What Is SMART on FHIR and Why Is IAM Required?

Jun 6, 2024
Shasta Turney, Director, Healthcare Solutions Marketing

Healthcare technology is rapidly evolving and digital healthcare is now the norm. In order to deliver healthcare online, payer and provider organizations need the ability to securely and seamlessly share member and patient data across their various digital healthcare systems. Interoperability and modern identity and access management (IAM) are what make this happen.


In 2016, the Office of the National Coordinator for Health Information Technology’s (ONC) 21st Century Cures Act Final Rule was enacted. A significant component of the ONC’s Cures Act is its focus on interoperability. Electronic Medical Record (EMR)

Complying with the Cures Act for interoperability requires the use of two standards:

  1. SMART Health IT’s Substitutable Medical Applications Reusable Technologies (SMART) standard
  2. HL7’s Fast Healthcare Interoperability Resources (FHIR) standard

Together, these two standards are what’s known as SMART on FHIR.

With the ONC’s Rule and SMART on FHIR, the stage is set for a more connected, efficient, and patient-centric healthcare system where clinical data can be more readily shared and accessed by healthcare providers, payers, consumers, and app developers alike.

Beyond Compliance: Using IAM to Surpass the Healthcare Interoperability Status Quo

How Healthcare Business Can Thrive in a Tech-Driven Future

The key to successful interoperability and SMART on FHIR implementation lies in identity and access management (IAM) functionality. Healthcare IAM platforms, such as the Ping Identity Platform, play a critical role in cybersecurity, service availability, and scale. IAM secures user access and manages the authorization permissions for SMART on FHIR apps and their data. This ensures that only authorized users can access SMART apps and sensitive health data, in accordance with privacy and cybersecurity standards. The result is reliable and secure interoperability of health information across apps, services, and digital health ecosystems.

  1. Meet today’s security and authentication needs whether on-premises or in the cloud
  2. Ensure interoperability between unique identity systems, web resources, organizations and vendors
  3. Build a secure, future-proofed identity architecture that stands the test of time

What is SMART on FHIR?

SMART on FHIR is a protocol for interoperability across Electronic Health Records (EHR) systems (such as Epic and Cerner), healthcare applications, and IT environments. It allows healthcare developers to build innovative, interoperable applications that can securely access and exchange health data from EHRs and other sources. SMART on FHIR patient-facing applications can also empower individuals to access and manage their health information, participate in their own care, and make informed decisions about their health.

SMART on FHIR comprises the following components:

  • SMART Launch Framework: The SMART Launch Framework provides guidance on how to securely launch and integrate SMART on FHIR apps within healthcare environments. It outlines protocols for authentication, authorization, and secure communication between apps and healthcare data sources, utilizing standards like OAuth 2.0 and OpenID Connect to ensure that only authorized users can access sensitive health information. This framework is essential for developers and healthcare providers to implement SMART on FHIR apps safely and effectively, protecting patient data and privacy. An IAM platform is what provides OAuth 2.0 and OpenID Connect, and it is therefore essential to following the SMART framework.

  • FHIR (Fast Healthcare Interoperability Resources): FHIR is a standard for healthcare data exchange. It provides a set of guidelines for formatting and exchanging healthcare information across different systems, ensuring that data can be shared and understood universally by all healthcare organizations. FHIR defines data formats and elements (known as "resources") and an API for exchanging electronic health records (EHR), facilitating interoperability between healthcare information systems.
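As an added illustration of the SMART Launch Framework bullet above (this is not code from the article or from Ping Identity), the following Python sketch builds the standalone-launch authorization request a SMART app sends, with SMART scopes, the `aud` parameter naming the FHIR server, PKCE (required by SMART App Launch 2.x), and the checks the app applies to the callback and to the token response. The endpoints, `client_id`, redirect URI and token values are constructed placeholders.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders for this example, not a real EHR or app.
FHIR_BASE = "https://ehr.example.org/fhir"
AUTHORIZE_ENDPOINT = "https://ehr.example.org/oauth2/authorize"
CLIENT_ID = "example-smart-app"
REDIRECT_URI = "https://app.example.org/callback"
# openid + fhirUser ask for an OIDC identity, launch/patient asks the EHR for patient
# context, and a single narrow read scope keeps the grant least-privilege.
SCOPES = "openid fhirUser launch/patient patient/Observation.read"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(state: str, verifier: str) -> str:
    """Authorization request; `aud` tells the EHR which FHIR server the token is for."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": SCOPES, "state": state, "aud": FHIR_BASE,
        "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code; refuse a callback whose state this app did not issue."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this launch")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def check_token_response(token: dict) -> dict:
    """Require patient context and report any requested scope the EHR did not grant."""
    if "patient" not in token:
        raise ValueError("no patient context in token response")
    granted = set(token.get("scope", "").split())
    return {"patient": token["patient"],
            "missing_scopes": sorted(set(SCOPES.split()) - granted)}
```

Generate `state` and the PKCE verifier with `secrets.token_urlsafe()` (32 random bytes give a 43-character verifier, the minimum PKCE length) and keep both server-side until the callback arrives.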

What Are SMART Apps vs. FHIR Apps?

As you learn about SMART on FHIR and healthcare interoperability, you will come across the terms FHIR app and SMART app. While they are closely related, they are not the same.

  • FHIR app: A FHIR app refers to any application that uses the FHIR (Fast Healthcare Interoperability Resources) standard to access, use, or share healthcare data. These apps rely on the FHIR API to interact with electronic health records (EHRs) and other healthcare data sources in a standardized way.

  • SMART app: A SMART app is built using the SMART on FHIR protocol, which combines the FHIR standard with SMART (Substitutable Medical Applications Reusable Technologies) health IT protocols for authentication, authorization, and interoperability. A SMART app is specifically designed to securely and seamlessly integrate with EHR systems, such as Epic and Cerner, and other healthcare data repositories. It provides more advanced features such as user authentication and data access controls.

The important take-away: While all SMART apps use FHIR, not all FHIR apps utilize the SMART on FHIR protocol's additional capabilities for cybersecurity and integration.

Other key terms you may come across when learning about SMART on FHIR and healthcare interoperability include:

  • FHIR API: A FHIR API is an application programming interface that enables software applications to communicate with healthcare data repositories using the FHIR standard, facilitating secure and standardized access to health information. For example, Epic has implemented FHIR APIs to support interoperability and facilitate access to healthcare data.

  • FHIR data: FHIR data refers to healthcare information that is structured and exchanged according to the FHIR standard. It is organized into "resources," which represent granular clinical and administrative concepts (such as patients, appointments, care plans, and observations) in a consistent, easy-to-use framework.

  • FHIR resources: FHIR resources are the building blocks of the FHIR standard, designed by HL7 to define the data formats and elements (known as "resources") and an API for exchanging electronic health records. Each resource, such as Patient, Observation, or Medication, specifies a structured format for a particular type of healthcare information, facilitating the standardized representation of healthcare data across different systems for improved interoperability.

  • FHIR server: A FHIR server is a specialized web server that hosts and provides access to healthcare data using the FHIR standard, enabling the storage, retrieval, and exchange of health information in a standardized format. For example, both Epic and Cerner have incorporated FHIR servers into their systems.

  • Identity and Access Management: An identity and access management (IAM) platform, such as Ping Identity’s, securely manages user identities and authorizes their access to and interactions with digital resources and devices, including environments, applications (such as SMART apps and FHIR apps), services, and remote patient monitoring equipment. To support all use cases, a comprehensive IAM platform should include features such as identity verification, authentication, authorization, governance, and the management of user attributes and relationships.

  • OAuth 2.0: Used by IAM platforms, OAuth 2.0 is an open standard for access delegation that allows applications to obtain limited access to a user’s account on an HTTP service without the user sharing their credentials; together with OpenID Connect it handles authentication and authorization securely.

  • OpenID Connect: Used by IAM platforms, OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol that allows clients to verify the identity of the end user and to obtain basic profile information in an interoperable and REST-like manner.

Why Healthcare IAM Is Required for SMART on FHIR and Interoperability

Healthcare breaches can have serious implications for care delivery, budgets, and reputations. SMART Health IT’s SMART Launch Framework focuses on OAuth 2.0 and OpenID Connect for SMART app cybersecurity. Implementing SMART on FHIR with OAuth 2.0 and OpenID Connect requires functionality provided by an identity and access management (IAM) platform.

IAM is crucial for SMART on FHIR to ensure that sensitive health data is accessed only by authenticated and authorized users, maintaining patient privacy and data cybersecurity. It helps to prevent unauthorized access to electronic health records (EHRs), such as Epic and Cerner, by verifying the identity of users—whether patients, healthcare providers, or other stakeholders—before granting them access to the data.

  1. Increased level of assurance in user identity
  2. Seamless integration of multiple detection and mitigation services
  3. Ability to distinguish between normal and abnormal behavior
  4. Security insights and reporting on high-risk events

Enterprise-grade healthcare IAM platforms, such as the Ping Identity Platform, support SMART on FHIR with advanced cybersecurity solutions built with OAuth 2.0, OpenID Connect, along with other open standards like FIDO2 and SAML.

Using OAuth 2.0 and OpenID Connect to Secure SMART Apps, FHIR APIs, and FHIR Data

The open standards OAuth 2.0 and OpenID Connect play crucial roles in managing permissions and authentication, ensuring that only authorized users can access sensitive FHIR data within a SMART app.

OAuth 2.0 controls access to resources and a user’s data by issuing access tokens for authorization, so the application never handles the user’s password. OpenID Connect extends OAuth 2.0 with identity verification, enabling applications to authenticate users and obtain their profile information. OIDC uses access tokens to retrieve user profile information and ID tokens to authenticate the user’s identity.

The combination of OAuth 2.0 and OpenID Connect supports the development of secure healthcare applications that can seamlessly integrate with electronic health record (EHR) systems, like Epic and Cerner, to enable interoperability and data privacy within the healthcare ecosystem.

Without the open standards OAuth 2.0 and OpenID Connect, healthcare organizations would lack a standardized, secure method for managing user identity and access controls, significantly increasing the risk of data breaches and non-compliance with healthcare regulations. Bypassing these protocols would undermine the security and interoperability principles central to SMART on FHIR.
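To make the access-token/ID-token split in this section concrete, here is an added Python example (not code from the article or from Ping Identity): the authorization decision a FHIR API or API gateway can make from the SMART v1 scopes and patient context carried in an access token, and the claim checks a SMART app applies to an OIDC ID token before trusting who the user is. The issuer, `client_id` and claim values are constructed, and JWT signature verification against the issuer’s published keys is assumed to have happened before these checks run.

```python
import re
import time

ISSUER = "https://ehr.example.org/oauth2"   # constructed EHR authorization server
CLIENT_ID = "example-smart-app"             # constructed SMART app client_id

# SMART v1 scope form: <patient|user|system>/<ResourceType or *>.<read|write|*>
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*)$")


def scope_grants(scope, resource_type, operation):
    """Return the scope's context (patient/user/system) if it covers the operation, else None."""
    m = SCOPE_RE.match(scope)
    if not m:
        return None
    context, rtype, op = m.groups()
    if rtype in (resource_type, "*") and op in (operation, "*"):
        return context
    return None


def authorize_fhir_request(token, method, resource_type, target_patient):
    """token: validated access-token claims with 'scope' and, for patient launches, 'patient'.
    target_patient: the patient the request is about (path id or ?patient= search param)."""
    operation = "read" if method == "GET" else "write"
    contexts = {scope_grants(s, resource_type, operation) for s in token.get("scope", "").split()}
    contexts.discard(None)
    if not contexts:
        return False, "no scope grants %s on %s" % (operation, resource_type)
    if contexts == {"patient"}:
        # A patient-scoped token must stay inside the launch patient's compartment.
        if not token.get("patient") or target_patient != token["patient"]:
            return False, "patient-scoped token limited to patient %s" % token.get("patient")
    # user/ scopes still need the EHR's own user-level access rules; system/ is for backend services.
    return True, "allowed via " + ",".join(sorted(contexts))


def id_token_authenticates_user(claims, expected_nonce, now=None):
    """ID token proves who logged in: check iss, aud, exp and nonce before trusting fhirUser."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == ISSUER and CLIENT_ID in aud
            and claims.get("exp", 0) > now and claims.get("nonce") == expected_nonce
            and bool(claims.get("fhirUser")))
```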

The Power of Ping Identity’s Healthcare IAM for Interoperability

As introduced earlier, IAM is central to SMART on FHIR and successful interoperability. It ensures that only authorized individuals can access sensitive health information within a SMART app, such as patient data.

Healthcare organizations use Ping Identity to support compliance with the 21st Century Cures Act, HITECH, TEFCA, HIPAA, NIST 800-63, and many more.

The Ping Identity healthcare IAM platform secures healthcare organizations across all endpoints. It includes features such as identity verification, passwordless authentication, multi-factor authentication, single sign-on (SSO), drag-and-drop identity orchestration, fine-grained access control, and decentralized identity, among others.

Ping Identity healthcare IAM also supports a Zero Trust security framework and uses advanced technologies such as AI and machine learning to detect and respond to anomalies and potential threats in real time, enhancing overall security posture. Additionally, the HIPAA-compliant platform supports regulatory compliance by ensuring that authentication and data privacy measures meet industry standards and regulations, making it a comprehensive solution for securing digital identities and sensitive data.

Diagram of Zero Trust security framework and components

Yet, interoperability in healthcare is about more than just standalone data exchange—it's about making that data actionable and meaningful.

With Ping Identity’s comprehensive IAM platform, you can integrate disparate hybrid IT environments, users, IoMT devices, services, third-party APIs, and all their data in the backend. Through this interoperability, you can consolidate disparate patient data into a single view for up-to-date patient information across all services and SMART apps. This data access enables healthcare providers, payers, and app developers to create new health apps, services, and user journey workflows that improve care outcomes, engage patients and members, and drive profitability.

Embrace The Future of Healthcare With Ping Identity

As the healthcare industry continues to evolve, Ping Identity’s unified healthcare IAM platform presents a bright future for healthcare organizations. This partnership ensures that healthcare ecosystems remain open, interoperable, and secure, paving the way for interoperability that supports a wide range of use cases, from patient engagement to clinical support.


To learn more, read our white paper and stay tuned for our SMART on FHIR tutorial Implementation Guide.
