MedCity Influencers

Designing a National-Scale FHIR API Ecosystem Using Apigee: Architecture Patterns for Secure Healthcare Interoperability

Despite the widespread adoption of electronic health records (EHR) over the last couple of decades, essential patient information often gets trapped within the walls of individual hospital systems. Here's a potential solution.

In the ever-evolving landscape of healthcare, one persistent hurdle remains: data fragmentation. Despite the widespread adoption of electronic health records (EHR) over the last couple of decades, essential patient information often gets trapped within the walls of individual hospital systems. Picture this: Mrs. Johnson visits her cardiologist, but her doctor struggles to access her latest lab results from her primary care physician because those records exist in a totally separate system. Or consider an emergency room doctor trying to piece together a patient’s medication history — only to find they must rely on a manual call to the pharmacy. These scenarios not only result in delayed care but can also increase the risk of medication errors and redundant testing, leading to immense costs for the healthcare system.

As we strive to solve these issues, one potential solution stands out: Fast Healthcare Interoperability Resources, or FHIR. Unlike the older HL7 v2 messaging standard, FHIR models clinical data as discrete resources (Patient, Observation, MedicationRequest and so on) and exposes them through a REST API in JSON or XML, so any modern HTTP client can read and write them. With a single FHIR endpoint, researchers, insurers, care coordinators and patients themselves can reach the information they need. Deploying FHIR at scale, however, raises a fresh set of questions: how do you authenticate and authorize thousands of client applications, keep a consistent security posture across organizations, and honor patient consent when a request crosses organizational boundaries? These questions still need well-thought-out answers.

During my five years working alongside major health systems to integrate FHIR, I’ve realized just how essential API management is in addressing these hurdles. One platform that stands out in this field is Google Cloud’s Apigee.

The trouble with direct integrations

Initially, many healthcare organizations relied on direct FHIR integrations: Hospital A connects to Hospital B, Hospital B connects to Hospital C, and so on. This looks efficient with two or three partners, but it is a full mesh, and a full mesh of n organizations needs up to n(n-1)/2 separate links. Each hospital ends up maintaining many individual integrations, each with its own credentials, authentication scheme and logging. When a security issue or a new requirement arises, every link has to be reviewed and often modified, one at a time, through extensive audits.

Take, for example, a health system I encountered that had established seven direct FHIR connections with nearby institutions. Each of those connections employed different methods of authentication, ranging from mutual TLS to OAuth2. The complexity meant that whenever a new compliance requirement like HIPAA-compliant audit logging was introduced, they had to dive into the programming for every single integration. Their effort to ensure consistent logging across all seven connections took a staggering year and a half. This experience solidified my belief that point-to-point integrations are not a sustainable option as healthcare systems grow.

Rethinking the architecture

To truly build a robust nationwide FHIR ecosystem, we need a broader perspective on data architecture: centralized API gateways. Instead of direct connections, hospitals should funnel their data through regional gateways that serve as intermediaries. This centralized system would manage authentication, ensure security standards, maintain activity logs, and even impose rate limits — all in one place.

Here is where Apigee fits. It deploys as an API proxy: each request to the FHIR base URL passes through an ordered chain of policies (token verification, rate limiting, logging and so on) before it is routed to the backend FHIR server. Organizations can therefore enforce OAuth2 (in practice the SMART on FHIR profile) at the edge without changing FHIR server code, add rate limiting without touching the server, and produce the audit trail HIPAA expects without re-engineering the EHR. One caveat a practitioner should insist on: the FHIR server must then be reachable only through the gateway, for example on a private network with mutual TLS to the proxy, because a policy that can be bypassed by calling the server directly enforces nothing.
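As an added example that is not part of the article and not Google's own sample code, here is the policy chain just described as a minimal Apigee X proxy bundle in front of a FHIR R4 server. The hostnames, policy names, the authorization server's JWKS URL, the rate and quota figures and the keystore names are all assumptions; real values come from the deployment.

```xml
<!-- apiproxy/proxies/default.xml
     Order matters: SpikeArrest runs first (cheap, and it shields the gateway and
     the FHIR server before any token work is done), then JWT verification, then
     the per-application quota, which needs the verified client_id claim. -->
<ProxyEndpoint name="default">
  <HTTPProxyConnection>
    <BasePath>/fhir/r4</BasePath>
  </HTTPProxyConnection>
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>SA-Protect-Gateway</Name></Step>
      <Step><Name>JWT-Verify-SMART</Name></Step>
      <Step><Name>Q-Per-Client-Daily</Name></Step>
    </Request>
  </PreFlow>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>

<!-- apiproxy/policies/SA-Protect-Gateway.xml: an absolute ceiling on inbound
     traffic, enforced before the bearer token is even parsed. 500ps is assumed. -->
<SpikeArrest name="SA-Protect-Gateway">
  <Rate>500ps</Rate>
  <UseEffectiveCount>true</UseEffectiveCount>
</SpikeArrest>

<!-- apiproxy/policies/JWT-Verify-SMART.xml: verify the token issued by the
     (assumed) SMART on FHIR authorization server against its JWKS, and pin
     issuer and audience so a token minted for another FHIR server is rejected.
     Source defaults to the Authorization header; the Bearer prefix is stripped. -->
<VerifyJWT name="JWT-Verify-SMART">
  <Algorithm>RS256</Algorithm>
  <Source>request.header.authorization</Source>
  <PublicKey>
    <JWKS uri="https://auth.example-hie.org/.well-known/jwks.json"/>
  </PublicKey>
  <Issuer>https://auth.example-hie.org</Issuer>
  <Audience>https://fhir.example-hospital.org/fhir/r4</Audience>
</VerifyJWT>

<!-- apiproxy/policies/Q-Per-Client-Daily.xml: daily quota per application,
     keyed on the client_id claim (RFC 9068 JWT access tokens carry one) that
     the previous policy exposes as a flow variable. 50000/day is assumed. -->
<Quota name="Q-Per-Client-Daily">
  <Identifier ref="jwt.JWT-Verify-SMART.claim.client_id"/>
  <Allow count="50000"/>
  <Interval>1</Interval>
  <TimeUnit>day</TimeUnit>
  <Distributed>true</Distributed>
  <Synchronous>true</Synchronous>
</Quota>

<!-- apiproxy/targets/default.xml: the FHIR server is reached over mutual TLS
     with the gateway's client certificate, so the policies above cannot be
     bypassed by calling the server directly. Store names are assumptions. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <URL>https://fhir-internal.example-hospital.org/fhir/r4</URL>
    <SSLInfo>
      <Enabled>true</Enabled>
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>gateway-mtls-keystore</KeyStore>
      <KeyAlias>gateway-client-cert</KeyAlias>
      <TrustStore>fhir-server-truststore</TrustStore>
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>
```

VerifyJWT checks signature, issuer, audience and expiry; it does not know what a FHIR scope means, so matching the token's scope claim (for example patient/Observation.rs) against the resource type in the request path is a separate step, typically a Condition on a RaiseFault policy or a small JavaScript policy. If Apigee is itself the OAuth2 authorization server, the OAuthV2 policy with Operation VerifyAccessToken replaces VerifyJWT and sets client_id directly.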

A layered approach

I envision a three-layer architecture for a successful nationwide FHIR ecosystem. The first layer consists of organizational gateways, where Apigee is deployed in front of each health system's FHIR server. Each organization keeps the flexibility to set its own local policies. For example, one hospital might permit sharing Observation resources but restrict access to Procedure resources, while another may choose to limit access to certain affiliated providers.

Layer two introduces regional gateways that let care coordinators retrieve a patient's data across multiple organizations with one query rather than individual outreach to each health system. The regional gateway fans the query out to the participating organizational gateways, aggregates the responses (a FHIR Bundle is the natural container), handles partial failures when one member is slow or down, and applies regional rules, such as masking specific data elements for specific classes of users.

The third layer involves national coordination: an identity layer so that a developer can use one credential across participating organizations, a registry of participating systems and their endpoints, and nationwide policies such as mandatory mutual TLS between gateways.

Security and compliance

In the world of healthcare, security is paramount, and Apigee supports the controls a FHIR ecosystem needs. First, every external caller must present a valid OAuth2 access token at the gateway, where it is verified before the request goes any further. The gateway then checks authorization: whether the token's scopes cover the resource type and operation being requested and, for patient-facing apps, whether the request stays within that patient's record. Finally, if the patient has opted out of sharing, a consent check must block the request. Apigee does not ship a consent engine, so this check is a call from the gateway to a consent registry, and it should fail closed when that registry cannot be reached.

Apigee also helps meet the HIPAA Security Rule's audit-controls requirement (45 CFR 164.312(b)) by logging who accessed which patient's information, when, and with what outcome. These records are shipped to external systems (Cloud Logging or a SIEM) for retention and analysis; the logs themselves contain patient identifiers and must be access-controlled like any other PHI. Rate limiting provides a further safeguard against abuse: a spike arrest protects the gateway and the FHIR server from bursts, and per-application quotas cap how much any one client can pull over a day.
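The consent check and the audit trail from the two paragraphs above, as an added example that is not the article's or Google's code. The consent registry, its URL and its response shape are hypothetical, as is the assumption that the authorization server issues RFC 9068-style JWTs with a client_id claim verified by a policy named JWT-Verify-SMART. The three consent policies sit in the proxy's PreFlow request path after token verification; the logging policy runs from PostClientFlow.

```xml
<!-- Wiring, in apiproxy/proxies/default.xml (assumed proxy), after token verification:
       <PreFlow name="PreFlow"><Request>
         <Step><Name>SC-Consent-Lookup</Name></Step>
         <Step><Name>EV-Consent-Decision</Name></Step>
         <Step>
           <Name>RF-Consent-Denied</Name>
           <Condition>!(consent.decision = "permit")</Condition>
         </Step>
       </Request></PreFlow>
     and, because PostClientFlow runs after the response has gone back to the
     client, audit logging adds no latency to the call:
       <PostClientFlow name="PostClientFlow"><Response>
         <Step><Name>ML-Audit-Access</Name></Step>
       </Response></PostClientFlow> -->

<!-- Hypothetical consent registry: GET /v1/consent?patient=X&requester=Y returns
     {"decision":"permit"} or {"decision":"deny"}. The patient is taken from the
     search parameter of a request such as GET /Observation?patient=123.
     IgnoreUnresolvedVariables=false means a request with no patient parameter
     fails the policy, and the deny condition above matches whenever the
     decision is unset, so the check fails closed. -->
<ServiceCallout name="SC-Consent-Lookup">
  <Request clearPayload="true" variable="consentRequest">
    <Set>
      <Verb>GET</Verb>
      <QueryParams>
        <QueryParam name="patient">{request.queryparam.patient}</QueryParam>
        <QueryParam name="requester">{jwt.JWT-Verify-SMART.claim.client_id}</QueryParam>
      </QueryParams>
    </Set>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  </Request>
  <Response>consentResponse</Response>
  <Timeout>2000</Timeout>
  <HTTPTargetConnection>
    <URL>https://consent.internal.example-hospital.org/v1/consent</URL>
  </HTTPTargetConnection>
</ServiceCallout>

<!-- Pull the decision out of the registry's JSON into consent.decision. -->
<ExtractVariables name="EV-Consent-Decision">
  <Source>consentResponse</Source>
  <VariablePrefix>consent</VariablePrefix>
  <JSONPayload>
    <Variable name="decision">
      <JSONPath>$.decision</JSONPath>
    </Variable>
  </JSONPayload>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</ExtractVariables>

<!-- Refuse with a FHIR OperationOutcome, the error shape FHIR clients expect. -->
<RaiseFault name="RF-Consent-Denied">
  <FaultResponse>
    <Set>
      <StatusCode>403</StatusCode>
      <ReasonPhrase>Forbidden</ReasonPhrase>
      <Headers>
        <Header name="Content-Type">application/fhir+json</Header>
      </Headers>
      <Payload contentType="application/fhir+json">{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"forbidden","diagnostics":"Patient consent does not permit this access"}]}</Payload>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

<!-- Who (subject and application), what (verb, path, query), when, outcome and
     the consent decision. Resource bodies are deliberately not logged. -->
<MessageLogging name="ML-Audit-Access">
  <CloudLogging>
    <LogName>projects/{organization.name}/logs/fhir-audit</LogName>
    <Message contentType="application/json">{"time":"{system.timestamp}","messageId":"{messageid}","subject":"{jwt.JWT-Verify-SMART.claim.subject}","clientId":"{jwt.JWT-Verify-SMART.claim.client_id}","sourceIp":"{client.ip}","verb":"{request.verb}","path":"{proxy.pathsuffix}","query":"{request.querystring}","status":"{response.status.code}","consent":"{consent.decision}"}</Message>
    <Labels>
      <Label><Key>layer</Key><Value>organizational-gateway</Value></Label>
    </Labels>
  </CloudLogging>
</MessageLogging>
```

Requests that identify the patient in the path rather than a search parameter (GET /Patient/123, for example) need the identifier extracted from proxy.pathsuffix first, and the Apigee runtime's service account needs permission to write to the Cloud Logging log named above. The audit log records identifiers, not clinical content, which keeps it useful for HIPAA access reviews without becoming a second copy of the record.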

Looking towards the future

The pathway ahead is clear: organizations need to act quickly to install Apigee gateways in front of their FHIR servers. While this may involve some initial investment, the immediate security benefits are substantial. Early adopters can collaborate to form regional alliances, establishing shared aggregation gateways that pave the way for smooth integration. As more organizations embrace FHIR protocols, meaningful national coordination can emerge.

I’ve seen firsthand the evolution of this field. Just five years ago, FHIR APIs were scarce in healthcare, but now major health systems are beginning to adopt them. I envision that in the next three years, large hospitals will increasingly utilize FHIR APIs supported by Apigee gateways. Within five years, regional aggregation gateways could become the norm, significantly enhancing care coordination.

While we may not see a complete dissolution of healthcare data silos overnight, the emergence of strategic frameworks and innovative solutions like Apigee holds immense promise for creating a more interconnected healthcare landscape.

Photo: pixelliebe, Getty Images

Sai Rupesh Kagga is a Senior Software Developer with more than nine years of experience in IT and more than seven years driving innovation in healthcare technology. As an Integration Developer at SanQuest Inc., his work has significantly improved interoperability, system performance, and data accessibility across complex clinical platforms. He specializes in microservices architecture, enterprise integration, and cloud-native solutions, including full-stack development, data integration and virtualization, and the application of AI and cloud technologies to optimize healthcare workflows. In addition to his engineering contributions, he is an active researcher and technical author with publications indexed on Google Scholar, demonstrating thought leadership in healthcare interoperability and API architecture. His work reflects measurable impact and influence in advancing scalable digital healthcare infrastructure.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.