- If interoperability is one half of the healthcare innovation story, security and privacy are the other, more challenging half. Interoperability in healthcare usually involves sharing individual patient data, which typically falls under HIPAA's definition of Protected Health Information (PHI). So, if an app requests a member's first name and address, both of those fields are PHI and must be handled according to HIPAA's requirements.
- Providing data access to third parties whilst maintaining a semblance of privacy is an important and costly tradeoff. Moreover, the newer regulations expect certain types of information to be exposed publicly as APIs, which means those APIs also need to be protected from common attacks on public endpoints. The first concern (controlled third-party access) is addressed in part by the SMART on FHIR guidelines, which describe how OpenID Connect and related technologies can be used for API security. The second concern (public exposure) needs to be addressed by complementary security features available in API management, such as rate limiting and script attack protection, together with security practices such as encryption.
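One concrete piece of the SMART on FHIR authorization model mentioned above is enforcing the granted scopes at the API layer. The following is an added example, not code from the original page or from any SMART on FHIR implementation; it assumes the SMART v1 scope syntax (`patient/Observation.read`, `user/*.*`) and a token that carries the granted scopes plus the launch-context patient id, and it shows why patient-context scopes must also be checked against the patient the request targets.

```python
"""Deny-by-default SMART on FHIR scope enforcement for a FHIR API gateway (constructed example)."""
import re
from dataclasses import dataclass
from typing import Optional, FrozenSet, Tuple

# SMART v1 scope grammar: (patient|user)/(ResourceType|*).(read|write|*)
SCOPE_RE = re.compile(r"^(patient|user)/([A-Za-z]+|\*)\.(read|write|\*)$")

# HTTP method -> SMART access verb; anything unmapped is denied
METHOD_VERB = {"GET": "read", "POST": "write", "PUT": "write", "DELETE": "write"}


@dataclass(frozen=True)
class Token:
    scopes: FrozenSet[str]       # granted scopes from the access token (assumed claim)
    patient: Optional[str]       # launch-context patient the token is bound to, if any


@dataclass(frozen=True)
class Request:
    method: str
    resource_type: str           # FHIR resource type, e.g. "Observation"
    patient: Optional[str]       # patient compartment the request targets, if known


def parse_scope(scope: str) -> Optional[Tuple[str, str, str]]:
    """Return (context, resource, verb) or None for a malformed scope."""
    m = SCOPE_RE.match(scope)
    return m.groups() if m else None


def authorize(token: Token, req: Request) -> Tuple[bool, str]:
    """Allow only if some granted scope covers the resource, verb and patient context."""
    verb = METHOD_VERB.get(req.method)
    if verb is None:
        return False, "unsupported method"
    for scope in token.scopes:
        parsed = parse_scope(scope)
        if parsed is None:
            continue                      # malformed scopes are ignored, never honoured
        ctx, res, v = parsed
        if res not in ("*", req.resource_type) or v not in ("*", verb):
            continue
        # patient/ scopes are confined to the launch patient; a request for another
        # patient (or with no patient compartment) is not covered by this scope
        if ctx == "patient" and (token.patient is None or req.patient != token.patient):
            continue
        return True, f"granted by {scope}"
    return False, "no matching scope"
```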