Sequoia Project takes ‘critical step’ in march toward secure data exchange for healthcare

Cmdr. Jon Giacoman (l), an anesthesiologist at Naval Hospital Jacksonville, administers anesthesia to a patient. (U.S. Navy photo by Jacob Sippel, Naval Hospital Jacksonville Public Affairs/Released)

The Sequoia Project released a draft guide to help healthcare stakeholders comply with the Fast Healthcare Interoperability Resources (FHIR) standard for enabling secure exchange of electronic health records, and is asking for feedback on the policy, technical, and process requirements.

The group is the chosen partner of the Department of Health and Human Services' Office for the National Coordinator to lead development and implementation of the Trusted Exchange Framework and Common Agreement, or TEFCA. TEFCA is the support framework for interoperability across trusted providers, fueled by the use of FHIR, an industry standard created by HL7 that describes data formats and elements and an API for exchanging electronic health records.

The draft TEFCA Facilitated FHIR Implementation Guide is a “critical step” as the Sequoia Project continues to prepare for the launch of FHIR pilots later in 2022.

As with previous interoperability guides, the group is asking for industry feedback to ensure all policy, privacy, and security concerns are addressed as the Department of Health and Human Services works to ensure the success of its interoperability push.

Previous research led by renowned cybersecurity researcher Alissa Knight found critical flaws in the new ecosystem of FHIR apps that plug in and run on top of the EHR, directly caused by data aggregators and app developers, not the FHIR standard itself. Stakeholders have previously warned of several privacy and security concerns with TEFCA, due to patient consent questions and definitions for particular data.

The FHIR implementation guide (IG) for Qualified Health Information Networks (QHINs) and participants in TEFCA exchange takes aim at these concerns and challenges, to ensure the exchange of TEFCA information “without relying on a QHIN to broker the retrieval of data.”

The Sequoia Project explained the “guide supports both business-to-business and consumer-facing individual access workflows and relies on the HL7 Security for Scalable Registration, Authentication, and Authorization FHIR Implementation Guide v1.0.”

The draft guidance describes the role and general requirements for patient matching and endpoint and access token lifetimes, as well as use cases and workflows. For privacy and security matters, there’s a 15-page section dedicated to infrastructure, including FHIR endpoints, authentication, and trust.

Notably, all members will be required to use the FHIR Capability Statement resource to define their FHIR server capabilities, while implementers must provide at least one publicly discoverable Capability Statement “for each endpoint associated with a FHIR server, defining the capabilities available at that endpoint. Each endpoint shall provide access to at least one FHIR resource.”

The resource goes on to detail highly specific requirements for implementers and endpoints designed to minimize redundant data and associated maintenance and reduce out-of-date/sync capability statements and the number of centralized points to establish a connection that could fail.

As with previous frameworks, the Sequoia Project is requesting stakeholders to review the draft guidance and submit feedback until Nov. 7. The group intends to consider those recommendations as it continues to review and develop the document, as well as the final TEFCA guide.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
