How to mitigate middleware security vulnerabilities
Middleware has great potential for mitigating healthcare IT interoperability issues. However, because it mediates network services to applications, middleware can also create major security issues—possibly enough to offset any benefits.
A need for healthcare providers to have easy access to patient data fueled the push for the widespread adoption of electronic health records (EHR) systems. In the days of paper records, patients would often show up at doctors’ offices or, worse yet, hospital emergency rooms with no paper trail; if they had never been to that facility before, their medical records were not available, leaving their new providers scrambling to treat them with an incomplete or non-existent medical history.
The goals of EHR systems were to increase the quality of patient care and reduce medical errors and costs by making patient medical data accessible to all healthcare providers they saw, regardless of where they were located or whether the patient had seen them before.
It was a grand idea meant to transform healthcare as we knew it, but things didn’t work out quite that way. There is no one “standard” EHR system; numerous software manufacturers compete in this market space and interoperability between them remains a challenge, for numerous reasons. In a recent report, the Government Accountability Office (GAO) outlined five barriers to EHR interoperability.
- Insufficient standards for health data
- Variations in state privacy rules
- The inability of software to consistently and accurately match the correct records to the correct patient
- The need to establish consistent governance standards and trust among different healthcare organizations
EHR data blocking, where vendors charge data-access fees or prohibit any applications outside of their own proprietary systems from accessing patient data, also poses a problem, and legislation has been introduced in an attempt to address it.
Under pressure from healthcare organizations and the federal government, medical software providers began seeking ways to meet federal interoperability standards and abide by anticipated anti-data blocking laws. For inspiration, software developers looked to industries such as retail, banking, and manufacturing, which have long faced similar challenges related to linking data located in disparate systems. By far, the most promising solution that emerged was middleware.
Middleware tools sit between the operating system and applications on different servers, simplifying the development of applications that leverage services from other applications and allowing communication between applications that would be too complex to otherwise link together. In a healthcare IT environment, middleware is used to connect existing software, such as EHRs, with enterprise applications or web services, so that the EHR systems can securely communicate. Multiple systems can be connected without regard to system compatibility and without requiring organizations to build new frameworks.
Healthcare middleware has many benefits. It easily integrates with the older legacy systems many organizations run; it reduces costs and data duplication; it extends the lifespans of expensive EHR systems; and it is a proven technology that has been used successfully for years in the finance, retail, and manufacturing industries. If implemented properly, middleware will allow for user interfaces to be standardized across EHR systems, which will improve safety and be much easier for front-line healthcare workers to use.
However, if proper cyber security measures are not taken, middleware tools also pose significant risks.
By its nature, middleware allows applications on different servers to communicate and share data. Any time different systems are permitted to communicate with each other, possible security vulnerabilities arise. The greatest risk posed by middleware occurs when the applications supported by the middleware are sensitive or the middleware is on a platform where sensitive information is processed or stored, both of which are the case in healthcare IT environments. In those conditions, the middleware can become a secondary path for malware, opening the door for hackers to access both EHR applications and patient data.
To reduce these risks, middleware developers need to take three primary steps toward building secure applications.
Optimize network security
Network security is the first line of defense for middleware tools; no matter how many security measures are built into a middleware tool, they cannot make up for an insecure network. Developers can bolster network security by using application-specific overlay networks to compartmentalize both user access and data. This reduces the risk of information being accessed by unauthorized users or compromised while en route between components.
Additionally, since most data breaches are the result of login credential misuse, networks must be continually monitored for anomalous activity, such as a user logging in from an unusual location or attempting to access parts of the system they do not need in order to perform their job.
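The monitoring described above can be sketched as detection logic over middleware audit events. This is an added example, not code from the original article or from any middleware product; the JSON event format, the role policy, the user names and the function name detect are all assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict

# Assumed least-privilege policy: resources each role needs (hypothetical names).
ROLE_RESOURCES = {
    "nurse": {"/ehr/vitals", "/ehr/medications"},
    "billing": {"/ehr/claims"},
}

# Constructed sample audit events (JSON lines, oldest first); not real data.
SAMPLE_EVENTS = [
    '{"ts":"2024-03-01T08:02:11Z","user":"anurse","role":"nurse","event":"login","geo":"US-OH"}',
    '{"ts":"2024-03-01T08:03:40Z","user":"anurse","role":"nurse","event":"access","resource":"/ehr/vitals"}',
    '{"ts":"2024-03-02T07:58:02Z","user":"anurse","role":"nurse","event":"login","geo":"US-OH"}',
    '{"ts":"2024-03-02T09:15:27Z","user":"bclerk","role":"billing","event":"login","geo":"US-OH"}',
    '{"ts":"2024-03-02T09:16:05Z","user":"bclerk","role":"billing","event":"access","resource":"/ehr/medications"}',
    '{"ts":"2024-03-03T02:41:19Z","user":"anurse","role":"nurse","event":"login","geo":"RO-B"}',
    'not-json',
]

def detect(lines, min_baseline=2):
    """Return (ts, user, reason) alerts for unusual logins and out-of-role access."""
    known_geo = defaultdict(set)   # user -> locations accepted as normal
    logins = defaultdict(int)      # user -> logins counted toward the baseline
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
            user, kind, ts = ev["user"], ev["event"], ev["ts"]
        except (ValueError, KeyError, TypeError):
            # A record we cannot parse is a monitoring gap, so surface it.
            alerts.append((None, None, "unparseable-record"))
            continue
        if kind == "login":
            geo = ev.get("geo")
            if logins[user] >= min_baseline and geo not in known_geo[user]:
                # Flagged locations stay out of the baseline until reviewed.
                alerts.append((ts, user, f"unusual-location:{geo}"))
            else:
                known_geo[user].add(geo)
                logins[user] += 1
        elif kind == "access":
            allowed = ROLE_RESOURCES.get(ev.get("role"), set())  # unknown role: deny
            if ev.get("resource") not in allowed:
                alerts.append((ts, user, f"outside-role:{ev.get('resource')}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The role field is assumed to be the one the middleware recorded at authentication, not a value supplied by the client.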
Establish middleware security practices within the application lifecycle management (ALM) process
Middleware security must be integrated into the ALM process. Specific security protocols must be established, and middleware and application components, whether brand-new or upgraded, should never be integrated into a system until they have been fully tested and authenticated to meet them.
Add incremental security to middleware tools and interfaces
Middleware security, like all information security, is never done. New threats are constantly emerging, and middleware tools will need to be upgraded and patched to address them. Developers can start by studying the security features of the existing middleware tools on the market. Even if the security measures of a particular product would not meet their needs or specific data environment, they can provide a good starting point.
The push for interoperability between EHR systems is not going away. The Medicare Access and CHIP Reauthorization Act (MACRA) requires that healthcare systems and providers achieve widespread interoperability by the end of 2018. The Defense Authorization Act not only requires DoD and VA interoperability on the same timeline but is also withholding some program funds until agencies can produce plans to achieve it. And, at the recent HIMSS16 conference, HHS Secretary Sylvia Mathews Burwell announced a major commitment to interoperability among major EHR providers, including industry titans Epic and athenahealth.
Middleware is the most promising and most cost-effective solution, but developers need to ensure that middleware tools do not put patient data at risk in the name of interoperability.