirements of the ONC Cures Act Final Rule:
- The implementation of HL7 FHIR defines the content and structure of core EHI with standardized applications.
- The use of SMART IG/OAuth 2.0/OpenID Connect to secure the authorization of application access and the authentication of the communications built on top of it.
- An interoperable nationwide EHI exchange with standardized data classes and data elements using United States Core Data for Interoperability (USCDI).
The ONC Cures Act Final Rule, while allowing agility of EHI, also puts limits on information blocking and anti-competitive practices by healthcare providers. The Code of Federal Regulations, with a few exceptions, allows patients to decide which healthcare applications can access their EHI.
Vulnerabilities of the APIs
The ONC Cures Act Final Rule ushers in an era of the widespread adoption of standardized APIs by the healthcare industry all over the globe. On the one hand, it helps individuals or patients securely access and easily make use of EHI using smartphone applications. On the other hand, since APIs deal with sensitive data that can be easily accessed over the internet, they are vulnerable to sophisticated cyberattacks. Without question, healthcare organizations need enhanced digital healthcare security and vigilant monitoring to protect sensitive and private patient information.
More than anything else, implementing and maintaining enhanced API security is an exhaustive process. It also incurs extra expenditure on updating features or fixing bugs. This scenario demands a significant part of the API development lifecycle to maintain security.
Another concern is the consistent testing of API security. This complicated process requires hiring the right talent to identify and expose API security issues before the launch of the application.
Leveraging Cloud Solutions
According to IBM, the widespread global cloud migration can amplify the cost of cybercrime damage by nearly $300,000. As more enterprises migrate to the cloud, sensitive corporate data becomes vulnerable to cyberattacks, technical glitches, and data storage issues.
However, the increased technical difficulties, expenses, and larger talent pools associated with the integration, management, and dissemination of EHI can be overcome by cloud solutions. Today, many healthcare providers have embraced the power of healthcare cloud computing to meet the ONC Cures Act Final Rule requirements and to future-proof their Information Technology (IT) environment.
Cloud solutions eliminate the additional time and cost associated with traditional storage systems. An integrated data ecosystem that can feed multiple data centers can be easily deployed within a short period and with fewer complications using cloud solutions.
Additionally, cloud solutions can empower healthcare providers to scale up and scale down their data processing resources as demands fluctuate. As an added benefit, the pay-per-use business model implemented by most cloud solutions providers worldwide makes the expensive resource procurement associated with traditional storage systems a thing of the past.
Another advantage of cloud computing infrastructure is that it provides access to data through open-source tools. That means no more data locked in silos and no more of the unwanted license expirations common with other proprietary storage solutions.
Cloud Is the Future of Healthcare
The future is healthcare cloud computing. The ONC Cures Act Final Rule is the call from the future. EHI should flow smoothly and safely. Healthcare IT should provide more portable, interoperable, and patient-centric healthcare solutions. And cloud solutions are the only way forward.
RedSeal, a hybrid cloud security solution provider, helps you identify all your resources and how they are connected in your complex network environment. It allows easier validation of your security policies and prioritizes the security issues that can breach your most valuable network assets. RedSeal constantly monitors your network to find glitches in your networking setup and to check whether it meets the compliance standards and organizational policy.
RedSeal Cloud is a Software as a Service (SaaS)-based Cloud Security Posture Management solution that provides your cloud solutions security team with increased visibility and understanding of the provider’s infrastructure. RedSeal Cloud can help you manage the increased digital healthcare security risks with an up-to-date visualization of cloud solutions infrastructure and detailed identification of digital resources exposed to the internet. Your security team will also gain updated knowledge of Kubernetes accounts and policies.