• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to secondary sidebar
  • Skip to footer

  • Opinion
  • Health IT
    • Behavioral Health
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Patient Engagement
    • Population Health Management
    • Revenue Cycle Management
    • Social Determinants of Health
  • Digital Health
    • AI
    • Blockchain
    • Precision Medicine
    • Telehealth
    • Wearables
  • Startups
  • M&A
  • Value-based Care
    • Accountable Care (ACOs)
    • Medicare Advantage
  • Life Sciences
  • Research

CIO: 3 Rules for Meeting ONC/CMS Interoperability, While Improving Cybersecurity

by Scott Galbari, CTO & Drew Ivan, Chief Product and Strategy Officer, Lyniate 12/31/2020 Leave a Comment

  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print
  • Scott Galbari, CTO, Lyniate
  • vital role health IT will play in controlling the spread of COVID-19.
    Drew Ivan, Chief Product and Strategy Officer, Lyniate

Healthcare data security has been a growing concern for CIOs for the last year or so, as hackers are increasingly targeting health information. Now, with a global pandemic forcing a shift to telemedicine and remote work, and new rules from the ONC and CMS introducing more regulatory burden, healthcare CIOs have more to manage than ever. Fortunately, it is possible to roll out new capabilities while simultaneously improving cybersecurity by following these three rules:

Rule 1: Think Like an Attacker

The coronavirus pandemic has forced healthcare providers everywhere to roll out new capabilities, processes, and workflows, such as telemedicine systems and new patient check-in procedures. These measures are being taken in addition to the necessary work being done to comply with the new mandates from ONC and CMS regarding patient data accessibility. Though these changes need to be implemented quickly, it’s important to follow cybersecurity best practices to avoid providing new openings for attackers. 

When a hacker sees new systems and processes being implemented, they are thinking about:

– What software is being introduced? Are there known vulnerabilities or frequently unpatched exploits associated with it?

– How are new endpoints being added and are they secure?

– Since the new ONC and CMS rules require publicly exposed FHIR APIs, how can those be attacked? Are there social engineering exploits that can provide a way around security?

– Are there ways to perpetrate identity fraud if a patient does not need to be physically present to receive healthcare?

This approach should lead to a cybersecurity plan that puts measures in place for each identified risk. By thinking like the adversary, it is possible to identify and lock down the possible attack vectors. 

Rule 2: Minimize the Attack Surface

Every way into an organization’s network needs to be secured, monitored, and maintained. The best way to make this process as efficient and fool-proof as possible is to minimize the number of ways into the network. 

This is especially difficult in light of the ONC and CMS rules, which require that clinical systems must share data through publicly available FHIR APIs. At first, this seems like a mandate to radically expand the organization’s attack surface. Indeed, this is precisely what happens if the straightforward approach of exposing every clinical system through public APIs is followed. 

A different approach, which provides the same capabilities and compliance with the rules, would be to route all API traffic through a central hub. Attaching all the clinical systems to a single point of API access provides a number of benefits:

– Most importantly, compliance is achieved while minimizing the new attack vectors.

– All traffic between clinical systems and the outside world can be monitored from a single place.

– The API hub can act as a façade that makes legacy systems compliant with the new rules, even if those systems lack native FHIR API capabilities.

The API hub need not be an expensive new component of the network architecture. Most healthcare organizations are already using a clinical integration engine to move HL7, XML, and DICOM traffic among their internal systems. The same technology can serve as an API hub. This is especially effective if a new instance of the integration engine is placed in an isolated part of the network without full access to other systems. 

Rule 3: Have an Expert Review the Defenses

Even for healthcare organizations with cybersecurity experts on staff, it can be worthwhile to bring in a cybersecurity consultant to cross-check new implementations. Novel threats are constantly shifting and emerging, making it nearly impossible for internal IT staff to keep up with the looming threats of ransomware hacks, while also adequately carrying out the day-to-day responsibilities of their jobs. For that reason, it makes sense to bring in a professional who focuses exclusively on security. It is also often useful to have an independent review from someone who is looking at the implementation from an outsider’s perspective. Independent consultants can provide the necessary guidance, risk assessments, and other security support, to set healthcare organizations up for success and operate more securely. 

