A strong sense of optimism permeated the recent third annual Redox Healthcare Interoperability Summit in Boston. Attendees from all walks of healthcare life (innovators, clinicians, executives and entrepreneurs from vendor and provider organizations) shared ideas and discussed current efforts to push towards a solution to the elusive healthcare interoperability challenge.
In his opening remarks, Redox Co-founder and President Niko Skievaski echoed his common mantra about interoperability in healthcare, “In healthcare, we don’t have an innovation problem, but rather a technology adoption problem.” He reflected on the beginnings of the company with only seven people and its growth to 180 in 25 states to date. When Redox started, he said, the question was “how can we provide infrastructure so there is no point-to-point integration?” Niko and his fellow co-founders, Luke Bonney and James Lloyd, realized their path to help vendor startups implement their technology into health systems. APIs paved the way as they built up what Redox calls “the network effect.” Currently, 600+ healthcare organizations in the U.S. are connected to Redox, which is certainly a proof point in the company’s goal to make healthcare data useful.
The first panel of the summit was moderated by Shahid Shah, publisher of Netspective Media, and dug into topics surrounding health data and interoperability. Jitin Asnaani, executive director of CommonWell, Adam Landman, MD, CIO of Brigham & Women’s Hospital, and our own product marketing guru Paige Goodhew contributed to the lively exchange. Interoperability has more definitions than syllables. These experts described the landscape, the efforts at play, and how to navigate them.
Asnaani started off by stating that data should follow the patient. This was a common thread throughout the day as future discussions looked at data blocking. The panel agreed that in 2020 we’ll see major regulations in a variety of sectors that, unlike in the past, will be worth paying attention to.
Landman said opportunities to exchange healthcare data are growing at such a substantial rate that providers now have multiple avenues from which to pull patient records from other systems, and they are overwhelmed with health data. EHR vendors have opened the door to greater data sharing within their own products, which has contributed to interoperability. And organizations like CommonWell make healthcare data from different systems available on a vendor-neutral network to patients and providers.
Goodhew made it clear that EHR vendors are moving toward greater interoperability because patients are asking for it. She also stated the industry currently has the right people to solve the interoperability problem. Shah agreed and said the big tech companies are looking to enter the market but not necessarily lead it.
Landman added the issue of data privacy to the conversation. In addition to dealing with the massive volume of data and understanding what we can and cannot share, he stressed that healthcare organizations must also be prepared to take ownership of security and privacy regulations. Everyone agrees patients should own data, but we must do it in a way that keeps the data safe. How we reconcile data ownership is important to addressing security issues.
Security and privacy matters
As a great follow-on to the security issues discussed in the first panel, Ben Waugh, Redox CSO, and Taylor Lehmann, athenahealth CSO, devoted their session to a deeper dive into breaking down the security barrier for interoperability. Lehmann said healthcare cybersecurity should be making interoperability easier. While EHRs are designed to stay closed, Lehmann urged EHR vendors and providers to embrace a more open data platform and find ways to view security as a data-sharing enabler. The healthcare community must focus on how to securely make the data trustworthy, accurate, and available.
Lehmann also offered ways for app developers to build an effective security program. The first step is to select a cybersecurity standard to follow, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Second, vendors should pick a secure testing methodology, such as BSIMM (Building Security In Maturity Model). There are opportunities to achieve security certifications, such as the Health Information Trust Alliance (HITRUST) Common Security Framework.
Healthcare organizations should understand threats to their business and where their valuable data resides. Common practice includes purple teaming to get a sense of how well the organization’s defense is performing, as well as conducting a risk assessment of third parties. Three security practices healthcare organizations should also adopt to help stop the majority of cyberattacks are patching, multi-factor authentication, and good email hygiene. The strategy needs to be: detect first, respond second.
New Rules & Regs
Nick Hatt, a developer at Redox, then took to the podium to talk about one of his favorite topics, the Zen of federally mandated APIs. He began with the conclusions:
- Proposed rules are designed to make data sharing easier, and more costly for those who prevent it.
- Giving patients access to their data is thought by many to be a game-changer, but it may never take off.
He assured participants that Redox is committed to standardization and making new APIs work painlessly.
FHIR is an evolution of HL7’s existing offerings, but it doesn’t overcome a number of very important problems—some of which may be solved eventually, while others remain a problem. FHIR relies on EHRs to implement, but it also relies on health systems (the ones who buy EHR software) to actually turn the functionality on.
For an EHR developer, molding the internal data of the EHR to FHIR is a lot of extra work, and despite the improvement FHIR has made to standard iteration time, a vendor-specific API can move an order of magnitude faster. Economics might ultimately be the undoing of FHIR and HL7, and if API consumers are happier connecting to vendor-specific APIs, then FHIR will not catch on with the future of cloud-based digital health applications.
The biggest risk to FHIR, according to Hatt, is a return to a lack of standards. Interest in EHR vendor “app stores” has sparked new questions around the value of standards in the world of open EHRs. No doubt EHR vendors are watching carefully which services applications flock to—the FHIR-backed ones or EHR-specific ones.
Patients authorizing the use of data to apps and third parties will be a new frontier. But that will elicit debate about what kinds of controls we’ll need. We’re entering an era where HIPAA will not be the only game in town to determine the flow of healthcare information and stipulate how personally identifiable information (PII) maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft.
The Trusted Exchange Framework and Common Agreement (TEFCA), released on April 19, 2019, is the third piece of legislation that outlines a common set of principles, terms, and conditions to support the development of a Common Agreement that would help enable the nationwide exchange of electronic health information across health information networks. It is still a proposed rule, so it’s too early to celebrate, but in effect, Congress said to the ONC that everyone can have an onramp to share data.
FHIR alone will not lead to widespread disruption of the healthcare IT space. Giving patients access to their data will be a game-changer. Let’s hope it takes off.