Interoperability rules largely welcomed, but potential privacy and security issues must be addressed, experts warn

US healthcare technology: Move to standardize APIs for patient data access receives mixed response

New rules giving patients better access to their medical data have been approved by the US Department of Health and Human Services (DHSS) – but experts warn that security may not be entirely sewn up.

Currently, many electronic health record contracts contain provisions that either prevent or are perceived to prevent the sharing of information related to the records in use, such as screenshots or video.

From the beginning of next year, though, health plans doing business in Medicare, Medicaid, CHIP, and federal exchanges will be required to share patients’ health data.

Meanwhile, a new API will allow developers to create apps allowing patients to access their own data, as well as integrating a health plan’s information with their electronic health record (EHR).

“Delivering interoperability actually gives patients the ability to manage their healthcare the same way they manage their finances, travel, and every other component of their lives,” says Don Rucker, national coordinator for health information technology.

“This requires using modern computing standards and APIs that give patients access to their health information and give them the ability to use the tools they want to shop for and coordinate their own care on their smartphones.”

Predatory apps and snake oil warning

The new rules are generally being welcomed – with reservations.

“I’m not sure diving in headfirst by giving patients apps to access their own healthcare records via mobile apps is a good idea,” says Paul Bischoff, privacy advocate for security research firm Comparitech.

“Patients might not know what they’re agreeing to when handing over permission to apps to access their health records. This could lead to predatory apps that leverage medical records to sell snake oil.”

Meanwhile, says Tim Mackey, principal security strategist with the Synopsys Cybersecurity Research Center, the nature of the US’ insurance-based healthcare system means that patients may need to be careful about the information they share.

“Given the sensitive nature of medical records, and the potential for a pre-existing condition to negatively influence future patient care, vetting of both app creators and medical data usage in care decisions are concerns,” he says.

“As consumers embrace apps as a proxy for physical identification and their mobile devices as a central store for their most sensitive data, both the security of those apps and the potential for compromise of a mobile device become increasing concerns.”

Much-needed security standard

According to the DHSS, similar apps already exist, in the form of Medicare Blue Button 2.0, which allows patients to securely connect their Medicare Part A, Part B and Part D claims and other data to apps and other tools.

More than 2,770 developers from over 1,100 organizations are working in the Medicare Blue Button 2.0 sandbox, it says, and 55 organizations have applications in production.

But, says David Jemmett, CEO and founder of security firm Cerberus Sentinel, it could be hard to implement a comprehensive security standard.

“As things stand currently, you don’t know if your portal has been checked for security standards unless there has been certification to meet a number of additional standards,” he says.

“Often the code itself goes unchecked and third-party companies can be building them for the interface, but there is no one to go line by line, ensuring security standards are met to certify the software.”


READ MORE EU to give €100bn MedTech industry a security health check