Expanding an organization’s IT capabilities often means more exposure to risk, especially when implementations are subject to time constraints. However, given the value and importance of the data that’s being generated, transmitted, and stored, it is imperative not to let cybersecurity fall out of focus. By following best practices around design, implementation, and testing healthcare organizations can rise to meet the current challenges of the pandemic, address the mandates of the interoperability rules, and simultaneously improve data security measures. 


About Scott Galbari, Chief Technology Officer

As Chief Technology Officer for Lyniate, Scott leads the development and delivery of all products and services. Scott has been in the healthcare IT domain for the past twenty years and has experience in developing and delivering imaging, workflow, nursing, interoperability, and patient flow solutions to customers in all geographies. He was most recently the General Manager for multiple businesses within McKesson and Change Healthcare and started his career as a software developer.

About Drew Ivan, Chief Product & Strategy Officer

Drew’s focus is on how to operationalize and productize integration technologies, patterns, and best practices. His experience includes over 20 years in health IT, working with a wide spectrum of customers, including public HIEs, IDNs, payers, life sciences companies, and software vendors, with the goal of improving outcomes and reducing costs by aggregating and analyzing clinical, claims, and cost data.


  • LinkedIn
  • Twitter
  • Facebook
  • Email
  • Print

Tagged With: API, Change Healthcare, CMS, Cybersecurity, FHIR, Health IT, Health IT Interoperability, Healthcare Data, healthcare it, HIEs, HL7, IDNs, interoperability, Life Sciences, mckesson, ONC, Payers, Public APIs, risk, telemedicine

Tap Native

Get in-depth healthcare technology analysis and commentary delivered straight to your email weekly

Reader Interactions

Primary Sidebar

Subscribe to HIT Consultant

Latest insightful articles delivered straight to your inbox weekly.

Submit a Tip or Pitch

Featured Insights

2025 EMR Software Pricing Guide

2025 EMR Software Pricing Guide

Featured Interview

Paradigm Shift in Diabetes Care with Studio Clinics: Q&A with Reach7 Founder Chun Yong

Most-Read

Medtronic to Separate Diabetes Business into New Standalone Company

Medtronic to Separate Diabetes Business into New Standalone Company

White House, IBM Partner to Fight COVID-19 Using Supercomputers

HHS Sets Pricing Targets for Trump’s EO on Most-Favored-Nation Drug Pricing

23andMe to Mine Genetic Data for Drug Discovery

Regeneron to Acquire Key 23andMe Assets for $256M, Pledges Continuity of Consumer Genome Services

CureIS Healthcare Sues Epic: Alleges Anti-Competitive Practices & Trade Secret Theft

The Evolving Role of Physician Advisors: Bridging the Gap Between Clinicians and Administrators

The Evolving Physician Advisor: From UM to Value-Based Care & AI

UnitedHealth Group Names Stephen Hemsley CEO as Andrew Witty Steps Down

UnitedHealth CEO Andrew Witty Steps Down, Stephen Hemsley Returns as CEO

Omada Health Files for IPO

Omada Health Files for IPO

Blue Cross Blue Shield of Massachusetts Launches "CloseKnit" Virtual-First Primary Care Option

Blue Cross Blue Shield of Massachusetts Launches “CloseKnit” Virtual-First Primary Care Option

Osteoboost Launches First FDA-Cleared Prescription Wearable Nationwide to Combat Low Bone Density

Osteoboost Launches First FDA-Cleared Prescription Wearable Nationwide to Combat Low Bone Density

2019 MedTech Breakthrough Award Category Winners Announced

MedTech Breakthrough Announces 2025 MedTech Breakthrough Award Winners

Secondary Sidebar

Footer

Company

  • About Us
  • Advertise with Us
  • Reprints and Permissions
  • Submit An Op-Ed
  • Contact
  • Subscribe

Editorial Coverage

  • Opinion
  • Health IT
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Population Health Management
    • Revenue Cycle Management
  • Digital Health
    • Artificial Intelligence
    • Blockchain Tech
    • Precision Medicine
    • Telehealth
    • Wearables
  • Startups
  • Value-Based Care
    • Accountable Care
    • Medicare Advantage

Connect

Subscribe to HIT Consultant Media

Latest insightful articles delivered straight to your inbox weekly

Copyright © 2025. HIT Consultant Media. All Rights Reserved. Privacy Policy |