Understanding FHIR Protocol
Information security vs. interoperability under the FHIR Protocol and the future of the healthcare industry
January 11, 2023
Healthcare organizations are starting 2023 under the umbrella of the ONC Cures Act Final Rule, stipulating the adoption of standardized programming to exchange information.
Some of these companies and their IT departments have already adapted while others are scrambling to properly implement Fast Healthcare Interoperability Resources (FHIR) or FHIR-based application programming. The catch is designing a FHIR-compliant protocol that both entitles patients to access and download their health information using secure, patient-facing applications no matter where their data is stored while also keeping up with modern consumer demands for an easy interface.
FHIR is a project nearly 10 years in the making, and its universal adoption is a tall order for an industry in which more than 50% of healthcare leaders were unfamiliar with the fundamental goals of the Cures Act half a decade after it was signed into law in 2016.
In the meantime, patients are marching forward with demands for improved convenience and security in accessing their health information. In 2021, 90% of the world’s population used a mobile device to go online, and over half of all internet traffic that year came from mobile devices. As time goes on, the pressure for mobile digital access grows, with 70% of consumers willing to switch companies (or even healthcare providers) in order to gain an improved digital experience.
As the snowballing FHIR protocol and Cures Act policies transform into an avalanche, healthcare organizations are submerged in a complex and rapidly changing regulatory environment. But compliance doesn’t need to be as tricky as it sounds. Identity proofing and authentication solutions can solve most (if not all) of the challenges that healthcare leaders face.
A Framework for Understanding the FHIR Protocol
The regulatory environment for healthcare IT is tumultuous at best. Organizations are struggling to take action and move forward; they are torn between competing priorities to make digital health information simultaneously more accessible and more secure, especially given rising incidences of identity fraud.
A better reference point is a contextual understanding of the underlying vision behind these changes and how that overall view has been translated into concrete goals, concepts, and objectives within the healthcare IT space.
Policymakers and healthcare business leaders knew, at the turn of the 21st century, that it was only a matter of time before technological innovations and big data would transform their industry. The challenge came with so much sensitive information and complexity to navigate and the absence of a single, centralized set of protocols for how to transition health data into a digital environment. This fear of complexity kept the advancement of a universal health records system siloed for more than a decade. But by the early 2010s, the ultimate vision had been encapsulated within a single term: “interoperability.”
Interoperability implies a degree of compatibility amongst organizations and shareholders in the healthcare industry, allowing for rapid and secure sharing of health records and information. The catch is that it’s much easier said than done.
If interoperability is the goal, information blocking is the antithesis of that goal. Information blocking happens when a provider or healthcare organization refuses to share certain information with another organization, or, sometimes, even the patient. More than 55% of health information exchange organizations were engaging in information blocking as late as 2021, effectively stopping patients and other providers from seeing to see things like:
- Consultation notes
- Discharge summary notes
- Procedures notes
- Progress notes
- Imaging report narratives
- Lab report narratives
- Pathology report narratives
- History and Physical (H&P) examinations
Under FHIR, not sharing any of these items is against protocol, and can lead to negative patient outcomes.
Understandably, there are several exceptions to information blocking, including exceptions required to ensure privacy and security when fulfilling requests to access, exchange, or use EHI (Electronic Protected Health Information).
Application Programming Interfaces
Policymakers have targeted application programming interfaces (APIs) to achieve interoperability and prevent the unnecessary blocking of information. APIs enable otherwise incompatible computer programs and applications to communicate efficiently and securely with one another.
It’s important to understand that APIs are developed from an authoritative set of rules, or protocols, that define what the interface looks like when two programs or applications interact. Those API protocols must be established before software developers can build them. Regulations must revolve around the rules and protocols governing the development of these APIs to facilitate interoperability in the healthcare industry.
The FHIR Protocol, the CURES Act, and the Final Rule (A Timeline)
Since each healthcare organization develops its own unique applications and IT infrastructures tailored to how it stores and accesses health information, the FHIR protocol, the CURES Act, and the recent Final Rule all involve API development protocols for how these programs should interface.
