H-ISAC Releases CISO Guide for Identity-Centric Data Sharing

November 29, 2021 - Health-ISAC released new guidance to help CISOs navigate interoperability, patient access, and identity-centric data sharing under the 21st Century Cures Act. New interoperability mandates under the Cures Act require healthcare organizations to implement APIs to promote the digitization of electronic health information (EHI).

“While APIs are the ‘door’ to enabling interoperability of EHR between healthcare organizations, strong identity solutions are the ‘key’ that keeps EHI secure,” the guide explained.

Specifically, the Act depends on APIs that operate on the Fast Healthcare Interoperability and Resources (FHIR) standard. The FHIR standard was developed by nonprofit standards group Health Level 7 (HL7) and was created to allow patients to easily access data through a third-party application of their choice.

“These new interoperability mandates pose significant challenges, not the least of which is ensuring that new systems deployed to enable information sharing do not create new security concerns,” the guide stated.

“Digital identity is front and center in these new interoperability architectures, given the importance of ensuring that only the right people can access sensitive EHI.”

In order to maintain security while promoting interoperability and remaining in compliance with the 21st Century Cures Act, H-ISAC recommended that CISOs adopt an identity-centric approach to patient data sharing.

Although the interoperability mandates help patients get access to their health data more easily, many identity-related security issues may arise in the process. For example, it can be difficult for patients to securely delegate access and authorize use of EHI on behalf of a child or elderly relative. In addition, given that FHIR APIs will be publicly available, organizations must develop an approach to secure them after authorization is granted.

“The most effective way of mitigating the risk that these issues pose to organizations is through the implementation of a modern, robust, and secure identity infrastructure that can securely authenticate and authorize users and incoming requests, enforce the appropriate consent requests, and tightly govern the use of identities,” the guide continued.

H-ISAC recommended that organizations address some key functions tied to identity, including authentication and access, authorization, governance and administration, and patient matching.

Additionally, H-ISAC stressed the importance of using multi-factor authentication (MFA) to maintain cybersecurity. The Office of the National Coordinator for Health Information Technology (ONC) do no explicitly mandate MFA, but it is strongly encouraged. HHS’s Office for Civil Rights (OCR) has previously fined healthcare organizations for HIPAA violations relating to inadequate authentication, providing yet another reason for organizations to implement MFA.

A robust identity structure can help organizations go beyond compliance and actually enable them to launch new health apps and services in a secure way, streamline EHI exchange workflows, and empower patients to have control over their health data.

“Identity is a journey,” the guide emphasized. “As the healthcare industry focuses on digital adoption, identity will continue to play a foundational role. Whether your implementation of a modern identity system is driven by regulatory and compliance requirements, security and privacy concerns, or a desire to improve customer experience, a well-architected, robust digital identity solution can address all of these drivers.”