Understanding The Realities of API Security
ONC is short for "Office of the National Coordinator for Health Information Technology." The National Coordinator is an executive (as in "Presidential") appointment that reports to the Secretary of the United States Department of Health and Human Services. According to the ONC's website, the organization is:
"... at the forefront of the administration's health IT efforts and is a resource to the entire health system to support the adoption of health information technology and the promotion of nationwide health information exchange to improve health care... ONC is the principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information."
At the time of the hearing (January 26, 2016), the ONC and the American health IT community were in the midst of the third and final stage (Stage 3) of the National Coordinator's Meaningful Use initiative. One of the third stage's intentions is to demonstrate interoperability of Electronic Health Records (EHR) and Electronic Medical Records (EMR) between dissimilar EHR/EMR systems. A typical use case is that of a patient who is simultaneously under the care of several doctors from different practices and hospitals, all of whom (including the patient) need a global view of the patient's care and progress.
APIs are, of course, naturally suited to situations where interoperability is a mandate. However, given the extreme sensitivity of EHR/EMR data and the way in which it is regulated by the Health Insurance Portability and Accountability Act (HIPAA), the health IT community is moving towards interoperability with extreme trepidation, and one of its primary concerns is the state of API security. As a result, the ONC formed an API Security and Privacy Task Force to dig deeper into those concerns and, among other things, solicit testimony from a diverse set of domain experts.
The experts, including Berlind, were each given five minutes to orally address a list of non-industry-specific questions regarding API security. The experts were also permitted to submit additional written material. This series consists of Berlind's written testimony, which he later condensed into a 5-minute oral presentation (captured in this series' conclusion). Each of the Task Force's questions is addressed by a separate part of the series. Before publishing this series on ProgrammableWeb, the questions were edited for headline fit and clarity and, in a handful of cases, Berlind has provided some additional information that he believes to be useful to ProgrammableWeb's audience. For example, he added some examples of API providers like Orange and Trustpilot that target developers-at-large as well as partners through separate API offerings (and, in Orange's case, separate developer portals).