
API Task Force Josh Mandel, Co-Chair Meg Marshall, Co-Chair December 4, 2015.


Slide 2: API HEARING – STRAWMAN RECOMMENDATION 1

Healthcare specific:
Panel 1: Healthcare Delivery – Providers: Selection TBD; Payers: Selection TBD; Federal Partners: Selection TBD
Panel 2: HIT Vendors – API Management: Selection TBD; EHR Vendors: Selection TBD; HIT Services: Selection TBD

Non-healthcare specific:
Panel 3: Consumer Technologies 1 – Consumer Tech: Selection TBD; API Management: Selection TBD; Social Media: Selection TBD
Panel 4: Consumer Technologies 2 – Consumer Tech: Selection TBD; Services: Selection TBD; Financial Sector: Selection TBD

Slide 3: Strawman’s Panel Questions: GENERAL QUESTIONS FOR ALL PANELS

What are the perceived and actual privacy concerns or barriers to the adoption of APIs?
– Related to current state laws or HIPAA
– How can these concerns be mitigated / how are you addressing this?
What are the perceived and actual security risks or barriers to the adoption of APIs?
– How can these risks be mitigated / how are you addressing this?
What protocols and standards are currently adopted for API security? Please specify according to:
– User authentication; access controls; authorization – are there any gaps that exist?
– Trusted connection; network security
– Auditable action; logs; policies and procedures
– Tamper-resistance; accuracy and reliability of data
– Policies and procedures
– Risk management practices

Slide 4: Strawman’s Panel Questions: GENERAL QUESTIONS FOR ALL PANELS – CONT.

What protocols and standards do we need to adopt in the future for API security?
Are there specific terms of use? Are there specific terms of use as to privacy or security? If not those topics, what do the terms of use generally cover?
– Are there any specific security or privacy considerations unique to the use of APIs in healthcare?

Slide 5: Strawman’s Panel Questions: HEALTHCARE DELIVERY

Does your organization provide an API which is available directly or to third parties? If so:
– Are they clinician-facing, or consumer-facing?
– Are there specific terms of use regarding privacy or security?
– Are there specific terms of use regarding other topics? If so, what do they generally cover?
– Who can get access to them?
– Are there production deployments of these APIs?
What are the workflow concerns or considerations with using APIs?

Slide 6: Strawman’s Panel Questions: HEALTHCARE DELIVERY – CONT.

What are the concerns from the provider community as to the use of APIs with their CEHRTs?
What are the concerns from the payer community as to the use of APIs with their payer systems?
(FEDERAL SECTOR PARTNERS – if they are included)
Are there liability and compliance implications from other federal agencies to consider?
What challenges and/or barriers have you seen with the growth of APIs in your departments/agencies?

Slide 7: Strawman’s Panel Questions: HEALTH IT VENDORS

What are the perceived and actual privacy concerns or barriers to the adoption of APIs?
– Related to current state laws or HIPAA
What are the perceived and actual security risks or barriers to the adoption of APIs?
– (Take from security risks from above)
Are there third party certifying authorities in non-healthcare industry that we can leverage?
– EHR vendors?
– Other third party companies or business associates?

Slide 8: Strawman’s Panel Questions: CONSUMER TECHNOLOGIES

What are the perceived and actual privacy concerns or barriers to the adoption of APIs?
– Related to current state laws or HIPAA
– How can these risks be mitigated / how are you addressing this?
Are there known liability implications with the use of APIs?
– Chain of trust / data ownership
– Terms and conditions
Are there known compliance implications with the use of APIs?
What are the perceived and actual security concerns or barriers to the adoption of APIs?
– (Security risks from above)
– How can these risks be mitigated / how are you addressing this?

Slide 9: Strawman’s Panel Questions: CONSUMER TECHNOLOGIES – CONT.

Are there any well-known threats or vulnerabilities associated with APIs themselves that should be addressed (e.g. security engineering considerations / best practices)?
– As APIs are gaining adoption, are there steps organizations need to take to mitigate any additional threat vectors to data?
– Are these just specific to APIs in general? What might be unique/specific to healthcare?
– How does the issuer of the API ensure that the API won’t become a tool used for malicious activity which could compromise the data source?
How are APIs distributed in a way that the recipient/end-user of the API can trust the API is authentic?
Are there existing metrics, or is there a need to develop metrics, to measure the maturity of security and privacy controls in the use of APIs?

Slide 10: Strawman’s Panel Questions: CONSUMER TECHNOLOGIES – CONT.

How to improve consumer experience with the third party apps using the APIs:
– User stories / use cases
Is there a catalogue or store of tools that are built for the APIs for third parties to access?
What is the fee structure generally accepted / what is industry standard in other sectors?
Are there third party certifying authorities in non-healthcare industry that we can leverage?
– i.e. Apple, Google, etc.?
What challenges and/or barriers have you seen with the growth of APIs in your departments/agencies?

Slide 11: Strawman’s Panel Questions: CURRENT LAW/LEGAL ISSUES

Are there various state vs. federal privacy and security laws that differ when it comes to the use of third party applications or other technologies that could apply to APIs in the future?
What is currently the standard regulatory framework or legislation with the FTC covering the use of APIs / third party applications?
– How does this differ from HIPAA privacy/security rules? Would these regulations supersede HIPAA for Covered Entities? (i.e. are they more stringent?)
What other laws govern the non-CEs and Business Associates or third party application providers?
– How does this differ from HIPAA privacy/security rules?

Slide 12: Strawman’s Panel Questions: OTHER INFO NEEDED

Provide background to the TF on the Transport and Standards Security Workgroup recommendations from March 2015 regarding RESTful API Security Considerations.
FTC regulations and OCR authority governing the use of APIs and VDT capability.
