
Increasing API Adoption While Addressing Healthcare Cybersecurity Concerns

With healthcare cybersecurity best practices in mind, API adoption can help organizations increase interoperability, efficiency, and security.


Application programming interface (API) adoption is growing rapidly, but healthcare cybersecurity concerns are not far behind.

For healthcare, a breadth of evidence suggests that API adoption could revolutionize interoperability efforts and health data exchange by facilitating patient data access and efficient care delivery.

Cequence researchers observed a 941 percent increase in health monitoring API usage from June to December 2021 alone. In addition, providers are increasingly implementing the API-driven HL7 Fast Healthcare Interoperability Resources (FHIR) standard to comply with the CMS Interoperability and Patient Access final rule.

Part of a larger push toward digital transformation and interoperability, the recent uptick in API adoption signifies a major shift for the healthcare sector. But with any technology comes a new set of cybersecurity risks.

“The use of cloud technologies, increased use of APIs, and increased system interoperability are all good from a provider standpoint and from a patient standpoint,” Bill Ahrens, director at Mazars, explained in an interview with HealthITSecurity. “However, they are also wonderful from a hacker's standpoint.”

APIs are not necessarily riskier than any other health IT tool from a security perspective, but human error and poor implementation tactics can make them less secure. When implemented correctly, APIs can be reliable assets to any healthcare organization.

Top API Security Risks

“An API is technology that allows one software app to programmatically access the services provided by another software app,” the Office of the National Coordinator for Health Information Technology explained in an API security guidance document.

“For example, third-party online travel agents use APIs, provided by each individual airline, to access flight scheduling data and aggregate information for consumers to find an optimal flight.”

Essentially, APIs allow two applications to “talk” to one another and seamlessly share data, the HHS Health Sector Cybersecurity Coordination Center (HC3) explained in a brief. The entire API ecosystem is made up of the data being shared, the APIs themselves, the developers, applications and software, and end users.

The rising popularity of mHealth applications, the incorporation of clinical decision support (CDS) tools, and an industry-wide push toward interoperability have made APIs an extremely useful tool in the healthcare sector.

“APIs provide a lot of benefits, but depending on how they're implemented, they may not be as secure as they should be,” Ahrens said.

“From a healthcare standpoint, I see it as this aspect of duality. Healthcare needs to provide easier access to more data. But because of that, it must have a greater focus on data privacy and security.”

APIs are not inherently risky, ONC noted. But implementing APIs without the proper privacy and security safeguards can expose organizations, and the protected health information (PHI) they have pledged to safeguard, to cyber risks.

ONC classified API vulnerabilities into two primary categories: vulnerabilities that stem from outdated internet and API security specifications, and vulnerabilities that result from human oversight. For example, failing to implement security best practices can result in unintended API functionality.

“The ubiquitous nature of APIs combined with the value of health data have made APIs a potential gateway for malicious activities, especially those allowing cybercriminals to commit fraud,” HC3 noted.

“Many of the threats to APIs are the same for other technologies in terms of threat actors, as well as tactics, techniques and procedures (TTPs).”

APIs present yet another attack vector to malicious hackers, and poor implementation or development can make their jobs that much easier. Along with network intrusions, unauthorized PHI access, and the potential for reputational harm as a result of a cyberattack, API security issues can also be costly.

In a recent report, Imperva partnered with the Marsh McLennan Global Cyber Risk Analytics Center to analyze API-related incident data and quantify the cost of API insecurity. Researchers estimated that insecure APIs may cause $12 billion to $23 billion in average annual API-related cyber loss in the US and anywhere from $41 billion to $75 billion globally.

The research also revealed a correlation between company revenue and API-related event frequency. Companies earning more than $100 billion in revenue attributed a quarter of their cyber events (during the analysis period) to API insecurity.

API security challenges must be considered carefully, but the risks do not outweigh the benefits. HC3 listed a multitude of ways in which healthcare organizations can benefit from API adoption, including increased speed, efficiency, and the ability to create broader developer and partner ecosystems to spearhead innovation.

When used appropriately, APIs can even enhance security efforts by allowing organizations to share records systems more securely with mobile, web, and cloud applications. With the proper security controls and best practices, healthcare organizations can use APIs to increase efficiency and promote interoperability.

Tackling API Security Risks

“You need to focus on the fundamentals—far too often, that's where people let down their guard,” Ahrens advised.

“The hackers will take the path of least resistance. If there is a system that has a vulnerability that hasn't been patched in a year, that's what they will go after.”

HC3 recommended that organizations prioritize continuous API management and the monitoring and policy-enforcement functionality that comes with it.

“API management is critical, as it facilitates greater understanding and control of APIs and allows for the use of APIs to monitor activity and usage. As healthcare becomes further digitized and services such as telehealth and telemedicine continue to expand, authorization and authentication should increasingly occur at the front end of the architecture,” HC3 explained.

“API management functionality offers traffic monitoring to flag unexpected activity, such as out-of-sequence or expired API requests, as well as automated enforcement of enterprise security policies. Finally, management also includes maintaining an inventory of all APIs, which should be subject to periodic updating.”

Organizations should also implement APIs with proper authentication and authorization controls and strong encryption.

“Security should not be an afterthought, but an initial priority when implementing APIs. As a foundational security concept, the principle of least privilege should always be practiced, especially when designing and deploying APIs,” HC3 continued.

“Access to information or resources should only be limited to those who need it, and only just enough to satisfy their requirements. Limitations based on role, time, status, among other criteria, can and should be implemented as much as possible, in order to balance access with security.”
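The controls HC3 describes above (an API inventory, flagging expired and out-of-sequence requests, and least-privilege limits by role and time) can all sit in one policy layer in front of the API. The following is an added example written for this article, not code from HC3, ONC or any vendor: the roles, their grants, the business-hours window, the client ids and the sample traffic are constructed assumptions, while the resource names are FHIR resource types.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed least-privilege table: role -> set of (HTTP method, FHIR resource type)
# the role actually needs. The roles and their grants are assumptions for this example.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "nurse": {("GET", "Patient"), ("GET", "Observation")},
    "clinician": {("GET", "Patient"), ("GET", "Observation"),
                  ("POST", "Observation"), ("GET", "MedicationRequest")},
    "billing": {("GET", "Claim")},
}

# Time-based limitation (hypothetical): billing integrations may only call
# during business hours, expressed as a [start, end) UTC hour window.
ROLE_HOURS: Dict[str, Tuple[int, int]] = {"billing": (8, 18)}


@dataclass
class ApiRequest:
    request_id: str
    client_id: str
    role: str
    method: str
    resource: str
    token_exp: int   # token expiry, Unix epoch seconds
    sequence: int    # per-client counter, must increase on every call
    received: int    # time the gateway received the call, Unix epoch seconds


@dataclass
class Gateway:
    inventory: Set[str]                                  # known, managed API resources
    last_seq: Dict[str, int] = field(default_factory=dict)
    alerts: List[Dict[str, str]] = field(default_factory=list)

    def _flag(self, req: ApiRequest, reason: str) -> Tuple[bool, str]:
        # Record the event for the monitoring side and deny the call.
        self.alerts.append({"request_id": req.request_id,
                            "client_id": req.client_id, "reason": reason})
        return False, reason

    def authorize(self, req: ApiRequest) -> Tuple[bool, str]:
        # 1. Inventory: a call to an API nobody is managing is flagged, not served.
        if req.resource not in self.inventory:
            return self._flag(req, "unknown_api")
        # 2. Expired credentials are the "expired API request" HC3 mentions.
        if req.token_exp <= req.received:
            return self._flag(req, "expired_token")
        # 3. Out-of-sequence traffic (replayed or reordered calls).
        if req.sequence <= self.last_seq.get(req.client_id, 0):
            return self._flag(req, "out_of_sequence")
        self.last_seq[req.client_id] = req.sequence
        # 4. Least privilege by role.
        if (req.method, req.resource) not in ROLE_PERMISSIONS.get(req.role, set()):
            return self._flag(req, "role_denied")
        # 5. Least privilege by time of day.
        window = ROLE_HOURS.get(req.role)
        if window is not None:
            hour = datetime.fromtimestamp(req.received, tz=timezone.utc).hour
            if not window[0] <= hour < window[1]:
                return self._flag(req, "outside_hours")
        return True, "allowed"


def run_demo() -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    """Run constructed sample traffic through the gateway and return the decisions."""
    now = 1_700_000_000  # constructed timestamp: 2023-11-14 22:13:20 UTC
    gw = Gateway(inventory={"Patient", "Observation", "MedicationRequest", "Claim"})
    valid = now + 3600
    traffic = [
        ApiRequest("r1", "ward-app", "nurse", "GET", "Observation", valid, 1, now),
        ApiRequest("r2", "ward-app", "nurse", "POST", "Observation", valid, 2, now),
        ApiRequest("r3", "ward-app", "nurse", "GET", "Observation", valid, 1, now),    # replay
        ApiRequest("r4", "bill-app", "billing", "GET", "Claim", valid, 1, now),        # 22:13 UTC
        ApiRequest("r5", "ehr-app", "clinician", "GET", "Patient", now - 10, 1, now),  # expired
        ApiRequest("r6", "ehr-app", "clinician", "GET", "Ledger", valid, 2, now),      # not in inventory
    ]
    results = {req.request_id: gw.authorize(req)[1] for req in traffic}
    return results, gw.alerts


if __name__ == "__main__":
    decisions, alerts = run_demo()
    for rid, outcome in decisions.items():
        print(rid, outcome)
    print(len(alerts), "events flagged for monitoring")
```

The order of the checks matters: inventory and credential validity are evaluated before any role logic, so a call to an unmanaged endpoint or with an expired token never reaches the permission table, and every denial is also written to the alert list so the monitoring side sees the same events the policy engine acted on.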

Similarly, ONC suggested that organizations prioritize implementing Transport Layer Security (TLS) Version 1.2 or higher to protect health information in transit. In addition, organizations should develop technical and administrative safeguards prior to granting credentials.

Healthcare organizations should also consider implementing risk-based authentication controls and ensure that the API cannot unintentionally expose PHI.

“Develop systems with technical authorization controls flexible enough to support individual privacy preferences that are capable of limiting API access, use, or disclosure based on what is necessary to satisfy a particular purpose or carry out a function,” ONC emphasized.

“Evaluate any service provider’s infrastructure, security practices, and technical capabilities for hosting implementations of APIs and apps that store and access health information.”

To account for privacy concerns, ONC reminded organizations to ensure that their API-driven technology respects patients’ choices about the types of health information that are shared with a third party and gives patients the ability to revoke permissions.
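ONC's two points above, authorization limited to what a particular purpose needs and patient preferences that can be revoked, combine into a single access decision. The following is an added example written for this article and not ONC's or any FHIR server's code: the purpose-to-resource mapping, the app ids, the patient ids and the consent records are constructed assumptions; the resource names are FHIR resource types.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Purpose-of-use -> the resource types that purpose actually needs. These
# mappings are assumptions for the example; the resource names are FHIR types.
PURPOSE_NEEDS: Dict[str, Set[str]] = {
    "treatment": {"Patient", "Observation", "MedicationRequest"},
    "fitness_tracking": {"Observation"},
}


@dataclass
class Consent:
    patient_id: str
    app_id: str
    allowed_types: Set[str]   # what the patient chose to share with this app
    revoked: bool = False


class ConsentStore:
    """Constructed in-memory store of patient sharing preferences."""

    def __init__(self) -> None:
        self._consents: Dict[Tuple[str, str], Consent] = {}
        self.audit: List[Tuple[str, str, str, str]] = []

    def grant(self, patient_id: str, app_id: str, allowed_types: Set[str]) -> None:
        self._consents[(patient_id, app_id)] = Consent(patient_id, app_id, set(allowed_types))

    def revoke(self, patient_id: str, app_id: str) -> None:
        # Revocation is a flag, not a deletion, so the audit trail keeps the history.
        consent = self._consents.get((patient_id, app_id))
        if consent is not None:
            consent.revoked = True

    def decide(self, patient_id: str, app_id: str, purpose: str,
               resource_type: str, record_owner: str) -> Tuple[bool, str]:
        ok, reason = self._evaluate(patient_id, app_id, purpose, resource_type, record_owner)
        self.audit.append((app_id, patient_id, resource_type, reason))
        return ok, reason

    def _evaluate(self, patient_id: str, app_id: str, purpose: str,
                  resource_type: str, record_owner: str) -> Tuple[bool, str]:
        # A consent never authorizes reading another patient's record.
        if record_owner != patient_id:
            return False, "wrong_patient"
        consent = self._consents.get((patient_id, app_id))
        if consent is None:
            return False, "no_consent"
        if consent.revoked:
            return False, "revoked"
        # Purpose limitation: the request must need this type for its stated purpose...
        if resource_type not in PURPOSE_NEEDS.get(purpose, set()):
            return False, "not_needed_for_purpose"
        # ...and the patient must have chosen to share it with this app.
        if resource_type not in consent.allowed_types:
            return False, "patient_excluded"
        return True, "allowed"


def run_demo() -> Tuple[Dict[str, str], List[Tuple[str, str, str, str]]]:
    """Exercise the decision logic with constructed patients, apps and consents."""
    store = ConsentStore()
    store.grant("p1", "fit-app", {"Observation"})   # p1 shares vitals only, no medications
    checks = {
        "share_obs": store.decide("p1", "fit-app", "fitness_tracking", "Observation", "p1")[1],
        "over_scope": store.decide("p1", "fit-app", "fitness_tracking", "MedicationRequest", "p1")[1],
        "excluded": store.decide("p1", "fit-app", "treatment", "MedicationRequest", "p1")[1],
        "cross_patient": store.decide("p1", "fit-app", "fitness_tracking", "Observation", "p2")[1],
        "unknown_app": store.decide("p1", "other-app", "treatment", "Observation", "p1")[1],
    }
    store.revoke("p1", "fit-app")
    checks["after_revoke"] = store.decide("p1", "fit-app", "fitness_tracking", "Observation", "p1")[1]
    return checks, store.audit


if __name__ == "__main__":
    outcomes, trail = run_demo()
    for name, reason in outcomes.items():
        print(f"{name:14} {reason}")
    print(len(trail), "decisions audited")
```

Two design choices are worth noting: the purpose check runs before the patient-preference check, so an app asking for more than its stated purpose needs is refused even when the patient would have allowed that type, and every decision, allowed or not, lands in the audit list so a revoked app's later attempts remain visible.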

“Digital transformation is a trend that's going to continue into the foreseeable future. And because of that, the risks are only going to increase,” Ahrens reiterated.

“Focusing on the fundamentals, and doing your due diligence is going to pay significant dividends.”