RESTful API Infrastructure

Question: What features of Meditech and Promoting Interoperability are impacted if we were to choose to disable API due to recent increases in cybersecurity issues? Disabling the API server would disable the following functionality: Image Appropriateness with your Image Appropriateness vendor, likely NDSC. Users would not be able to do image appropriateness checking when placing imaging orders and would have the option to proceed without checking when placing orders. Continuity of Care Document creation (CCD) - Any function of the system that generates a CCD would be impacted. This includes patients requesting to generate a new CCD from the patient portal. Your IT team could mitigate this with stricter rules vs disabling access all together since this traffic would be from internal servers only. Patient Access APIs - An example of this is the Apple Health Records app. Users would no longer be able to retrieve their health records to their iOS device. We recommend you consult with your legal team to decide if you're still in line with patient access rules while disabling access temporarily. Part of that rule outlines the "capability" to onboard an app of a patient's choosing and ultimately your system would be unable to do that with all access disabled. For that reason and because it's temporary, please seek guidance from your internal regulatory and legal team. We encourage you to review with your internal compliance/legal teams as to how this action relates to 21st Century Cures/ Information blocking compliance (effective date April 5, 2021). Our REST infrastructure is built with security in mind and uses OAuth 2.0 to help secure and mitigate attacks. Following our best practice getting started guide, there also should be layers in front of this server to support security best practice and handle load. We recommend routinely reviewing this document as it continues to be updated with additional information.
Question: What release do I need to be on to implement RESTful API Infrastructure? There is not a specific Priority Pack required to complete the setup of the REST infrastructure. As long as your organization has been generally keeping up to date with updates (ie. have taken an update over the past year or so) this project can begin at any time.
Question: What kind of servers are needed to implement RESTful API Infrastructure? For Promoting Interoperability (Meaningful Use) Stage 3 specifically, your organization should have a TECH Task titled Hardware Evaluation: Meaningful Use Stage 3 Requirements, which outlines the specifics. Speaking generally, you will need 1 API server, 1 database server and a Load Balancer/Web Proxy. Hardware requirements for RESTful API Infrastructure may be different for other APIs/Use Cases in the future.
Question: Do you have any recommendations for the load balancer, or proxy server? Several of our customers that are currently in process of implementing this technology are using a previously acquired Load Balancer such as a Netscaler or F5 appliance. A more cost effective solution would be to use a Web Proxy Server. MEDITECH does not have a preference on the software used on this machine, however is MUST have both security and load balancing capabilities.
Question: Is the implementation of RESTful API Infrastructure solely for access to the EMR for Stage 3 and AUC or can other API driven systems utilize this hardware (ie. First Databank API)? No. There are other present day use cases for REST in deployment beyond patient access API’s and AUC. In addition, MEDITECH is looking to expand our usage of API’s in the future, which will run through REST, as well.
Question: Is an IdP required for the implementation of the RESTful API Infrastructure? No. The RESTful API infrastructure is simply the framework that will allow implementation of a variety of APIs within MEDITECH’s EHR. One example of an API is the Patient Access APIs for Promoting Interoperability Stage 3. After the REST infrastructure is in place, and you move onto implementing the Patient Access APIs, an IdP may be needed to manage external identities.
Question: Who can I reach out to for assistance with set up, support and troubleshooting of firewalls, load balancers, proxy servers, network topology and encryption?Please reach out to one of our Hardware Integrator partners for professional services assistance.

Question: What features of Meditech and Promoting Interoperability are impacted if we were to choose to disable API due to recent increases in cybersecurity issues? Disabling the API server would disable the following functionality:

Image Appropriateness with your Image Appropriateness vendor, likely NDSC. Users would not be able to do image appropriateness checking when placing imaging orders and would have the option to proceed without checking when placing orders.
Continuity of Care Document creation (CCD) - Any function of the system that generates a CCD would be impacted. This includes patients requesting to generate a new CCD from the patient portal. Your IT team could mitigate this with stricter rules vs disabling access all together since this traffic would be from internal servers only.
Patient Access APIs - An example of this is the Apple Health Records app. Users would no longer be able to retrieve their health records to their iOS device. We recommend you consult with your legal team to decide if you're still in line with patient access rules while disabling access temporarily. Part of that rule outlines the "capability" to onboard an app of a patient's choosing and ultimately your system would be unable to do that with all access disabled. For that reason and because it's temporary, please seek guidance from your internal regulatory and legal team.

We encourage you to review with your internal compliance/legal teams as to how this action relates to 21st Century Cures/ Information blocking compliance (effective date April 5, 2021).

Our REST infrastructure is built with security in mind and uses OAuth 2.0 to help secure and mitigate attacks. Following our best practice getting started guide, there also should be layers in front of this server to support security best practice and handle load. We recommend routinely reviewing this document as it continues to be updated with additional information.

Question: What release do I need to be on to implement RESTful API Infrastructure? There is not a specific Priority Pack required to complete the setup of the REST infrastructure. As long as your organization has been generally keeping up to date with updates (ie. have taken an update over the past year or so) this project can begin at any time.

Question: What kind of servers are needed to implement RESTful API Infrastructure? For Promoting Interoperability (Meaningful Use) Stage 3 specifically, your organization should have a TECH Task titled Hardware Evaluation: Meaningful Use Stage 3 Requirements, which outlines the specifics. Speaking generally, you will need 1 API server, 1 database server and a Load Balancer/Web Proxy. Hardware requirements for RESTful API Infrastructure may be different for other APIs/Use Cases in the future.

Question: Do you have any recommendations for the load balancer, or proxy server? Several of our customers that are currently in process of implementing this technology are using a previously acquired Load Balancer such as a Netscaler or F5 appliance. A more cost effective solution would be to use a Web Proxy Server. MEDITECH does not have a preference on the software used on this machine, however is MUST have both security and load balancing capabilities.

Question: Is the implementation of RESTful API Infrastructure solely for access to the EMR for Stage 3 and AUC or can other API driven systems utilize this hardware (ie. First Databank API)? No. There are other present day use cases for REST in deployment beyond patient access API’s and AUC. In addition, MEDITECH is looking to expand our usage of API’s in the future, which will run through REST, as well.

Question: Is an IdP required for the implementation of the RESTful API Infrastructure? No. The RESTful API infrastructure is simply the framework that will allow implementation of a variety of APIs within MEDITECH’s EHR. One example of an API is the Patient Access APIs for Promoting Interoperability Stage 3. After the REST infrastructure is in place, and you move onto implementing the Patient Access APIs, an IdP may be needed to manage external identities.

Question: Who can I reach out to for assistance with set up, support and troubleshooting of firewalls, load balancers, proxy servers, network topology and encryption?Please reach out to one of our Hardware Integrator partners for professional services assistance.