The healthcare industry requires complex coordination between patients, healthcare providers, insurance carriers and third-party vendors. It wasn’t long ago that interoperability between these parties was managed through phone calls, faxes and couriers. With the emergence of Electronic Health Records (EHR), the focus has shifted to digital interoperability.
EHRs offer a digital version of a patient’s paper chart that makes information available to authorised users in a rapid and secure manner. But even with EHRs to digitise patient records, interoperability has been difficult. The emergence of standards is helping to define clear interoperability through REST-based APIs. Yet there are still challenges ahead for any organisation that is involved in hosting and consuming healthcare APIs. This article provides a brief background on current API trends and challenges in the healthcare industry. It also examines how a thoughtful API management strategy can help overcome many of these challenges.
The changing landscape of the healthcare industry
Anyone who has visited a large healthcare practice has experienced the efficiency of sharing patient health records, diagnostic labs and other insights between physicians within the same practice. However, when moving outside of this practice, communication becomes more difficult, requiring time and manual processes to migrate patient records properly.
Healthcare APIs help to bridge this gap through the use of standards-based interoperability and are essential to any digital strategy. Healthcare APIs offer the secure exchange of critical data between providers, payers and third-party vendors. They power efficient user interfaces and analytics platforms that support important decision making. APIs also help to share critical information with those who need it, such as a patient’s insurance coverage for a procedure. No longer is a provider’s staff forced to wait in a phone queue to determine coverage and copayments. APIs power the exchange of EHRs and integration between vendors.
Healthcare APIs offer a variety of digital capabilities including, but not limited to:
- Provider Directory – helps patients find a provider in their area
- Register Patient – creates a patient record
- Register Provider – creates a healthcare provider record
- Manage Patient Claims – tracks insurance claim status
In addition, APIs may be used within business intelligence (BI) platforms to create a comprehensive view of patients. Direct integration of Internet of Things (IoT) APIs is also being explored, allowing data from devices to be integrated directly with a patient’s records.
Empowering healthcare with API standards: FHIR
APIs themselves don’t solve digital interoperability. The FHIR (Fast Healthcare Interoperability Resources) standard from HL7 defines how healthcare information can be exchanged between electronic systems. FHIR (pronounced “fire”) ensures interoperability between systems while allowing flexibility for data to be stored internally in any format. It defines these interoperability standards using REST-based APIs, allowing for the widest possible adoption.
Without standards such as FHIR, every new provider or vendor must integrate with every other healthcare system, increasing the costs exponentially. By using REST-based APIs for the common approach, interoperability is increased across internal systems, web apps and mobile devices.
FHIR has become a standard across the world, with many countries adopting the standard alongside implementation guides that help to bridge regional healthcare integration concerns. FHIR’s scope and priorities include prioritising implementation, providing a framework for interoperability, focusing on core capabilities with extensions where customisation is needed, and offering flexibility over strictness where appropriate.
The challenges of healthcare API management
An IDC InfoBrief titled “The Role of Customer Experience Networks in Delivering Value-Based Digital Transformation” indicated that at least 63% of healthcare services use APIs with business partners, customer supply chain, and directly with customers via web and mobile apps. However, healthcare services face several technical challenges when embarking on an API programme.
- Addressing security and regulatory requirements
The IDC InfoBrief identified that 59% of healthcare services are concerned about the security and regulatory requirements surrounding their APIs. Given that the APIs are accessed by multiple stakeholders and integrated with third-party applications, a comprehensive security strategy is required, which includes authentication and authorisation to prevent unauthorised access to data. Some regulatory requirements also state the need for proper logging of all API-based activity for the purposes of auditing and understanding the flow of data.
- Protecting data with data entitlements
Healthcare services are required to enforce restrictions on data access, commonly referred to as data entitlements. These define the level of access and what data system users are permitted to access. Once again, with multiple parties accessing the APIs, it is important to set the required governance defining what a user’s role entitles them to and, more importantly, what it does not.
- Avoiding internal system overload
As the API programme grows and more integrations are established, internal systems may become overloaded. Implementing an appropriate policy to limit the number of calls made by API consumers is important to prevent internal systems from grinding to a halt under excessive load.
How API management platforms are enabling the healthcare industry
Effective API management ensures a single path into healthcare APIs. It enforces all policies for patient, provider and third-party system access. Proper API management also offers analytics into API usage, helping the API provider better understand and support the API capabilities used across their supply chain.
- Security and auditing
The use of an API management layer (APIM) helps to enforce security restrictions to prevent unauthorised access. Using the OAuth 2.0 framework alongside a comprehensive API security strategy, patients are able to securely access their data and even provide limited access to third-party vendors (known as three-legged authorisation). An API management platform also provides comprehensive logging across all requests between all devices and integrations. This logging is often necessary for regulatory auditing.
- Role-based access control (RBAC)
RBAC is a method of restricting access based on the roles of individual users within an organisation, allowing users to have access rights only to the information they need and preventing them from accessing information they don’t. Coupled with custom plugins that extend and enhance data entitlement checks before requests reach the API server, an API management platform helps to deliver data from APIs quickly and safely.
- Reverse gateway capabilities
A reverse gateway limits data exposure when integrating with third parties by inspecting all outbound traffic to third-party APIs. It is able to detect and decline outbound traffic that would release sensitive data.
- Rate-limiting and quotas
Rate-limiting defines the number of requests that can be made to an API during a specified time period. Quotas are similar to rate-limits but cover larger time intervals. Together they help manage the load on the API server. The governing policies are flexible, so they may be adjusted to allow some integrations to make more frequent API calls while others have lower limits and perhaps lower priority. Rate limiting may also be used to help control cloud infrastructure costs by preventing cloud resources from exceeding target monthly budgets.
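As an added illustration (not code from the article or from Tyk) of how the security, RBAC and rate-limiting checks above combine at the gateway: a consumer key is authenticated, its role’s data entitlements for the requested FHIR resource type are checked, and then a sliding-window rate limit and a larger-interval quota are applied before the request is forwarded. All keys, roles, resource types and limits are constructed sample values.

```python
from collections import deque

# Constructed policies: per consumer key, a role, a rate limit
# (requests, window seconds) and a quota (requests, interval seconds).
POLICIES = {
    "key-provider-app":   {"role": "provider", "rate": (5, 1.0), "quota": (100, 3600.0)},
    "key-billing-vendor": {"role": "billing",  "rate": (2, 1.0), "quota": (20, 3600.0)},
}

# Constructed data entitlements: FHIR resource types each role may read.
ENTITLEMENTS = {
    "provider": {"Patient", "Observation", "Claim"},
    "billing":  {"Claim"},
}


class Gateway:
    """Hypothetical policy layer: auth -> entitlement -> quota -> rate limit."""

    def __init__(self):
        self._hits = {}  # (key, "rate"|"quota") -> deque of accepted timestamps

    def _window_ok(self, key, kind, now):
        limit, interval = POLICIES[key][kind]
        q = self._hits.setdefault((key, kind), deque())
        while q and now - q[0] >= interval:  # drop hits outside the sliding window
            q.popleft()
        return len(q) < limit

    def check(self, key, resource_type, now):
        """Return (allowed, reason) for a read of /<resource_type> at time `now`."""
        policy = POLICIES.get(key)
        if policy is None:
            return False, "401 unknown key"        # authentication failure
        if resource_type not in ENTITLEMENTS[policy["role"]]:
            return False, "403 not entitled"       # role lacks this data entitlement
        if not self._window_ok(key, "quota", now):
            return False, "429 quota exceeded"     # long-interval budget used up
        if not self._window_ok(key, "rate", now):
            return False, "429 rate limit exceeded"
        for kind in ("rate", "quota"):
            self._hits[(key, kind)].append(now)    # only accepted requests count
        return True, "200 forwarded to API server"
```

Rejected requests are not counted against either window, so a consumer hammering the gateway cannot burn its own quota with requests that never reached the API server.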
Tyk is a leading cloud-native API and service management platform complete with an intuitive dashboard and a simple developer portal, both powered by an open source API gateway. In addition to the capabilities mentioned above, Tyk also provides:
- Support for Open Policy Agent (OPA) which enables the creation of custom permissions for different user roles
- Multi-data centre bridge (MDCB), which enables the creation of multiple local API gateways in accordance with data sovereignty and HIPAA requirements, all managed through a central control plane.
With API adoption picking up in the healthcare industry, making information accessible in a simple yet powerful way, the right tools, such as an API gateway coupled with a dynamic API programme, could further drive growth and innovation in the industry.