Application programming interfaces (APIs) today are transforming business processes by enabling one software program to access the data or services of another. They are particularly useful for the healthcare industry, with its closed health IT systems and siloed data stores. The ability of APIs to manage the flow of information between disparate systems is helpful in supporting healthcare data interoperability between internal apps, EHRs and other data exchange tools.
The healthcare industry today is moving to digitize its records and making them discoverable and understandable. It is also structuring them and trying to standardize them in such a way as to support automated clinical decisions and enable machine-based processing of records. In doing so, it’s important to ensure that the API connections are secure and that any vulnerabilities which open the door for unauthorized access to the data do not leak information. We list 7 such privacy and security considerations with healthcare APIs, and how they can be mitigated to succeed and get accepted.
Privacy and Security Concerns with Healthcare APIs
- With APIs, users may gain access to a lot of data as compared to limited access offered by an email interface or a web site. Even if the data is not misused for malicious purposes, the unauthorized access provided to the data can violate the privacy regulations laid down by HIPAA.
- Though managed APIs are secure, there’s a risk of privacy violation when patients access PHI without being familiar with the HIPAA Notice of Privacy Practices for Protected Health Information. Also, some patients may share their health data to third party apps and expose themselves to a possible breach of privacy. This risk can be mitigated by ensuring that the electronic access request interface provides individuals with an opportunity to approve the electronic transmission of health information in accordance with applicable legal requirements like the HIPAA right of access.
- Organizations need to establish privacy and security policies which are consistent with the PMI Privacy Principles or Security Principles to effectively address any privacy or security risks.
- A service provider’s infrastructure, security practices, and technical capabilities for hosting implementations of APIs and apps that store, and access health information will need evaluation. The API will need to be protected using Transport Layer Security (TLS) Version 1.27 or higher with strong cipher suites (such as the Advanced Encryption Standard [AES] or higher) to protect health information in transit via the API from the EHR to the third-party.
- Technical and administrative policies should ensure that the identities of both users and contributors are established and verified before granting credentials for access to or contribution of health information. Similar policies need to control the actions of anyone who wishes to issue credentials to third parties, permitting them to access their own health information.
- Establish risk-based authentication controls which correspond to the organization’s security risk assessment, and are commensurate with the type of data, level of sensitivity of the information, and user type. Technical authorization controls need to support individual privacy preferences, but limit API access, use, or disclosure based on need.
- Data integrity protection controls need to detect any unauthorized alterations made to health information which is accessible through the API. EHR patient portals which interact with the API need to be secured and protected against all known and exploitable vulnerabilities.
There is no doubt that with appropriate privacy and security safeguards in place, APIs can add value to individual-directed sharing of health information. As a matter of fact, properly managed APIs provide better security than any legacy or proprietary integration technology. By ensuring authentication, authorization, certification, encryption, and signatures, we secure and manage healthcare API exchanges better.