How to Develop a Cures Act Compliant Health App Solution Using OAuth2 and OpenID

Pablo Bullian

Pablo Bullian

Posted on July 01, 2020

Health App Solution

On March 9, 2020, the ONC and CMS released updated rules for interoperability and patient access provisions of the bipartisan 21st Century Cures Act. The Cures Act, which was first signed into law on December 13, 2016, was designed to help accelerate medical product development. The Cures Act also included the creation of an interoperable network exchange, which enables the secure exchange and use of electronic health information. It allows for complete access, transfer, and use of all electronically accessible health information.

Within the 21st Century Cures Act lies the new ONC final rule. In order to facilitate patient access to electronic health information, this rule is seeking the use of the SMART Application Launch Framework, OAuth2, and OpenID standards.

Many health organizations wish to implement their own health app solution to comply with the new ONC final rule.

The SMART Application Launch Framework

SMART is a framework for developers to provide a reliable, secure authorization protocol that allows previously authorized apps to access EHR (electronic health records) directly from healthcare providers.

The SMART application launch framework facilitates interoperability by making it easier for your SMART app to communicate and share data with other apps that also use SMART. Interoperability is provided in an open, secure, and standardized way to comply with the Cures Act, and provide better insight into patient data for the patients themselves and healthcare providers.

The OAuth2 Standard

OAuth2 is a well-known standard to provide access authorization without the sharing of passwords between providers and services. It allows for a secure method of authorization that can be integrated into health app solutions.

Designing an authorization system is a complex process; if not done correctly, malicious hackers can access private information from users. Using the OAUTH2 protocol reduces complexity and allows users to have a simple workflow to access healthcare websites and apps.

The OpenID Standard

OpenID is an authentication (proving the identity of a user) protocol, different from OAuth2, which is an authorization (specifying access privileges) protocol. OpenID Connect integrates both OpenID and OAuth2. This allows users to create just one account, for example, a Google account and reuse the account name and password to authenticate other web or mobile apps such as Airbnb, Dropbox, or Uber. It simplifies an app’s registration workflow without compromising security.

Many people use the same password for multiple web accounts. OpenID helps prevent credential stuffing, which is a technique in which an attacker acquires the login info for one account, and then attempts to gain access to that individual’s other accounts (e.g., email, bank logins, credit cards, etc.) using the one compromised password. With OpenID, the patient will only need to remember one password and keep it secure.

Health App Solution Two-Factor Authentication

What does this mean for healthcare organizations?

Cures Act compliant health app solutions allow healthcare organizations to securely provide patients with access to their health information via SMART Application Launch Framework, OAuth2, and OpenID standards. These standards allow for the secure management of passwords and other personal information. It’s important for healthcare organizations to work with a healthcare app development agency that’s knowledgeable in healthcare IT security, the Cures Act, HIPAA, and all other regulations in order to meet all these requirements and avoid future headaches or fines.


Pablo Bullian

Pablo Bullian

Pablo, our Chief Information Security Officer, architected and manages Bridge’s HIPAA-compliant hosting infrastructure. He is an Amazon Web Services (AWS) Certified Solutions Architect, Certified Information Systems Security Professional (CISSP), and Cisco Certified Network Associate (CCNA). Pablo has an M.S. in Cybersecurity from the University of Buenos Aires and he’s passionate about alll things related to cybersecurity and cloud hosting.

Related Posts

Fundraising during Covid with a virtual 5k for healthcare nonprofits

Posted on February 12, 2021 by Jared Mauskopf

The Covid-19 pandemic has brought sweeping changes to the healthcare industry in the United States, and organizations that rely heavily on fundraising have been affected in a unique way. In…Read more


Posted on July 06, 2020 by Jared Mauskopf

Many healthcare organizations are seeking a means to develop their own healthcare or patient engagement solution, to positively impact patients’ health, and streamline clinical processes. Patients perform many of their…Read more


Newsletter
Subscribe to Our Newsletter

Get promotions and current business tips. Sign up for our newsletter today.