How to Develop a Cures Act Compliant Health App Solution Using OAuth2 and OpenID

Pablo Bullian

Pablo Bullian

Posted on July 01, 2020

Health App Solution

On March 9, 2020, the ONC and CMS released updated rules for interoperability and patient access provisions of the bipartisan 21st Century Cures Act. The Cures Act, which was first signed into law on December 13, 2016, was designed to help accelerate medical product development. The Cures Act also included the creation of an interoperable network exchange, which enables the secure exchange and use of electronic health information. It allows for complete access, transfer, and use of all electronically accessible health information.

Within the 21st Century Cures Act lies the new ONC final rule. In order to facilitate patient access to electronic health information, this rule is seeking the use of the SMART Application Launch Framework, OAuth2, and OpenID standards.

Many health organizations wish to implement their own health app solution to comply with the new ONC final rule.

The SMART Application Launch Framework

SMART is a framework for developers to provide a reliable, secure authorization protocol that allows previously authorized apps to access EHR (electronic health records) directly from healthcare providers.

The SMART application launch framework facilitates interoperability by making it easier for your SMART app to communicate and share data with other apps that also use SMART. Interoperability is provided in an open, secure, and standardized way to comply with the Cures Act, and provide better insight into patient data for the patients themselves and healthcare providers.

The OAuth2 Standard

OAuth2 is a well-known standard to provide access authorization without the sharing of passwords between providers and services. It allows for a secure method of authorization that can be integrated into health app solutions.

Designing an authorization system is a complex process; if not done correctly, malicious hackers can access private information from users. Using the OAUTH2 protocol reduces complexity and allows users to have a simple workflow to access healthcare websites and apps.

The OpenID Standard

OpenID is an authentication (proving the identity of a user) protocol, different from OAuth2, which is an authorization (specifying access privileges) protocol. OpenID Connect integrates both OpenID and OAuth2. This allows users to create just one account, for example, a Google account and reuse the account name and password to authenticate other web or mobile apps such as Airbnb, Dropbox, or Uber. It simplifies an app’s registration workflow without compromising security.

Many people use the same password for multiple web accounts. OpenID helps prevent credential stuffing, which is a technique in which an attacker acquires the login info for one account, and then attempts to gain access to that individual’s other accounts (e.g., email, bank logins, credit cards, etc.) using the one compromised password. With OpenID, the patient will only need to remember one password and keep it secure.

Health App Solution Two-Factor Authentication

What does this mean for healthcare organizations?

Cures Act compliant health app solutions allow healthcare organizations to securely provide patients with access to their health information via SMART Application Launch Framework, OAuth2, and OpenID standards. These standards allow for the secure management of passwords and other personal information. It’s important for healthcare organizations to work with a healthcare app development agency that’s knowledgeable in healthcare IT security, the Cures Act, HIPAA, and all other regulations in order to meet all these requirements and avoid future headaches or fines.

Pablo Bullian

Pablo Bullian

Pablo, our Chief Information Security Officer, architected and manages Medical Web Expert’s HIPAA-compliant hosting infrastructure. He is a Certified Information Systems Security Professional (CISSP), Amazon Web Services (AWS) Certified Solutions Architect, and Cisco Certified Network Associate (CCNA). Pablo has an M.S. in Cybersecurity from the University of Buenos Aires and he’s passionate about all things related to cybersecurity and cloud hosting.

Related Posts

Mobile App vs Web App

Posted on April 19, 2023 by Jared Mauskopf

Healthcare organizations are increasingly under enormous pressure to offer the best digital tools to their patients. But before you set out to develop a healthcare application, you’ll need to make…Read more

Illustration of a doctor sitting at a computer reading messages on a HIPAA compliant messaging portal.

Posted on April 12, 2023 by Pablo Bullian

Data security is a major challenge in healthcare. With data breaches on the rise, it seems that criminals are increasingly viewing digital healthcare data as low-hanging fruit. According to the…Read more