Presentation is loading. Please wait.

Presentation is loading. Please wait.

API Task Force Josh Mandel, Co-Chair Meg Marshall, Co-Chair December 4, 2015.

Published byPhilippa Jefferson Modified over 9 years ago

Similar presentations

Presentation on theme: "API Task Force Josh Mandel, Co-Chair Meg Marshall, Co-Chair December 4, 2015."— Presentation transcript:

1 API Task Force Josh Mandel, Co-Chair Meg Marshall, Co-Chair December 4, 2015

2 API HEARING- STRAW MAN RECOMMENDATION 1 Healthcare SpecificNon-Healthcare Specific Panel 1: Healthcare Delivery Panel 2: HIT Vendors Panel 3: Consumer Technologies- 1 Panel 4: Consumer Technologies- 2 Providers: Selection TBD API Management: Selection TBD Consumer Tech: Selection TBD Consumer Tech: Selection TBD Payers: Selection TBD EHR Vendors: Selection TBD API Management: Selection TBD Services: Selection TBD Federal Partners: Selection TBD HIT Services: Selection TBD Social Media: Selection TBD Financial Sector: Selection TBD

3 Strawman’s Panel Questions: GENERAL QUESTIONS FOR ALL PANELS What are the perceived and actual privacy concerns or barriers to the adoption of APIs? – Related to current state laws or HIPAA – How can these concerns be mitigated/how are you addressing this? What are the perceived and actual security risks or barriers to the adoption of APIs? – How can these risks be mitigated/how are you addressing this? What protocols and standards are currently adopted for API Security? Please specify according to: – User Authentication; Access controls; Authorization – are there any gaps that exist? – Trusted connection; network security – Auditable action; logs; policies and procedures – Tamper-resistance; accuracy and reliability of data – Policies and procedures – Risk management practices 2

4 Strawman’s Panel Questions: GENERAL QUESTIONS FOR ALL PANELS – CONT. What protocols and standards do we need to adopt in the future for API Security? Are there specific terms of use? Are there specific terms of use as to privacy or security? If not those topics, what do the terms of use generally cover? – Are there any specific security or privacy considerations unique to the use of APIs in healthcare? 3

5 Strawman’s Panel Questions: HEALTHCARE DELIVERY Does your organization provide an API which is available directly or to third parties? If so: – Are they clinician-facing, or consumer-facing? – Are there specific terms of use regarding privacy or security? – Are there specific terms of use regarding other topics? If so, what is generally cover? – Who can get access to them? – Are there production deployments of these APIs? What are the workflow concerns or consideration with using APIs? 4

6 Strawman’s Panel Questions: HEALTHCARE DELIVERY – CONT. What are the concerns from the provider community as to the use of APIs with their CEHRTs? What are the concerns from the payer community as to the use of APIs with their payer systems? (FEDERAL SECTOR PARTNERS- if they are included) Are there liability and compliance implications from other federal agencies to consider? What challenges and/or barriers have you seen with the growth of APIs in your departments/agencies? 5

7 Strawman’s Panel Questions: HEALTH IT VENDORS What are the perceived and actual privacy concerns or barriers to the adoption of APIs? – Related to current state laws or HIPAA What are the perceived and actual security risks or barriers to the adoption of APIs? – (Take from security risks from above) Are there third party certifying authorities in non-healthcare industry that we can leverage? – EHR vendors? – Other third party companies or business associates? 6

8 Strawman’s Panel Questions: CONSUMER TECHNOLOGIES What are the perceived and actual privacy concerns or barriers to the adoption of APIs? – Related to current state laws or HIPAA – How can these risks be mitigated/how are you addressing this? Are there known liability implications with the use of APIs? – Chain of trust/ data ownership – Terms and conditions Are there known compliance implications with the use of APIs? What are the perceived and actual security concerns or barriers to the adoption of APIs? – (security risks from above) – How can these risks be mitigated/how are you addressing this? 7

9 Strawman’s Panel Questions: CONSUMER TECHNOLOGIES – CONT. Are there any well-known threats or vulnerabilities associated with APIs themselves that should be addressed (e.g. security engineering considerations/best practices)? – As APIs are gaining adoption, are there steps organizations need to take to mitigate any additional threat vectors to data? – Are these just specific to APIs in general? What might be unique/specific to healthcare? – How does the issuer of the API ensure that the API won’t become a tool used for malicious activity which could compromise the data source? How are APIs distributed in a way that the recipient/end-user of the API can trust the API is authentic? Are there existing metrics or is there a need to develop metrics to measure the maturity of security and privacy controls in the use of APIs? 8

