Traditional RESTful APIs Will Not Solve Healthcare’s Biggest Interoperability Problems

Brian Platz, Co-CEO and Co-Chairman of Fluree

Interoperability is a big discussion in health care, with
new regulations requiring interoperability for patient data. Most approaches
follow the typical RESTful API approach that has become the standard method for
data exchange. Yet Health Level Seven (HL7), with its new Fast Healthcare Interoperability
Resources (FHIR) standard for the electronic transfer of health data, is
leading to a rash of implementations that, to date, are not solving core interoperability
issues. 

Data is still insecure, users can’t govern their own health
records, and the need for multiple APIs for different participants with
different rights (human and machine) in the network is adding unneeded
expenditures to an already burdened healthcare system. The way out is not to
add more middleware, but to upgrade the basic tools of interoperability in a
way that finally brings healthcare technology into the 21st century.

A Timely Policy 

Doctors, hospitals, pharmacists, insurance providers,
outpatient treatment centers, labs and billing companies are just a few of the
parties that comprise the overcomplicated U.S. healthcare system. 

In digitizing medical files, as required by the 2009 Health
Information Technology for Economic and Clinical Health (HITECH) Act, providers
have adopted whatever solution was most convenient. This has led to the mess of
interoperability issues that HL7 seeks to remedy with FHIR.

Existing Electronic Medical Records (EMR) systems do not easily share data.
Best case, patients have to sign
off to share data with two incompatible systems. Worst case, information must
be turned into a physical CD or document to follow the patient between
providers. Data security is also notoriously poor. Hackers prioritized the healthcare sector as their main target in 2019; breach
costs exceeded $17.7 billion.

The New Infrastructure Rush

When common formats, by way of FHIR and HL7, provided
standards and solutions to empower global health data interoperability, the
industry erupted into a flurry of activity. Thousands of healthcare databases
are now being draped in virtual construction tarps and surrounded by digital
scaffolding. 

Building a new, interoperable data ontology for the entire
healthcare system is a massive undertaking. For one, 80% of hospital data is
managed using the cryptic, machine-language HL7 Version 2. Most of the rest
uses the inefficient, dated XML data format. HL7 FHIR promotes the use of more
modern data syntaxes, like JSON and RDF (Turtle). 

Secondly, databases have no notion of the new FHIR schema.
Armies of developers must build frameworks and middleware to facilitate interoperability.
This is why Big Tech incumbents including Google Cloud Healthcare, Amazon AWS
and Microsoft for Healthcare are jumping into the fray with their own
solutions. 

The outcome, once HL7’s 22 resources are fully normative, will
be seamless information sharing, electronic notifications, and collaboration
between every player in the giant web of patients, providers, labs, and
middlemen. But it will come at a steep cost in the current traditionally RESTful
API-based manner that is being broadly pursued. 

The Problem with APIs

The new scaffolding is expensive, takes data control away
from patients, and is not inherently secure. The number of unique APIs required
to support the access, rights and disparate user base in the healthcare network
is the reason.

Interoperability requires a common syntax and “language” to
enable databases to talk to each other. The average traditional API costs up to
$30,000 to build, plus half that cost to manage annually. That is not to
mention the cost to integrate and secure each API. A small healthcare
organization with only 10 APIs faces costs of $450,000 annually for basic API
services. 

When you consider that most big healthcare organizations will
need to connect thousands of APIs, HL7’s interoperability schema really is the
best way forward. The traditional API tooling to manage the interoperability of
the well-framed data structures, however, is the problem. 

Moreover, the patient, the rightful owner of their own
health record, still doesn’t have the ability to govern their own data. Because
change only happens in the database itself, the manager of the database, not
the patient, controls the data within. 

In the best case, this puts an additional burden on patients
to give explicit permission every time health records move between providers.
In the worst case, a provider sees an entire medical history without a
patient’s consent–your podiatrist seeing your psychiatric records, for
example.

Finally, each API enables one data store to talk to the
next, opening opportunities for bad actors to make changes to databases from
the outside. The firewalls that protect databases and networks are penetrable,
and user profiles are sometimes created outside of the database itself, making
it possible to expose, steal and change data from outside the database. 

In that light, HL7 is paving the wrong road with good
intentions. But there is another way. 

Semantic Standards and Blockchain to the Rescue

If you eliminate data APIs, secure interoperability, with
data governance fully in the hands of the patient, becomes possible. Healthcare
data silos will be replaced with a dynamic, trusted and shared data network
with privacy and security directly baked in. The solution involves adding
semantic standards for full interoperability, blockchain for data governance
and data-centric security. 

Semantic standards, such as RDF formatting and SPARQL
queries, let users quickly and easily gain answers from multiple databases and
other data stores at once. Relational databases, the ones currently in use in healthcare,
are all formatted differently, and need API middleware to talk to one another.
Accurate answers are not guaranteed. Semantic standards, on the other hand,
create a common language between all databases. Instead of untangling the
mismatched definitions and formatting inevitable with relational databases,
doctors’ offices, for example, could easily pull in pertinent patient records,
insurance coverage, and the latest research on diseases.

Patients, for their part, would use blockchain to regain control
of their data. Patients would be able to turn on aspects of their data to
specific caregivers, instead of relinquishing control to database business
managers, as is currently the case. Your podiatrist, in other words, will not
be able to see your psychiatric records unless you choose to share them. 

The data ledger, which lives on the blockchain, will contain
instructions as to who can update (write new records on) the ledger, who can
read it, and who can make changes. All changes are controlled by private-key
encryption that is in the hands of the patient; only those with authorization
can see select histories of health data (or, as in the case of an ER doctor,
entire histories, with permission). 
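
The ledger rules described above, as an added example that is not the author's or Fluree's code: a hash-chained ledger in which only patient-signed entries change who may read or write each record category. HMAC-SHA256 from the standard library stands in for the patient's private-key signature, and all names (`set_policy`, `add_record`, `read_records`, the sample parties and key) are hypothetical.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64

def _canon(fields):
    # Deterministic serialisation so hashes and signatures are reproducible.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def _policy_sig(key, index, prev, body):
    # The signature binds the policy to its ledger position, so an old grant
    # cannot be replayed after a revoke. Stand-in for an asymmetric signature:
    # a real verifier would hold only the patient's public key.
    msg = _canon({"index": index, "prev": prev, "body": body})
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def _seal(ledger, kind, body, sig=""):
    # Append an entry whose hash covers the previous entry's hash.
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"index": len(ledger), "prev": prev, "kind": kind, "body": body, "sig": sig}
    entry["hash"] = hashlib.sha256(_canon(entry)).hexdigest()
    ledger.append(entry)
    return entry

def set_policy(ledger, patient_key, action, grantee, right, category):
    """Patient-signed grant or revoke of one right on one record category."""
    if action not in ("grant", "revoke") or right not in ("read", "write"):
        raise ValueError("unknown action or right")
    body = {"action": action, "grantee": grantee, "right": right, "category": category}
    prev = ledger[-1]["hash"] if ledger else GENESIS
    return _seal(ledger, "policy", body, _policy_sig(patient_key, len(ledger), prev, body))

def active_rights(ledger):
    """Replay policy entries in order to get the rights in force now."""
    rights = set()
    for e in ledger:
        if e["kind"] == "policy":
            b = e["body"]
            item = (b["grantee"], b["right"], b["category"])
            if b["action"] == "grant":
                rights.add(item)
            else:
                rights.discard(item)
    return rights

def add_record(ledger, author, category, text):
    """A provider may write only in categories the patient opened to them."""
    if (author, "write", category) not in active_rights(ledger):
        raise PermissionError(f"{author} may not write {category} records")
    return _seal(ledger, "record", {"author": author, "category": category, "text": text})

def verify(ledger, patient_key):
    """Check the hash chain and the patient's signature on every policy entry."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        unhashed = {k: v for k, v in e.items() if k != "hash"}
        if e["index"] != i or e["prev"] != prev:
            return False
        if hashlib.sha256(_canon(unhashed)).hexdigest() != e["hash"]:
            return False
        if e["kind"] == "policy":
            want = _policy_sig(patient_key, i, prev, e["body"])
            if not hmac.compare_digest(want, e["sig"]):
                return False
        prev = e["hash"]
    return True

def read_records(ledger, patient_key, reader):
    """Return only the records whose category the reader may currently read."""
    if not verify(ledger, patient_key):
        raise ValueError("ledger failed verification")
    rights = active_rights(ledger)
    return [e["body"]["text"] for e in ledger
            if e["kind"] == "record" and (reader, "read", e["body"]["category"]) in rights]

def demo():
    key = b"constructed-patient-key"  # constructed sample value
    ledger = []
    for party, category in (("psychiatrist", "psychiatry"), ("podiatrist", "podiatry")):
        set_policy(ledger, key, "grant", party, "write", category)
        set_policy(ledger, key, "grant", party, "read", category)
    add_record(ledger, "psychiatrist", "psychiatry", "session notes")
    add_record(ledger, "podiatrist", "podiatry", "heel X-ray")
    return key, ledger

if __name__ == "__main__":
    key, ledger = demo()
    print(read_records(ledger, key, "podiatrist"))
```

A policy entry appended without the patient's key makes `verify` fail, so `read_records` refuses to serve anything from that copy of the ledger.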

Data security is controlled in the data layer itself,
instead of through middleware such as a firewall. Data can be shared without
an API, thanks to those semantic standards, and data are natively embedded with
security in the blockchain. Compliance, governance, security and data
management all become easier. Data cannot be stolen or manipulated by an
outside party, the way it commonly is by healthcare hackers today. 

The interoperability conundrum, in other words, is solved.
Fewer APIs means fewer security vulnerabilities; a common, semantic standard
eliminates confusion and minimizes mistakes. Blockchain puts patients in
control of who sees what parts of their health records. Eliminating the need
for API middleware also saves tens of thousands of dollars, at a minimum.


About Brian Platz 

Brian is the Co-CEO and Co-Chairman of Fluree, PBC, a decentralized app platform that aims to remodel how business applications are built. Before establishing Fluree, Brian was the co-founder of SilkRoad technology which expanded to over 2,000 customers and 500 employees in 12 international offices.



Highmark Health Inks 6-Year Partnership with Google Cloud to Power Living Health Model

What You Should Know:

– Highmark Health signs six-year strategic partnership agreement
with Google Cloud to transform the health experience for patients and
caregivers through the development of Highmark Health’s new Living Health
Model

– The Living Health model is designed to eliminate
the fragmentation in health care by re-engineering the healthcare delivery
model with a more coordinated, personalized, technology-enabled experience.


Highmark Health and Google Cloud today announced a six-year strategic partnership to build and maintain the innovation engine behind Highmark’s Living Health model. The agreement includes the development of the Living Health Dynamic Platform, which will be designed to help overcome the complexities and fragmentation within the healthcare industry.

Re-engineering The Healthcare Delivery Model

Highmark’s Living Health model is designed to eliminate the fragmentation in health care by re-engineering the healthcare delivery model with a more coordinated, personalized, technology-enabled experience. In addition to offering seamless, simpler, and smarter interactions with patients, the Living Health model is designed to free clinicians from time-consuming administrative tasks while providing them with timely data and actionable information about each patient. Living Health is not just focused on improving the patient-clinician relationship, it is about changing the way health care delivery operates.

“The Living Health model is about improving each person’s health and quality of life, every day,” commented Dr. Tony Farah, executive vice president and chief medical and clinical transformation officer of Highmark Health. “The traditional health care system is too fragmented and for the most part reactive. The Living Health model takes the information and preferences that a person provides us, applies the analytics developed with Google Cloud, and creates a proactive, dynamic, and readily accessible health plan and support team that fits an individual’s unique needs.”

Living Health Model Powered by Google Cloud

Highmark Health will lead the collaboration to build its
Living Health Dynamic Platform on Google Cloud. Key elements of the agreement
include:

– The construction of a highly secure and scalable platform
built on Google Cloud

– The application of Google Cloud’s advanced analytic and
artificial intelligence capabilities to supercharge Highmark Health’s existing
clinical and technology capabilities

– The engagement of a highly skilled professional services
team that will collaborate to drive rapid innovation

– The use of Google Cloud’s healthcare-specific solutions, including the Google Cloud Healthcare API, to enable rapid innovation, interoperability, and a seamless Living Health experience.

Highmark Health will control access and use of its patient
data using rigorous long-standing organizational privacy controls and
governance, which will be enhanced through the creation of a joint Highmark
Health-Google Cloud Data Ethics and Privacy Review Board to ensure that uses of
data are consistent with prescribed ethical principles, guidance, and customer
expectations of privacy.

Why It Matters

The strategic partnership reflects Highmark Health’s vision for a remarkable health experience by moving care and disease management of clinical conditions beyond traditional care settings through an engaging digital experience. By providing the insights needed to enable timely interventions, people will be empowered to proactively manage their health. For example, specific outcomes could include proactive intervention based on timely and individual patient data; digital disease management; easily accessible, personalized health plans; and centralized scheduling and management of care teams.

Economic Impact of Partnership

Approximately 125 new jobs are being created at Highmark Health to support the development of the Living Health Dynamic Platform, specifically in the areas of application development, cloud-based computing architectures, analytics, and user experience design.  

MEDITECH Launches New Subscription-Based Cloud Platform Built on Google Cloud


What You Should Know:

– Today, MEDITECH announced MEDITECH Cloud Platform—a
suite of solutions available to healthcare organizations of all sizes that
further extend the possibilities of the Expanse EHR.

– This offering includes: Expanse NOW, High Availability
SnapShot, and Virtual Care solutions, all created to work naturally in the
cloud, and available through a subscription model.


Today MEDITECH introduced MEDITECH Cloud Platform—a suite of solutions available
to healthcare organizations of all sizes that further extend the possibilities
of the Expanse Electronic Health Record (EHR). Multiple MEDITECH Cloud
Platform solutions are built on Google Cloud, enabling healthcare organizations
to further personalize their EHR in a way that is secure, reliable, and easy to
maintain.

Subscription-Based Cloud Model

Healthcare organizations can select one or a combination of
the solutions from MEDITECH Cloud Platform. The flexibility of the subscription
model enables a quick setup as well as the ability to add solutions as needed.
Additionally, the cloud combined with the subscription model provides
opportunities to add solutions in the future.

MEDITECH Cloud Platform Offerings

The all-new MEDITECH Cloud Platform offering includes: Expanse NOW, High
Availability SnapShot, and Virtual Care solutions, all created to work
naturally in the cloud, and available through a subscription model:

Expanse NOW is a mobility app that empowers
physicians to manage everyday tasks and coordinate care on their smartphone
device. Integrated with Expanse, tasks and messages can flow between workload
and the app in real time.

High Availability SnapShot provides healthcare
organizations with immediate access to key patient data in the event of
unexpected or planned downtime. Patient information such as medications,
allergies, orders, and more is backed up securely and accessible via
cellular-connected devices.

Virtual Care gives new and existing patients access
to urgent virtual care on demand through the healthcare organization’s website,
as well as the ability to schedule virtual visit appointments. New patients who
request Virtual Care are automatically enrolled in the Patient Portal,
connecting them to the organization and in turn, enabling organizations to grow
their business.

Leveraging Google Cloud’s Capabilities

The Expanse NOW and High Availability SnapShot solutions
leverage Google Cloud’s core capabilities including compute and storage (as
well as their healthcare-specific data, analytics, security, and identity
management solutions) alongside existing on-prem solutions to provide high
availability and continuity of care in a secure and scalable service. They can
be easily accessible to critical care staff to improve healthcare continuity
across MEDITECH-powered healthcare organizations.


Google Cloud Launches Healthcare Interoperability Readiness Program


What You Should Know:

– Google Cloud launches Healthcare Interoperability
Readiness Program to help healthcare organizations achieve healthcare data interoperability.


Today, Google Cloud launched the Google Cloud Healthcare Interoperability Readiness
Program, helping organizations achieve data interoperability in advance of
upcoming HHS deadlines and to enable future innovation. Alongside partners like Bain, BCG, Deloitte, HCL,
KPMG, SADA, and more, the Healthcare Interoperability
Readiness Program will help healthcare organizations understand the current status
of their data and where it resides, map out a path to standardization and
integration, and make use of data in a secure, reliable, compliant manner.

Google Cloud Interoperability Readiness Program

This program provides a comprehensive set of
services for interoperability, including: 

– HealthAPIx Accelerator provides the jumpstart for the interoperability
implementation efforts. With best practices, pre-built templates and lessons
learned from our customer and partner implementations, it offers a blueprint
for healthcare stakeholders and app developers to build FHIR API-based digital
experiences.

– Apigee API Management provides the underpinning and enables a security and governance layer to deliver, manage, secure and scale APIs; consume and publish FHIR-ready APIs for partners and developers; build robust API analytics, and accelerate the rollout of digital solutions.

– Google Cloud Healthcare API enables secure methods (including
de-identification) for ingesting, transforming, harmonizing, and storing your
data in the latest FHIR formats, as well as HL7v2 and DICOM, and serves as a
secondary longitudinal data store to streamline data sharing, application
development, and analytics with BigQuery.

– Interoperability toolkit that includes solution architectures, implementation guides, sandboxes, and other resources to help accelerate interoperability adoption and streamline compliance with standards such as FHIR R4.

COVID-19 Pandemic Underscores Drive to Accelerate Interoperability

“With COVID-19 underscoring the importance of even more data sharing and flexibility, the next few years promise to accelerate data interoperability and the adoption of open standards even further—ideally ushering in new and meaningful partnerships across the care continuum, new avenues for business growth, and new pathways for patient-centered innovation,” the announcement blog post stated.

3 Telemedicine Security and Compliance Best Practices

Gerry Miller, Founder & CEO at Cloudticity

The coronavirus pandemic accelerated telemedicine exponentially as patients and doctors switched from in-person visits to remote consultations. Health providers rapidly scaled virtual offerings in March and April and traffic volumes soared to unprecedented levels, with practices “seeing 50 to 175 times the number of patients by telehealth than before the outbreak,” according to McKinsey. By early August, the U.S. Department of Health and Human Services expanded the list of allowable telehealth services in Medicare and there was an executive order supporting permanent telehealth provisions for rural areas.

But the surge in telemedicine adoption comes with a host of cybersecurity risks and regulatory compliance requirements unique to the healthcare sector.

As telemedicine traffic increases, so does the volume of hacking attempts. Recent cybersecurity news indicates healthcare organizations are top targets for cyberattacks and “providers remain the most compromised segment of the healthcare sector, accounting for nearly 75 percent of reported breaches.” The consequences are chilling: “The average cost of a healthcare data breach is $7.13 million globally and $8.6 million in the United States.”

Further, whenever patient information is involved, HIPAA compliance is required. While HHS temporarily suspended pursuing HIPAA penalties on providers for “good faith provision of telehealth during the COVID-19 nationwide public health emergency,” such permissiveness will not last.

Luckily, most telemedicine providers can utilize managed services and cloud infrastructure to keep pace. Here are some best practices to meet IT compliance and cybersecurity demands for telemedicine.

Telemedicine Compliance Best Practices

Compliance should be viewed as a real-time process that drives security. Telemedicine tools and technology should therefore reflect significant expertise with all healthcare regulations (HIPAA, HITRUST, HITECH), with compliance functions permeating processes. Recommended compliance best practices include:

1. Automate Remediation

Healthcare applications cannot offer high reliability if every potential compliance problem is remediated manually; there’s just too much that can go wrong and never enough staff to address it when needed. The solution is to automate everything that can be automated, and rely on people to handle exceptions or potential violations that don’t impact reliability. Cloud-based services can integrate AI and operational intelligence to automatically remediate anomalies when possible, present recommendations to operations staff for cases that cannot be resolved automatically, and present clear choices such as:

– Do Nothing: Take no action, delete ticket after [x number of days]

– Fix Now: Implement the recommended actions immediately

– Schedule: Perform the recommended actions during the next maintenance window

This approach speeds resolution and decreases service disruptions, and improves the reliability of telemedicine delivery. The automated response also plays a critical role in security (which will be discussed shortly).

2. Perform Formal Risk Assessments

Understanding the risk level and specific risk issues are critical components for an effective compliance plan. Many providers of healthcare services underestimate their level of risk, in part because it is difficult to quantify. The HHS has published guidance in its Quantitative Risk Management for Healthcare Cybersecurity, which offers insight. There are also cloud solutions that can aid the process. Cloud services providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud offer automated security assessment services that help improve the security and compliance of applications deployed on their cloud hosting platforms. They can generally assess applications for exposure, vulnerabilities, and deviations from best practices. A good inspection service should highlight network configurations that allow for potentially malicious access, and produce a detailed list of findings prioritized by level of severity.

3. Reduce Attack Surface

To provide secure access to sensitive information, hybrid architectures supporting telemedicine applications need a virtual private network (VPN) gateway between on-premises and cloud resources. However, developers, test engineers, remote employees, and others who need access to cloud-based protected health information (PHI) may bypass a VPN gateway by either cracking open the cloud firewall to allow direct unencrypted internet traffic or using peering connections. To prevent such potential exposures, secure desktop-as-a-service (DaaS) solutions provide an elegant way to allow cloud-based access to PHI without exposing connections or records. A DaaS is generally deployed within a VPC providing each user with access to persistent, encrypted cloud storage volumes using an encryption key management service. No user data is stored on the local device, which reduces overall risk surface area without impeding development capability.

Telemedicine Security Best Practices

While the full scope of cybersecurity strategies is beyond the scope of this article, here are three best practices that telemedicine providers can use to bolster their security profile:

1. Deploy Proactive Network Security

Modern cyber threats have become steadily more sophisticated in evading traditional security measures and more devastating once they penetrate network perimeters. For that reason, telemedicine providers need a highly proactive, multilayered approach to prevent malware-based outages, theft of intellectual property, and exfiltration of protected health information (PHI).

A combination of network anti-malware, application control, and intrusion prevention systems (IPS) is recommended. Such proactive solutions are generally bundled in managed cloud services that should automatically detect suspicious system changes in real-time, isolate and quarantine affected resources, and prevent the spread of exploits by locking down any server whose configuration differs from the installed settings.

2. Encrypt Data Storage

Data encryption is the last line of cyber-defense for PHI and other critical information. Even if an attacker can penetrate the perimeter and proactive network security and exfiltrate data from the provider, those data are useless to the hacker if encrypted. It’s good practice to encrypt all web and application servers running on cloud instances using a unique master key from a key management service when creating volumes.

Encryption operations generally occur on the servers that host cloud database (DB) instances, ensuring the security of both data-at-rest and data-in-transit between an instance and its block storage. For additional protection, you can also opt to encrypt DB instances at rest, underlying storage for DB instances, its automated backups, and read replicas.

3. Harden Operating Systems

Both Microsoft Windows Server and Linux are ubiquitous operating systems in telemedicine. They are also both attractive targets for cybercriminals because they provide complex capabilities, frequently remediate vulnerabilities, and are so common (increasing attackers’ chances of finding an unpatched system). Hackers use OS-based techniques such as remote code execution and elevation of privilege to take advantage of unpatched operating system vulnerabilities. Hardened images of Windows Server and Linux virtual machines (VMs) should be used, employing default configurations recommended by the Center for Internet Security (CIS). Such hardened images make gaining OS administrative access extremely difficult, and coordinate well with the proactive security bundles described earlier.

Additional resources for telemedicine compliance and security are available from the American Medical Association (AMA), the US Department of Homeland Security, the U.S. Department of Health and Human Services, and HITRUST.

While these best practices are targeted primarily at telemedicine companies, they can also be applied to a wide range of healthcare providers and organizations delivering vital services in the face of 2020’s dramatic swings in demand.


About Gerry Miller

Gerry Miller is the founder and chief executive officer at Cloudticity. He is a successful serial entrepreneur and healthcare fanatic. From starting his first company in elementary school to selling his successful technology consulting firm in 1998, Gerry has always marched to his own drummer, producing a series of successes. Gerry’s first major company was The Clarity Group, a Boston-based Internet technology firm he founded in 1992. Gerry presided over seven years of 100% aggregate annual growth and sold the company in 1998 when it had reached $10MM in revenue.

He was recruited by Microsoft to become their Central US Chief Technology Officer, eventually taking over a global business unit and growing its revenue from $20MM to over $100MM in less than three years. Gerry then joined ePrize as Chief Operating Officer, where he grew sales 38% to nearly $70MM while improving operating efficiency, quality, and both client and employee satisfaction. Gerry founded Cloudticity in 2011 with a passion for helping healthcare organizations radically reshape the industry by unlocking the full potential of the cloud.

Health in 2 Point 00, Episode 145 | Amwell, OneDrop, Outset Medical & Podimetrics

Today on Health in 2 Point 00, Jess asks me about the big news that Google Cloud has entered into a partnership with Amwell and invested $100 million into the company—looks like their IPO is really a thing! OneDrop gets $98.7 million in a partnership with Bayer, following a $40 million partnership last November, in a funding and development agreement. Outset Medical files their S1 and is going to go public, looking for $100 million for their portable dialysis system, and finally Podimetrics raises another $8 million for their foot ulcer detection platform for diabetics. —Matthew Holt