This document summarizes the risks to patient health records through unregulated APIs. It describes how regulations like HIPAA aimed to protect privacy but subsequent policies and incentives have unintentionally led to widespread accessibility of records through APIs and apps. Experts express concerns that further action is needed regarding data security, information blocking, and prioritizing interoperability to fully address these risks to millions of patient records.
5. “If it wasn’t complicated – it wouldn’t be allowed to happen. The complexity disguises what’s happening. If it’s so complicated that you can’t understand it – then you can’t question it.”
Michael Lewis
@danmunro
13.
Dr. David Brailer
First ONC – 2004 to 2006
Dr. Bob Wachter: I asked Brailer … if he had still been ONC director in 2008, would he have turned down the [HITECH Act] $30 billion?
Dr. David Brailer: No, but I would have spent the money on standards, interoperability, a ‘Geek Squad’ to help with training and implementation, and creating a cloud-based ‘medical Internet.’ I never would have spent money on direct subsidies to providers. We’ve built the Frankenstein I was most afraid of.
Excerpt from: The Digital Doctor
By Dr. Bob Wachter (2015)
23.
Timeline: 2014 · 2015 · 2020 · 2021
• Information Blocking – Effective: April 5 [Normative rule – 2019]
• 80M Records – $16M Fine [2016]
• Information Blocking – Introduced
24.
“Although the rule acknowledges the tension between data security and authentication procedures [acknowledging that the OAuth 2.0 standard for Health IT Modules’ implementation of an API is susceptible to cross-site request forgery vulnerabilities] it also cautions certified Health IT Modules against requiring patients to reauthorize or reauthenticate with such frequency that it would be considered information blocking.”
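The cross-site request forgery risk the rule names is the classic one in the OAuth 2.0 authorization-code flow: a redirect back to the app that the app did not start. The standard mitigation is a per-flow `state` value bound to the user's session and checked on the callback, which is invisible to the patient and therefore adds no reauthentication burden. The following is an added illustration, not code from the deck or from any certified Health IT Module; the endpoint URLs, client id, session store and SMART-style scope strings are assumed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical authorization server and client registration (not from the original deck).
AUTHORIZE_URL = "https://ehr.example/oauth2/authorize"
CLIENT_ID = "example-patient-app"
REDIRECT_URI = "https://app.example/callback"

# Constructed in-memory session store: session id -> pending OAuth `state`.
# A real app keeps this in its server-side session backend.
PENDING: Dict[str, str] = {}


def build_authorize_redirect(session_id: str) -> str:
    """Start the authorization-code flow for one browser session.

    A fresh, unguessable `state` is stored against the session and sent to the
    authorization server, which must echo it back unchanged on the redirect.
    """
    state = secrets.token_urlsafe(32)
    PENDING[session_id] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        # SMART App Launch v1-style scope strings, assumed for illustration.
        "scope": "launch/patient patient/Observation.read",
        "state": state,
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def state_in_url(url: str) -> Optional[str]:
    """Read the `state` query parameter from a redirect URL, or None if absent."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def handle_callback(session_id: str, callback_url: str) -> Optional[str]:
    """Return the authorization code only if the redirect is bound to this session.

    A redirect crafted by another site cannot carry the `state` held in the
    victim's session, so the code it carries is never exchanged for tokens.
    Each `state` is single-use, so a replayed callback is rejected as well.
    """
    expected = PENDING.get(session_id)
    received = state_in_url(callback_url)
    if expected is None or received is None:
        return None
    # Constant-time comparison on bytes; non-ASCII input cannot raise here.
    if not hmac.compare_digest(expected.encode(), received.encode("utf-8", "replace")):
        return None
    del PENDING[session_id]  # single use: the same callback cannot be replayed
    return parse_qs(urlparse(callback_url).query).get("code", [None])[0]


if __name__ == "__main__":
    url = build_authorize_redirect("session-1")
    print("redirect to:", url)
    good = f"{REDIRECT_URI}?code=abc123&state={state_in_url(url)}"
    print("code from genuine callback:", handle_callback("session-1", good))
    print("code from forged callback:", handle_callback("session-1", f"{REDIRECT_URI}?code=x&state=forged"))
```

Because the check is on a value the browser carries automatically, it resolves the vulnerability the rule acknowledges without asking the patient to sign in again; session lifetime and reauthentication frequency remain a separate policy choice.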
25.
PLAYING WITH FHIR
[October, 2021]
The vulnerability findings in FHIR mobile apps and APIs accessed via the aggregators and developers were innumerable.
With one patient engagement app, the API endpoint sent me all the patient and clinician records in its database, indicating it was using the mobile app to filter out just my record.
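The failure described in that finding is an authorization check placed in the wrong tier: the server returns its whole table and relies on the app to display one patient's rows. The fix is to enforce the patient compartment on the resource server from the validated token's context. This is an added example, not code from the deck, from the report it quotes, or from any FHIR server; the Observation resources are synthetic, and the token shape (a `scope` string plus a `patient` launch-context id, in SMART App Launch v1 syntax) is assumed for illustration.

```python
from typing import Dict, List, Optional

# Constructed sample FHIR Observation resources: synthetic, not real patient data.
OBSERVATIONS: List[dict] = [
    {"resourceType": "Observation", "id": "obs-1",
     "subject": {"reference": "Patient/p1"}, "code": {"text": "Heart rate"}},
    {"resourceType": "Observation", "id": "obs-2",
     "subject": {"reference": "Patient/p2"}, "code": {"text": "Body weight"}},
    {"resourceType": "Observation", "id": "obs-3",
     "subject": {"reference": "Patient/p1"}, "code": {"text": "Blood pressure"}},
]

# Scopes that permit reading Observations in the patient compartment
# (SMART App Launch v1 scope syntax, assumed for this example).
READ_SCOPES = {"patient/Observation.read", "patient/*.read"}


def leaky_observation_search(token: Dict[str, str]) -> List[dict]:
    """The failure mode from the finding: the server hands back its whole table
    and trusts the mobile app to show only the current patient's rows."""
    return list(OBSERVATIONS)


def scoped_observation_search(token: Dict[str, str],
                              requested_patient: Optional[str] = None) -> List[dict]:
    """Enforce the patient compartment on the server.

    `token` stands for the claims of an already-validated access token. Rows
    outside that patient's compartment are never serialized, whatever the
    client asks for in its search parameters.
    """
    granted = set(token.get("scope", "").split())
    if not granted & READ_SCOPES:
        raise PermissionError("token lacks a patient-level Observation read scope")
    patient = token.get("patient")
    if not patient:
        raise PermissionError("token carries no patient context")
    # A client-supplied ?patient= filter may narrow the result, never widen it.
    if requested_patient is not None and requested_patient != patient:
        raise PermissionError("requested patient is outside the token's compartment")
    wanted = f"Patient/{patient}"
    return [o for o in OBSERVATIONS if o.get("subject", {}).get("reference") == wanted]


def to_bundle(resources: List[dict]) -> dict:
    """Wrap results in a FHIR searchset Bundle, the shape a search endpoint returns."""
    return {"resourceType": "Bundle", "type": "searchset", "total": len(resources),
            "entry": [{"resource": r} for r in resources]}


if __name__ == "__main__":
    token = {"scope": "launch/patient patient/Observation.read", "patient": "p1"}
    print("leaky endpoint returns", len(leaky_observation_search(token)), "observations")
    print("scoped endpoint returns", to_bundle(scoped_observation_search(token))["total"], "observations")
```

A useful check when reviewing an API of this kind is to count rows in the raw response against rows shown in the app for the same call; any difference means filtering is happening on the client, which is the condition the finding describes.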
26.
Dinner tonight with multiple digital health app CEOs: One EHR has literally turned off App Store access to new apps for at least . . . TWO months. Off
Another EHR said “21CC prevents them from sharing data with apps”
Still so far to go . . . but we can fix this!
7:57 PM · Mar 29, 2022 · Twitter for iPhone
27.
“I might be lambasted for this, but … to be completely frank, I have problems with the information blocking provisions. They represent excellent regulatory policy when judged solely on intent, but, taken more practically, miss on advancing our national posture. They don’t fundamentally change a whole lot, given the exceptions, and really just reinforce HIPAA rights that already existed.”
Brendan Keeler
PM @ Zus Health
November, 2021
Note: Until October 2022 – EHI under IB is a subset of PHI under HIPAA.
28.
Dr. Micki Tripathi
11th ONC – 2021 to Present
“I don’t even like the term ‘information blocking.’ I don’t know how much information blocking is really out there, but I don’t think most of it is malicious in nature. It’s more that providers are not prioritizing the sharing of information. It’s not high on the list, so they’re just doing the bare minimum to avoid penalties without really investing in making interoperability a core part of their business model.”
March, 2022
32.
Jeffrey Wheatman
Sr. VP, Cyber Risk Evangelist
“I believe it’s fairly unlikely that cyber insurance will continue to pay off significant damages as a result of cyber claims and, for the most part, is going to be primarily used for simple things such as paying postage for breach notification mailings, paying for incident response and postmortem investigations.”
A Fight For Coverage
Cyber Insurance Risk in 2022
33.
• #HC Needs APIs – But #HC Data is unique
• Security is a BIG Cost
• #FHIR is a GREAT Resource/Standard
• But standards can’t be ‘voluntary’