CIO: 3 Rules for Meeting ONC/CMS Interoperability, While Improving Cybersecurity

by Scott Galbari, CTO, and Drew Ivan, Chief Product and Strategy Officer, Lyniate, 12/31/2020

Healthcare data security has been a growing concern for CIOs for the last year or so, as hackers are increasingly targeting health information. Now, with a global pandemic forcing a shift to telemedicine and remote work, and new rules from the ONC and CMS introducing more regulatory burden, healthcare CIOs have more to manage than ever. Fortunately, it is possible to roll out new capabilities while simultaneously improving cybersecurity by following these three rules:

Rule 1: Think Like an Attacker

The coronavirus pandemic has forced healthcare providers everywhere to roll out new capabilities, processes, and workflows, such as telemedicine systems and new patient check-in procedures. These measures are being taken in addition to the necessary work being done to comply with the new mandates from ONC and CMS regarding patient data accessibility. Though these changes need to be implemented quickly, it’s important to follow cybersecurity best practices to avoid providing new openings for attackers. 

When a hacker sees new systems and processes being implemented, they are thinking about:

– What software is being introduced? Does it carry known vulnerabilities, or a history of patches that organizations frequently fail to apply?

– How are new endpoints being added and are they secure?

– Since the new ONC and CMS rules require publicly exposed FHIR APIs, how can those be attacked? Are there social engineering exploits that can provide a way around security?

– Are there ways to perpetrate identity fraud if a patient does not need to be physically present to receive healthcare?

This approach should lead to a cybersecurity plan that puts measures in place for each identified risk. By thinking like the adversary, it is possible to identify and lock down the possible attack vectors. 

Rule 2: Minimize the Attack Surface

Every way into an organization’s network needs to be secured, monitored, and maintained. The best way to make this process as efficient and fool-proof as possible is to minimize the number of ways into the network. 

This is especially difficult in light of the ONC and CMS rules, which require that clinical systems must share data through publicly available FHIR APIs. At first, this seems like a mandate to radically expand the organization’s attack surface. Indeed, this is precisely what happens if the straightforward approach of exposing every clinical system through public APIs is followed. 

A different approach, which provides the same capabilities and compliance with the rules, would be to route all API traffic through a central hub. Attaching all the clinical systems to a single point of API access provides a number of benefits:

– Most importantly, compliance is achieved while minimizing the new attack vectors.

– All traffic between clinical systems and the outside world can be monitored from a single place.

– The API hub can act as a façade that makes legacy systems compliant with the new rules, even if those systems lack native FHIR API capabilities.

The API hub need not be an expensive new component of the network architecture. Most healthcare organizations are already using a clinical integration engine to move HL7, XML, and DICOM traffic among their internal systems. The same technology can serve as an API hub. This is especially effective if a new instance of the integration engine is placed in an isolated part of the network without full access to other systems. 
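The hub pattern above, as an added example that is not code from the article or from Lyniate: one public entry point authenticates the caller, exposes only an allow-listed set of FHIR resource types, records every request in a single audit log, and acts as a façade by translating a legacy HL7 v2 PID segment into a FHIR R4 Patient. The token table, the ADT message and the `urn:example` identifier system are constructed for illustration; a real deployment would validate tokens against the organization's OAuth 2.0 / SMART on FHIR authorization server.

```python
import json
from datetime import datetime, timezone

# Constructed for illustration: real tokens would be validated against the
# organization's OAuth 2.0 / SMART on FHIR authorization server.
VALID_TOKENS = {"token-abc": "app-telehealth"}
EXPOSED_RESOURCES = {"Patient"}   # only the resource types the rules require are reachable
AUDIT_LOG = []                    # the single place where all outside traffic is recorded

# Constructed HL7 v2 ADT^A01 message standing in for a legacy clinical system's output.
LEGACY_ADT = ("MSH|^~\\&|LEGACY|HOSP|HUB|HOSP|202012310800||ADT^A01|1|P|2.3\r"
              "PID|1||12345^^^HOSP^MR||DOE^JANE||19800101|F")


def pid_to_fhir_patient(hl7_message: str) -> dict:
    """Facade translation: the PID segment of an HL7 v2 message becomes a FHIR R4 Patient."""
    pid = next(seg for seg in hl7_message.split("\r") if seg.startswith("PID|"))
    f = pid.split("|")
    mrn = f[3].split("^")[0]               # PID-3: patient identifier (MRN)
    family, given = f[5].split("^")[:2]    # PID-5: family^given
    dob = f[7]                             # PID-7: YYYYMMDD
    return {
        "resourceType": "Patient",
        "id": mrn,
        "identifier": [{"system": "urn:example:hosp:mrn", "value": mrn}],
        "name": [{"family": family.title(), "given": [given.title()]}],
        "birthDate": f"{dob[:4]}-{dob[4:6]}-{dob[6:8]}",
        "gender": {"F": "female", "M": "male"}.get(f[8], "unknown"),
    }


def hub_handle(resource_type: str, resource_id: str, token: str) -> tuple:
    """The hub's single public entry point. Returns (HTTP status, FHIR body)."""
    client = VALID_TOKENS.get(token)
    if client is None:
        status, body = 401, {"error": "unauthenticated"}
    elif resource_type not in EXPOSED_RESOURCES:
        status, body = 403, {"error": "resource type not exposed"}
    else:
        patient = pid_to_fhir_patient(LEGACY_ADT)   # stand-in for a lookup in the legacy system
        if patient["id"] == resource_id:
            status, body = 200, patient
        else:
            status, body = 404, {"error": "not found"}
    # Every request, allowed or refused, lands in one audit record for monitoring.
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "client": client,
                      "request": f"{resource_type}/{resource_id}", "status": status})
    return status, body


if __name__ == "__main__":
    print(json.dumps(hub_handle("Patient", "12345", "token-abc"), indent=2))
```

Because refused requests are logged alongside successful ones, the same audit stream feeds both compliance reporting and detection of probing against the exposed API.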

Rule 3: Have an Expert Review the Defenses

Even for healthcare organizations with cybersecurity experts on staff, it can be worthwhile to bring in a cybersecurity consultant to cross-check new implementations. Threats are constantly shifting and emerging, which makes it nearly impossible for internal IT staff to keep up with the looming risk of ransomware attacks while also adequately carrying out the day-to-day responsibilities of their jobs. For that reason, it makes sense to bring in a professional who focuses exclusively on security. It is also often useful to have an independent review from someone who is looking at the implementation from an outsider's perspective. Independent consultants can provide the necessary guidance, risk assessments, and other security support to set healthcare organizations up for success and help them operate more securely.

Expanding an organization's IT capabilities often means more exposure to risk, especially when implementations are subject to time constraints. However, given the value and importance of the data that is being generated, transmitted, and stored, it is imperative not to let cybersecurity fall out of focus. By following best practices around design, implementation, and testing, healthcare organizations can rise to meet the current challenges of the pandemic, address the mandates of the interoperability rules, and simultaneously improve data security measures.


About Scott Galbari, Chief Technology Officer

As Chief Technology Officer for Lyniate, Scott leads the development and delivery of all products and services. Scott has been in the healthcare IT domain for the past twenty years and has experience in developing and delivering imaging, workflow, nursing, interoperability, and patient flow solutions to customers in all geographies. He was most recently the General Manager for multiple businesses within McKesson and Change Healthcare and started his career as a software developer.

About Drew Ivan, Chief Product & Strategy Officer

Drew’s focus is on how to operationalize and productize integration technologies, patterns, and best practices. His experience includes over 20 years in health IT, working with a wide spectrum of customers, including public HIEs, IDNs, payers, life sciences companies, and software vendors, with the goal of improving outcomes and reducing costs by aggregating and analyzing clinical, claims, and cost data.

