Assessing the Privacy, Security Vulnerabilities of APIs

Before patients can leverage application programming interfaces to access their healthcare data, as called for in the final Stage 3 electronic health record Meaningful Use rule, there are privacy and security issues that must be addressed.

Those are among the challenges that a new Health IT Policy Committee task force is attempting to tackle. The API task force, co-chaired by Harvard Medical School research faculty member Josh Mandel, M.D., and Cerner’s Director of Health Policy Meg Marshall, held its first two meetings last week to lay out the group’s agenda and work plan.

Ultimately, the goal is to provide the Office of the National Coordinator for Health IT with recommendations to help consumers leverage API technology to access patient data, while ensuring the appropriate level of privacy and security protection.

“As a technology, APIs can be subject to privacy and security vulnerabilities,” Mandel told the task force. While he pointed out that APIs are “fundamental to large scale data interoperability and are widely used in other industries,” the task force is seeking to “understand and address whether there are privacy and security issues unique to APIs for interoperable movement of health data, and if there are, prioritize how to address them.”

APIs, which allow a software program to access the services provided by another software program, were included in the Centers for Medicare and Medicaid Services’ final Stage 3 Meaningful Use rule to ensure that patients can electronically access their health information through view, download, and transmit capabilities as well as an API.

Also See: Final Stage 3 Rule Pits APIs against Patient Portals

“There are a few places in the Meaningful Use Stage 3 final rule where patient access and APIs are explicitly invoked,” said Mandel.

In addition, he noted that APIs are included in ONC’s 2015 Edition Certified EHR Technology rule which requires access to a Common Clinical Data Set via an API. To be certified for the API criteria, three privacy and security criterion must be met.

The task force will hold virtual hearing sessions next month to provide stakeholders an opportunity to voice concerns regarding APIs, and based on that feedback the task force will present final recommendations in an April 19 Joint Health IT Policy-Standards Committee meeting.

For reprint and licensing requests for this article, click here.