10 Strawman’s Panel Questions: CONSUMER TECHNOLOGIES – CONT. How to improve consumer experience with the third party apps using the APIs: – User stories/use cases Is there a catalogue or store of tools that are built for the APIs for third parties to access? What is the fee structure generally accepted/what is industry standard in other sectors? Are there third party certifying authorities in non-healthcare industry that we can leverage? – i.e. Apple, Google, etc.? What challenges and/or barriers have you seen with the growth of APIs in your departments/agencies? 9

11 Strawman’s Panel Questions: CURRENT LAW/LEGAL ISSUES Are there various state vs. federal privacy and security laws that differ when it comes to the use of third party applications or other technologies that could apply to APIs in the future? What is currently the standard regulatory framework or legislation with the FTC covering the use of APIs/third party applications? – How does this differ from HIPAA privacy/security rules? Would these regulations supersede HIPAA for Covered Entities? (i.e. are they more stringent?) What other laws govern the non-CEs and Business Associates or third party application providers? – How does this differ from HIPAA privacy/security rules? 10

12 Strawman’s Panel Questions: OTHER INFO NEEDED: Provide background to the TF of the Transport and Standards Security Workgroup recommendations from March 2015 regarding RESTful API Security Considerations? FTC regulations and OCR authority governing the use of APIs and VDT capability 11

Download ppt "API Task Force Josh Mandel, Co-Chair Meg Marshall, Co-Chair December 4, 2015."

Similar presentations

Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March 11, 2015.

Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March 11, 2015.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Voice over the Internet Protocol (VoIP) Technologies… How to Select a Videoconferencing System for Your Agency Based on the Work of Watzlaf, V.M., Fahima,

Voice over the Internet Protocol (VoIP) Technologies… How to Select a Videoconferencing System for Your Agency Based on the Work of Watzlaf, V.M., Fahima,
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
NCVHS Panel 6 WEDI Testimony on Health Plan Identifier June 10, 2014 Laurie Darst, Mayo Clinic, Revenue Cycle Regulatory Advisor WEDI Board of Directors.

NCVHS Panel 6 WEDI Testimony on Health Plan Identifier June 10, 2014 Laurie Darst, Mayo Clinic, Revenue Cycle Regulatory Advisor WEDI Board of Directors.
Recommendations on Certification of EHR Modules HIT Standards Committee Privacy and Security Workgroup April 11, 2014.

Recommendations on Certification of EHR Modules HIT Standards Committee Privacy and Security Workgroup April 11, 2014.
1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.

1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.
Interoperability Roadmap Comments Package Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair February 24, 2015.

Interoperability Roadmap Comments Package Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair February 24, 2015.
Capability Cliff Notes Series PHEP Capability 6—Information Sharing What Is It And How Will We Measure It?

Capability Cliff Notes Series PHEP Capability 6—Information Sharing What Is It And How Will We Measure It?
Cross Sector Digital Identity Initiative March 12, 2014 Hearing on the National Strategy for Trusted Identities in Cyberspace (NSTIC) Cross Sector Digital.

Cross Sector Digital Identity Initiative March 12, 2014 Hearing on the National Strategy for Trusted Identities in Cyberspace (NSTIC) Cross Sector Digital.
Security Controls – What Works

Security Controls – What Works
Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
HITSP – enabling healthcare interoperability 1 enabling healthcare interoperability 1 Standards Harmonization HITSP’s efforts to address HIT-related provisions.

HITSP – enabling healthcare interoperability 1 enabling healthcare interoperability 1 Standards Harmonization HITSP’s efforts to address HIT-related provisions.
Security of Computerized Medical Information: Threats from Authorized Users James G. Anderson, Ph.D. Purdue University.

Security of Computerized Medical Information: Threats from Authorized Users James G. Anderson, Ph.D. Purdue University.
Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.
Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap – DRAFT Version 1.0 Joint FACA Meeting Chartese February 10, 2015.

Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap – DRAFT Version 1.0 Joint FACA Meeting Chartese February 10, 2015.
Privacy and Security Workgroup: Big Data Public Hearing December 8, 2014 Deven McGraw, chair Stan Crosley, co-chair.

Privacy and Security Workgroup: Big Data Public Hearing December 8, 2014 Deven McGraw, chair Stan Crosley, co-chair.
SMART GRID: Privacy Awareness and Training – for PUCs/PSCs A Starting Point December 2011 SGIP-CSWG Privacy Group 1 DRAFT.

SMART GRID: Privacy Awareness and Training – for PUCs/PSCs A Starting Point December 2011 SGIP-CSWG Privacy Group 1 DRAFT.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Similar presentations

Ads by Google