3 takeaways from ONC’s session on innovation and security

The Office of the National Coordinator for Health Information Technology is looking for new ways to promote app security as part of its goal of interoperability in health IT.

ONC has hosted a slate of listening sessions at the 2017 HIMSS conference in Orlando, Florida, as a way to reach out to industry stakeholders for ideas, concerns and roadblocks to interoperability.

As the agency promotes the use of application program interfaces to securely share health information, here are three issues from the session to consider:

Who’s responsible for the information?

While app developers are striving to make their products both able to handle the data and share it with other tools, the question arose of who takes responsibility for making that data secure.

While interface security has been integral, stakeholders questioned whether ONC should set standards on how developers should store or format data to make it more secure from intrusion.

Is cybersecurity an institutional problem?

Another issue that arose was the feeling that cybersecurity is an institutional responsibility, rather than an individual one, resulting in a siloed approach to security and inhibiting interoperability.

Some stakeholders felt that for developers, the cost of making these systems transparent and compatible is higher than the fallout of a cyber breach.

Security Branch Chief Mikki Smith said that the office is currently working with the National Institute of Standards and Technology on an identity management framework and other framework projects in tandem to drive interoperability.

The use of use cases

When ONC officials asked what stakeholders wanted to see more of in terms of outreach, some called for more use cases to inform developers how they might apply data findings to their apps.

Some stakeholders called for more guidance from the government on the security features developers should include in their apps.

Acting Chief Privacy Officer Deven McGraw said that certain groups, like the HEART Working Group and HIMSS, were already working toward privacy and security specifications for APIs, and the health IT community would be best served to build on each other’s work.

"There [are] lots of sort of pockets of work going on these same issues that we definitely want to connect to so that we are supporting one another and leveraging one another’s learning and not reinventing the wheel," she said.
