Tech Expert Breaks Down the Security Challenges Attached to the CMS Healthcare Data Sharing Plan

As U.S. healthcare systems push toward data interoperability, the Centers for Medicare & Medicaid Services (CMS) is advancing a new framework to simplify information exchange between patients and providers. Yet, as the sector’s cyber risk surges—with healthcare breaches rising 239% between 2018 and 2023, according to the HHS Office for Civil Rights—the agency’s ambitious plan could expose healthcare providers and patients to new vulnerabilities if it is not rigorously secured.

Unveiled in July, the CMS initiative will unite 21 networks, 11 health systems, and seven electronic health record (EHR) vendors under a new CMS Aligned Networks program set for 2026. The goal is to make patient health data easily accessible through standardized application programming interfaces (APIs). But while its intended convenience is undeniable, experts warn that the same mechanisms enabling seamless access could also streamline malicious activity. Protected health information (PHI) remains one of the most lucrative targets on the dark web, and broader access could widen the attack surface across the healthcare ecosystem.

“While in principle this approach will indeed make it easier for people to access their PHI, it may also give rise to an easier mechanism by which malicious actors can steal that information,” said Joel Burleson-Davis, Chief Technology Officer at Imprivata, in a recent Medical Device Network article. He emphasized that the CMS rollout must be matched by equally robust identity assurance protocols and app-level safeguards.

“The level of security and scrutiny around the CMS’s roll-out of this plan, along with the healthcare organizations who participate in it, will have to be very strong,” he said. “Otherwise the initiative could ultimately end up opening the floodgates for PHI to get exfiltrated to the dark web.”

To ensure safe implementation, experts recommend leveraging modern authentication models such as OpenID Connect (OIDC), facial recognition, and passkeys to verify patient identity without compromising usability. These measures can prevent a repeat of past breaches tied to password-based systems.

But Burleson-Davis stresses that strong authentication is only part of the equation. The broader security posture must also account for the complex network of vendors, developers, and third-party service providers that handle PHI. Each link in this supply chain, from app developers to API providers, must adhere to rigorous security standards and business associate agreements that extend protection obligations across every partner and contractor. Ensuring continuous monitoring, zero-trust access principles, and secure data transmission protocols throughout the network will be critical to maintaining integrity from the original data source to the patient’s device. As healthcare’s digital frontier expands, data-sharing innovation must advance hand-in-hand with security maturity.
