An office assistant searches for a patient's misplaced medical file at a family clinic amid a transition to an electronic health records system. (Photo by John Moore/Getty Images)

The Health-ISAC released new guidance that aims to support provider organizations with the adoption of identity-centric approach to data sharing, in light of ongoing interoperability mandates and the continued digital transformation in healthcare.

Under the 21st Century Cures Act, all covered entities and relevant business associates are required to timely share patient data upon request with patients and covered entities. The interoperability plan relies heavily on APIs that operate on the Fast Healthcare Interoperability and Resources (FHIR) standard.

But as recent research confirmed, challenges within the API developer ecosystem pose serious risks to patient privacy and security. As such, the guidance is designed to help providers implement the much-needed, strong identity solutions to keep electronic health information secure.

The guidance is the fourth installment in the H-ISAC series that aims to support chief information security officers with better understanding the need for an identity-centric approach to data sharing processes and supporting compliance requirements with Cures Act directives.

“These new interoperability mandates pose significant challenges, not the least of which is ensuring that new systems deployed to enable information sharing do not create new security concerns,” H-ISAC officials explained in the release.

“Digital identity is front and center in these new interoperability architectures, given the importance of ensuring that only the right people can access sensitive electronic health information,” they continued.

Healthcare CISOs can leverage the guide to gain insights into the new data-sharing regulations, as well as the security concepts needed to enable broader data access and overall data exchange. In addition to compliance and security elements, the paper also addresses the benefits of identity solutions in modernizing care delivery and enabling digital innovation.

The guidance also clears up questions surrounding multi-factor authentication, including authentication requirements from the Department of Health and Human Services and ongoing compliance and security risks posed by inadequate authentication.

H-ISAC recommends providers issue high-assurance digital credentials for patients or partner with an organization that does, as there may be forthcoming authentication requirements from the Department of Health and Human Services. 

Acting now would enable provider organizations to address these requirements before they’re mandated. For example, although API requirements have dominated conversations around the interoperability regulations, the Office of the National Coordinator has also recommended additional government requirements for high assurance identity vettering and authentication.

ONC plans to leverage the Trusted Exchange Framework and Common Agreement to support more secure exchange of EHI across health information networks (HINs). The framework is scheduled to go-live in 2022.

The agency recently released a breakdown of the progress of interoperability efforts since the enactment that outlined the requirements and exceptions, as well as resources to support the initiatives within provider organizations.

H-ISAC may release a more in-depth look at global laws, rules, and regulations around data sharing in a future paper. For now, providers should review the new guidance to better understand the role of identity in interoperability efforts, step-by-step needs for identity management and access controls, and other related recommendations and concerns.

“The most effective way of mitigating the risk that these issues pose to organizations is through the implementation of a modern, robust, and secure identity infrastructure that can securely authenticate and authorize users and incoming requests, enforce the appropriate consent requests, and tightly govern the use of identities,” according to the guidance.

“By design, this is exactly what the H-ISAC framework is meant to achieve,” it added.