Initial FHIR Protocol Established (Early 2012)
In response to growing pressure for digitized health data and information sharing, decision makers began developing the FHIR Protocol in 2012. These standards for API development are intended to minimize and eliminate barriers to the exchange of healthcare data. FHIR is based on general internet tenets already in use in other industries and eases the burden on developers by providing them with a clear direction about how they can best support the IT needs of the healthcare industry.
Sounds simple enough, right? By specifying how varying computer systems should share information, the FHIR protocol is paving the way for more modernized, lightweight processes capable of sharing health records in real time.
The FHIR protocol centers around a handful of objectives and benefits for software developers:
- To lower barriers to entry for software developers
Technology advances quickly, and policymakers recognize the need for an IT infrastructure within the healthcare industry that is capable of keeping up with the pace. The FHIR protocol entices software developers to enter the space by dictating that the fundamental building blocks be free to use and accompanied by no restrictions. Additionally, online specifications are concise and simple, ensuring that developers easily understand them.
- To provide an array of free, easily accessible online tools and resources
This includes reference servers, implementation libraries, and out-of-the-box interoperability resources that can be used as-is or tailored to the organization’s unique needs.
When it comes to cybersecurity and information sharing, developers in the IT health space have an especially challenging environment to navigate. The liminal space between information blocking and IT vulnerabilities is narrow and constantly changing, meaning that healthcare organizations and providers must be vigilant about shifting requirements and minimum necessary standards of care.
- Global implementation support
In addition to the abundant resources and tools available, the FHIR protocol also assembles a digital community to foster collaboration for faster software development and implementation.
As a result of the FHIR protocol’s implementation, the growing body of software development tools, resources, and online communities has given rise to a robust ecosystem of applications, servers, and other critical bits of infrastructure that collectively are meeting the demands of the healthcare IT sector.
Cures Act Signed into Law (2016)
Near the end of his tenure, President Barack Obama signed the 21st Century Cures Act, more commonly referred to as the “Cures Act.” This legislation dramatically improved how digital health information is shared and stored by permitting interoperable systems to facilitate those processes.
The Cures Act applies to healthcare providers and organizations as well as developers of certified health IT and health information exchanges and networks (HIEs and HINs). Any developers working in the healthcare IT space must carefully navigate how to protect and safeguard information without being at risk of causing “information blocking” issues.
The passing of the Cures Act represented a paradigm shift in how the U.S. healthcare sector was expected to store, access, and share information.
21st Century Cures Act Final Rule (2020)
Once the Cures Act was signed, responsibility for further defining its provisions passed to the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare & Medicaid Services (CMS). These agencies produced two sets of rules described as “the most extensive healthcare data sharing policies the federal government has implemented.”
- In 2020, CMS released its Interoperability and Patient Access Final Rule, intended to improve patient access to their own health information through application programming interfaces (APIs).
- And on the final day of 2022, the ONC Cures Act Final Rule went into effect, requiring the adoption of standardized, FHIR-based APIs throughout the healthcare industry
The ONC also outlines precisely how patients can expect to use those APIs:
- The patient first downloads and logs into the app using a username and password.
- The patient uses the application to create a secure link to the API designated by the healthcare provider’s EHR (Electronic Health Record).
- The application’s information request is channeled through the API to the healthcare providers’ EHR.
- The EHR validates the request and sends back the healthcare data onto the patient’s application.
- The patient now has access to that health information via the application and can merge it with health information from other sources, creating a centralized place for accessing healthcare data.
Thanks to the 21st Century Cares Act Final Rule, patients are now entitled to access and download all of their health data using their chosen patient-facing API-enabled applications.
Challenges of Implementing the FHIR Protocol
As you can imagine, efforts toward implementing this series of rules and protocols have been plagued by several operational challenges.
