Guidance Published for Healthcare CISOs Regarding Identity, Interoperability, and Patient Access

The Health Information Sharing and Analysis Center (Health-ISAC) has released guidance for Chief Information Security Officers (CISOs) on adopting an identity-centric strategy to enable safe and quick access to patient information to satisfy the interoperability, data sharing, and patient access demands of the 21st Century Cures Act.

New federal rules associated with the 21st Century Cures Act call for healthcare companies to give patients quick access to their healthcare information and to make sure patients can quickly share their electronic health information (EHI) whenever, wherever, and with whomever they need. A healthcare company that fails to put in place systems providing patient access and interoperability can be regarded as engaging in data blocking and can be fined and penalized.

The new government rules require healthcare companies and insurance providers to permit data sharing via Application Programming Interfaces (APIs) that run on the Fast Healthcare Interoperability Resources (FHIR) standard. Healthcare companies and insurance providers need to set up APIs to enable patients to get access to their EHI; nonetheless, giving patients quick access to their healthcare information can potentially introduce security vulnerabilities.

According to Health-ISAC, in order to give quick access to patient information, a number of privacy, security, and usability issues must be addressed, all of which are grounded in identity. When users ask for access to their information, strong authentication controls should be in place to confirm the identity of the person asking for EHI. For several years, patient matching issues have seriously affected the healthcare sector, and with no national patient identifier, those issues are still present today. Those concerns should also be dealt with to make sure the right EHI is released to the right person. Additionally, if a person would like to disclose only a portion of their EHI, it must be possible to easily share just that portion of the information.

H-ISAC Framework for Handling Identity

Health-ISAC recommends a Framework for Managing Identity (above) that addresses all of those capabilities; nevertheless, privacy and security problems also must be resolved. For instance, when a patient would like to allow the use of EHI by somebody who cares for them, such as a senior relative or a minor child, that should also be possible. A patient should be able to assign access privileges when someone else is caring for them, and there must be proper authentication controls in place to support these requests. API-level security is additionally necessary. FHIR APIs are publicly reachable, so they need to be protected after authorization has been granted, not only at login.

Health-ISAC recommends that healthcare companies adopt an identity-centric strategy for data sharing to resolve these problems. The most effective means of mitigating the threat these issues pose to companies is implementing an advanced, robust, and secure identity infrastructure that can safely authenticate and authorize users and incoming requests, enforce the proper consent requirements, and properly control the use of identities. This is precisely what the Health-ISAC framework is designed for.
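The controls described above (authenticating the caller, binding the request to a patient record, honoring delegated caregiver access, and releasing only the portion of EHI the patient consented to share) can be combined into a single authorization decision at the FHIR API layer. The following is an added illustration written for this article; it is not code from Health-ISAC's framework or from any FHIR server. The token claim names (`sub`, `amr`), the SMART-style scope strings (`patient/<ResourceType>.read`), and the consent and delegation data model are assumptions chosen for the example, and all sample identities are constructed.

```python
"""Deny-by-default authorization check for a FHIR read request.

Added example, not Health-ISAC's framework. Token validation (signature,
expiry, issuer) is assumed to have happened upstream; this function only
consumes the resulting claims.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TokenClaims:
    sub: str                            # authenticated user id (assumed claim name)
    amr: tuple = ()                     # authentication methods used, e.g. ("pwd", "otp")
    scopes: frozenset = frozenset()     # SMART-style scopes (assumed format)


@dataclass
class RecordPolicy:
    patient_id: str
    # FHIR resource types the patient agreed to expose through the API
    consented: frozenset = frozenset()
    # delegate user id -> resource types the patient delegated to that person
    delegates: dict = field(default_factory=dict)


def has_mfa(claims: TokenClaims) -> bool:
    """Treat two distinct authentication methods as multi-factor."""
    return len(set(claims.amr)) >= 2


def authorize_fhir_read(claims: TokenClaims, policy: RecordPolicy,
                        resource_type: str) -> tuple:
    """Return (allowed, reason). Every path that is not explicitly allowed denies."""
    # 1. Identity assurance: the guidance points firmly at MFA.
    if not has_mfa(claims):
        return False, "mfa_required"

    # 2. The token itself must carry a scope for this resource type.
    needed = f"patient/{resource_type}.read"
    if needed not in claims.scopes and "patient/*.read" not in claims.scopes:
        return False, "scope_missing"

    # 3. Bind the request to the record: the patient, or a registered delegate.
    if claims.sub == policy.patient_id:
        pass
    elif claims.sub in policy.delegates:
        if resource_type not in policy.delegates[claims.sub]:
            return False, "delegation_missing"
    else:
        return False, "not_authorized_for_patient"

    # 4. Partial disclosure: only consented resource types are released,
    #    even to the patient themself through this channel.
    if resource_type not in policy.consented:
        return False, "consent_not_granted"
    return True, "ok"


# Constructed sample policy: patient shares observations and medications,
# and delegates observation access only to one caregiver.
SAMPLE_POLICY = RecordPolicy(
    patient_id="patient-123",
    consented=frozenset({"Observation", "MedicationRequest"}),
    delegates={"caregiver-456": frozenset({"Observation"})},
)

MFA = ("pwd", "otp")


def demo() -> list:
    """Run a few constructed requests through the check and return the decisions."""
    cases = [
        ("patient, mfa, consented",
         TokenClaims("patient-123", MFA, frozenset({"patient/*.read"})), "Observation"),
        ("patient, password only",
         TokenClaims("patient-123", ("pwd",), frozenset({"patient/*.read"})), "Observation"),
        ("caregiver asks beyond delegation",
         TokenClaims("caregiver-456", MFA, frozenset({"patient/*.read"})), "MedicationRequest"),
        ("unrelated user",
         TokenClaims("stranger-789", MFA, frozenset({"patient/*.read"})), "Observation"),
    ]
    return [(label, authorize_fhir_read(c, SAMPLE_POLICY, r)) for label, c, r in cases]


if __name__ == "__main__":
    for label, decision in demo():
        print(f"{label:35s} -> {decision}")
```

The order of the checks matters for the reasons returned to the caller: authentication strength and token scope are evaluated before the record binding, so an unrelated user never learns whether a given patient id exists, and the consent check runs last so that delegation and consent are enforced independently rather than one substituting for the other.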

In addition, Health-ISAC firmly advises employing multi-factor authentication: although MFA is not explicitly required by the new ONC and CMS regulations, guidance issued by the government clearly points to using it. Forgoing MFA carries real risk given its value for authentication. The HHS' Office for Civil Rights (OCR) has penalized health institutions in the past for HIPAA violations associated with insufficient authentication. Health-ISAC has created a white paper called All About Authentication that details the best method for implementing MFA.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations.