Building Secure Access to UCSF’s EHR Data

Session Host/Speaker(s)

Electronic Medical Record (EMR) systems contain clinical data critical to driving improved digital patient experiences across our healthcare system. Application Program Interfaces (APIs) provide an industry supported mechanism for securely providing access to our patient data. Current EMR provided security measures through user security settings alone are not sufficient. We will review common API requests, the limitations of Epic's user security settings, and how we have added additional constraints through our MuleSoft proxy to ensure Need to Know access is all that is granted. 

The IT Integration Services team has recently transitioned the proxy logic to use dynamic DataWeave scripts and the Salesforce platform to add efficiency and flexibility which has reduced our costs to build and maintain our API data validation and redaction rules. We will explain the initial proxy build, the limitations it had, and how the new dynamic proxy is better serving our needs.