1.Lack of understanding and awareness in the healthcare industry
Many healthcare executives, and even those within healthcare IT, are uninformed about how the rules are used and implemented. For example, an April 2021 survey regarding these new rules showed that almost 50% of the 4,000 healthcare industry leaders who responded were unfamiliar with the concept of “information blocking.”
2. Security concerns
Identity fraud is on the rise, with consumers losing $5.8 billion to fraudsters in 2021, representing a 70% increase from the year before. Reports of identity fraud are only getting worse as cybercriminals develop increasingly sophisticated methods for illegally exploiting the digital environment. As one might expect, healthcare consumers are especially concerned about how FHIR APIs might leave them vulnerable to unauthorized parties seeking to steal information. For that reason, member participation has been fairly low overall, meaning that API vulnerabilities and technical issues have not yet been exposed, making the selection of API technologies especially risky for healthcare organizations planning out heavier investments into integrations.
3. Misalignment and competing priorities
While the intention behind these various policy initiatives highlights a degree of forethought and vision about the future of healthcare IT, collectively, these efforts are disorganized. The inevitable result is competing priorities; organizations want to provide easy, real-time access to health information while ensuring that the information is kept secure and released only to verified users authorized to access that information.
Identity Verification, Identity Authentication, and a Path Forward Under the FHIR Protocol
As we take a closer look at the unique software design consideration for APIs, it becomes clearer that these issues are not so difficult to overcome.
Although identity verification (also known as identity proofing) and identity authentication are often considered synonymous, in the cybersecurity and IT worlds, they have very different meanings:
- Identity verification involves confirming whether or not an identity exists.
- Identity authentication confirms that a user is the person or entity they claim to be.
Processes for accomplishing these two aims are very different, and identity verification procedures are easier for cybercriminals to bypass compared to identity authentication processes.
Due to rising fraud losses, there is a need for improved identity authentication practices, which involve more complex and dynamic systems than standard identity verification processes. Authentication entails a far more dynamic and evolving set of identity proofing processes. Even once an identity has been verified, organizations must remain vigilant: establishing, through user behavior and device usage, that the unique user interaction has not been compromised in any way is critical.
Since the entire purpose of APIs within the FHIR protocol and the CURES Act Final Rule is information sharing, developers must keep two critical priorities in mind: security and performance. When it comes to REST APIs, the most flexible and high-performing APIs currently in existence, access is secured using two primary layers of security:
- API keys, which are used to verify that the program or application making the API call actually exists.
- Authentication tokens, which authorize users by making sure that they are who they claim to be. This is a much more complex and robust layer of security than API keys, making it much more difficult for cybercriminals to fool.
Even instituting these two layers of security is not enough to keep up with modern demands on healthcare organizations. While sophisticated identity verification and identity authentication solutions offer the strongest protection against fraud, they can also come with downsides, especially when it comes to rising consumer expectations.
A 2021 study found that 61% of consumers had abandoned a transaction directly due to frustrations with overly cumbersome authentication processes. Since users have already expressed concerns over the possibility that healthcare organizations could inadvertently share sensitive health data with unauthorized parties through the use of FHIR APIs, experts make clear that the only path forward is for these providers and application vendors to address challenges around regulatory compliance and information security while improving user experiences.
The solution, then, is for healthcare organizations to adopt the most sophisticated, FHIR-based APIs, which maximize both security and performance in line with the CURES Act Final Rule.
Your Partner in CURES Act and FHIR Protocol Compliance
At the heart of these challenges is the crucial need for trust in the healthcare industry as it undergoes these sweeping changes. Trust is precisely what healthcare organizations gain when they turn to identity solutions from Daon®.
IdentityX® is the world’s most versatile identity platform, performing over 250 million authentications daily and helping to secure over 1 billion identities globally.
Using Daon’s FIDO+ authentication, healthcare organizations gain the security and privacy of FIDO in conjunction with the enhanced capabilities of server-side biometrics. Put simply, IdentityX goes above and beyond just solving the challenges of FHIR and CURES Act compliance.
To learn more about how IdentityX is staying ahead of the digital healthcare curve, schedule a free demo today.