TL;DR: CMS’s new aligned networks plan aims to simplify healthcare data exchange across 21 networks, 11 health systems, and seven EHR vendors, but experts warn that broader API access can expand PHI exposure if identity assurance, app-level safeguards, and supply-chain controls do not keep pace, according to Imprivata. The governance problem is not interoperability itself but the assumption that easier access can be safely granted without stronger verification and continuous oversight.
NHIMG editorial — based on content published by Imprivata: Tech Expert Breaks Down the Security Challenges Attached to the CMS Healthcare Data Sharing Plan
By the numbers:
- Healthcare breaches rose 239% between 2018 and 2023, according to the HHS Office for Civil Rights.
- The CMS Aligned Networks program will unite 21 networks, 11 health systems, and seven electronic health record vendors.
Questions worth separating out
Q: How should healthcare organisations secure PHI sharing through APIs?
A: They should require strong identity assurance, narrow scopes, and continuous monitoring for every API client that can touch PHI.
Q: Why do third-party healthcare integrations increase PHI risk?
A: Because every external app, vendor, or service provider adds another identity that can be abused, mis-scoped, or left active after the business need ends.
Q: What breaks when zero trust is not applied to patient data exchange?
A: Teams end up trusting network location, partner status, or prior authentication instead of evaluating each PHI request on its own merits.
Practitioner guidance
- Map every PHI access path to an identity owner: Inventory the patients, providers, apps, vendors, and service accounts that can request or relay PHI, then assign a named owner for each path so reviews and revocation are not ambiguous.
- Enforce app-level scopes for every API integration: Restrict each connected application to the minimum PHI scope it needs, and block broad token permissions that allow one integration to query records across unrelated use cases.
- Tie vendor offboarding to technical revocation: When a partner relationship changes, remove API credentials, certificates, and delegated access immediately rather than relying on contract expiration or manual follow-up.
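The three guidance items above can be applied as one per-request policy check on an API gateway. The following is an added example written for this post, not code from Imprivata or from the CMS program; the client inventory, owner names, and the FHIR-style scope syntax ("patient/Resource.action") are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple, FrozenSet

@dataclass
class ApiClient:
    client_id: str
    owner: Optional[str]            # named owner responsible for review and revocation
    scopes: FrozenSet[str]          # granted scopes, e.g. "patient/Observation.read"
    offboarded_on: Optional[date] = None   # set when the vendor relationship ends

# Constructed inventory: one well-scoped app, one over-broad token,
# one ownerless path, and one vendor whose relationship has ended.
INVENTORY = {
    "lab-feed": ApiClient("lab-feed", "integrations-team",
                          frozenset({"patient/Observation.read"})),
    "analytics": ApiClient("analytics", "data-office",
                           frozenset({"patient/*.*"})),   # broad token: must be blocked
    "shadow-app": ApiClient("shadow-app", None,
                            frozenset({"patient/Patient.read"})),
    "old-vendor": ApiClient("old-vendor", "vendor-mgmt",
                            frozenset({"patient/Patient.read"}),
                            offboarded_on=date(2024, 1, 31)),
}

def is_broad(scope: str) -> bool:
    """A scope with a wildcard resource or wildcard action is not minimal."""
    resource, _, action = scope.partition("/")[2].partition(".")
    return resource == "*" or action == "*"

def evaluate(client_id: str, requested_scope: str, today: date) -> Tuple[bool, str]:
    """Return (allowed, reason) for one PHI request from one API client."""
    client = INVENTORY.get(client_id)
    if client is None:
        return False, "unknown client: not in the PHI access inventory"
    if client.owner is None:
        return False, "no named identity owner for this access path"
    if client.offboarded_on is not None and today >= client.offboarded_on:
        return False, "client offboarded: credentials should already be revoked"
    if any(is_broad(s) for s in client.scopes):
        return False, "broad token scope granted: narrow it before allowing access"
    if requested_scope not in client.scopes:
        return False, "scope %s not granted to %s" % (requested_scope, client_id)
    return True, "allowed"
```

Each denial reason maps back to one of the guidance items, so a gateway log of denials doubles as a list of inventory, scoping, or offboarding gaps to fix.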
What's in the full article
Imprivata's full article covers the operational detail this post intentionally leaves for the source:
- Specific CMS alignment details for the 21-network, 11-health-system, and seven-vendor rollout.
- The article's discussion of authentication options such as OpenID Connect, facial recognition, and passkeys in a healthcare context.
- The source's guidance on business associate agreements and how they extend protection obligations across partners and contractors.
- The practical discussion of zero-trust access, secure transmission, and healthcare rollout readiness.