How to Develop a Cures Act Compliant Health App Solution Using OAuth2 and OpenID


On March 9, 2020, the ONC and CMS released final rules implementing the interoperability and patient access provisions of the bipartisan 21st Century Cures Act. The Cures Act, signed into law on December 13, 2016, was designed to accelerate medical product development. It also called for an interoperable exchange framework that enables the secure exchange and use of electronic health information, so that all electronically accessible health information can be accessed, transferred, and used.

The ONC final rule implements part of the 21st Century Cures Act. To give patients access to their electronic health information through apps of their choosing, it requires certified EHR systems to expose a standardized API (HL7 FHIR) secured with the SMART Application Launch Framework, OAuth 2.0, and OpenID Connect.

Many health organizations want to build their own health app solution, or open their data to third-party apps, in a way that complies with the new ONC final rule.

The SMART Application Launch Framework

SMART (Substitutable Medical Applications, Reusable Technologies) is a profile of OAuth 2.0, with OpenID Connect for identity, that defines how an app obtains authorization from an EHR (electronic health record) system and then reads the patient's records through the EHR's FHIR API. An app can be launched from inside the EHR (EHR launch) or started on its own (standalone launch); in both cases the app is registered with the EHR in advance, and the patient or clinician approves which records it may access.

The SMART application launch framework delivers interoperability because every EHR that implements it exposes the same launch, authorization, and data-access conventions, so an app written once can connect to many providers' systems rather than to one vendor's proprietary interface. That interoperability is provided in an open, secure, and standardized way that satisfies the Cures Act and gives patients and healthcare providers better insight into patient data.

The OAuth2 Standard

OAuth 2.0 is a widely used standard for delegated authorization: a user grants an app limited access to data held by another service (here, the EHR) without ever giving the app their password for that service. The app receives a scoped, expiring access token instead, which makes it a good fit for health app solutions.

Designing an authorization system from scratch is complex, and mistakes let attackers reach users' private information. Building on OAuth 2.0 and well-reviewed libraries reduces that risk and gives users a simple workflow for granting access to healthcare websites and apps. The protocol still has to be used correctly: for public clients such as mobile and browser apps, use the authorization code flow with PKCE, check the state parameter on the redirect back before accepting a code, register exact redirect URIs, and request only the scopes the app needs.

The OpenID Standard

OpenID Connect is an authentication protocol (proving the identity of a user) layered on top of OAuth 2.0, which is an authorization protocol (specifying access privileges). It is the successor to the original OpenID protocol and is the version the ONC rule references. An OpenID Connect provider returns a signed ID token describing the authenticated user alongside the OAuth 2.0 access token. This is the mechanism behind "Sign in with Google" style logins used by apps such as Airbnb, Dropbox, or Uber: the user creates one account, authenticates at the identity provider, and the app receives an identity assertion without ever seeing the password. It simplifies an app's registration workflow without compromising security.

Many people reuse the same password across accounts, which exposes them to credential stuffing: an attacker who obtains the login for one account tries that same password against the person's other accounts (email, bank logins, credit cards, etc.). With OpenID Connect the patient has fewer passwords to create and remember, so there are fewer to leak or reuse. The trade-off is that the identity provider account becomes a single point of failure, so it should be protected with two-factor authentication, and the app must validate every ID token it receives (signature, issuer, audience, expiry, and nonce) before trusting it.
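The three standards above fit together in one client-side flow. The following is an added example, not code from the original article or from Medical Web Experts: a SMART standalone launch as a patient-facing app would perform it, that is, an OAuth 2.0 authorization code request with PKCE and the SMART-specific aud parameter, state checking on the callback, the token request body, and OpenID Connect ID token validation. The endpoint URLs, client_id, redirect URI, and the HS256 shared secret are assumed placeholders so the code runs offline; real SMART servers sign ID tokens with RS256 or ES256 and publish their keys via JWKS, and in production you would verify with a vetted JOSE library against those keys.

```python
# Added example: SMART App Launch (standalone) client flow with PKCE and OIDC
# ID-token validation. All endpoints, IDs and the HS256 key are assumed
# placeholders (not from the article); HS256 is used only so this runs offline.
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

FHIR_BASE = "https://ehr.example.org/fhir"                  # assumed
AUTHORIZE_URL = "https://ehr.example.org/oauth2/authorize"  # assumed
ISSUER = "https://ehr.example.org/oauth2"                   # assumed
CLIENT_ID = "patient-app-demo"                              # assumed
REDIRECT_URI = "https://app.example.org/callback"           # assumed
SCOPES = "launch/patient openid fhirUser patient/Observation.read"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authorization_request():
    """Step 1: URL to redirect the patient to, plus values to keep in the browser session."""
    verifier = b64url(secrets.token_bytes(32))            # RFC 7636 code_verifier (43 chars)
    session = {"state": b64url(secrets.token_bytes(16)),  # anti-CSRF binding
               "nonce": b64url(secrets.token_bytes(16)),  # binds the ID token to this login
               "code_verifier": verifier}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": session["state"],
        "nonce": session["nonce"],
        "aud": FHIR_BASE,                                 # SMART: the FHIR server the token is for
        "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params), session

def authorization_params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def handle_callback(callback_url: str, session: dict) -> str:
    """Step 2: the browser returns; refuse the code unless state matches our session."""
    q = authorization_params(callback_url)
    if "error" in q:
        raise PermissionError(f"authorization denied: {q['error']}")
    if not hmac.compare_digest(q.get("state", ""), session["state"]):
        raise PermissionError("state mismatch: rejecting possible CSRF or injected code")
    return q["code"]

def build_token_request(code: str, session: dict) -> dict:
    """Step 3: POST body for the token endpoint; the server recomputes S256(code_verifier)."""
    return {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "code_verifier": session["code_verifier"]}

def mint_id_token(key: bytes, claims: dict) -> str:
    """Constructed stand-in for the server-issued ID token (HS256, offline only)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_id_token(id_token: str, key: bytes, session: dict, now=None) -> dict:
    """Step 4: OIDC Core 3.1.3.7 checks: alg, signature, iss, aud, exp, nonce."""
    now = time.time() if now is None else now
    head, body, sig = id_token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":   # never accept 'none' or a swapped alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if not hmac.compare_digest(str(claims.get("nonce")), session["nonce"]):
        raise ValueError("nonce mismatch: token was not issued for this login")
    return claims

def demo(key: bytes = b"constructed-demo-secret") -> str:
    """End-to-end run with a constructed callback and ID token; returns the fhirUser claim."""
    url, session = build_authorization_request()
    callback = REDIRECT_URI + "?" + urlencode({"code": "AUTHCODE123", "state": session["state"]})
    req = build_token_request(handle_callback(callback, session), session)
    # What the server checks before issuing tokens: S256(code_verifier) == code_challenge
    assert b64url(hashlib.sha256(req["code_verifier"].encode()).digest()) == authorization_params(url)["code_challenge"]
    token = mint_id_token(key, {"iss": ISSUER, "sub": "patient-42", "aud": CLIENT_ID,
                                "exp": int(time.time()) + 300, "nonce": session["nonce"],
                                "fhirUser": FHIR_BASE + "/Patient/42"})
    return verify_id_token(token, key, session)["fhirUser"]

if __name__ == "__main__":
    print(demo())
```

Running demo() walks the whole exchange and returns the fhirUser reference from the validated ID token. The points that matter for a Cures Act app are the ones the functions enforce: the code is never accepted without a matching state, the code_verifier never leaves the app until the token request, the aud parameter names the FHIR server, and the ID token is rejected on a wrong algorithm, signature, issuer, audience, expiry, or nonce rather than merely decoded.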


What does this mean for healthcare organizations?

Cures Act compliant health app solutions let healthcare organizations securely give patients access to their health information through the SMART Application Launch Framework, OAuth 2.0, and OpenID Connect. Used correctly, these standards mean the app obtains scoped, expiring access tokens and a verifiable identity assertion without ever handling the patient's portal password or other personal credentials. It's important for healthcare organizations to work with a healthcare app development agency that's knowledgeable in healthcare IT security, the Cures Act, HIPAA, and all other applicable regulations in order to meet these requirements and avoid future headaches or fines.

Pablo is Chief Information Security Officer at Medical Web Experts and a certified AWS Solution Architect Associate who specializes in cybersecurity on cloud environments. He holds an MS in Information Security from the University of Buenos Aires and is an associate professor and active member of research groups at UNSAM University. His academic research is centered around the security challenges that next-gen communications technologies face. Pablo is also CCNA certified and has co-authored research appearing in IEEE.
