Importance of API Security in Healthcare Grows as Cyberattacks Increase

February 10, 2022 - API security is essential to healthcare cybersecurity as threat actors increasingly turn to APIs as an easy network entry point. In 2019, Gartner predicted that API attacks would become the most common attack vector by 2022. New research from Cequence confirmed that Gartner’s prediction might become a reality this year.

Cequence’s analysis of API usage patterns from June to December 2021 found that health monitoring API usage rose by a staggering 941 percent. Developers are also increasingly favoring APIs to improve user experience.

“As the digitization of commerce happened, we started to see APIs utilized in new ways. Data is moved around allowing for additional analytics and trends to be realized. The same thing is happening in healthcare,” Jason Kent, hacker in residence at Cequence, told HealthITSecurity.

“Patients wanted real-time, hands-on data, so healthcare organizations began making things more connected.”

API usage is increasing in healthcare and other industries for good reasons. APIs can increase productivity, cut costs, and allow innovation and collaboration.

“It started with wearable voice over internet protocol [VoIP]phones that allowed for all sorts of integrations at the command of a voice and has moved forward in many directions,” Kent continued.

“Patients can see their X-rays on their phones, share hospital data with primary care physicians at the push of a button, and third-party integrations are more and more prevalent. Moving from paper charts to having an app on a phone means APIs need to move data from all sorts of places within the IT ecosystem.”

But just like any technology, rapid implementation can introduce new security risks. At the same time, threat actors are always looking for new vulnerable attack vectors to exploit.

The report found significant increases in account scraping, account takeovers, and malicious traffic surrounding API use.

“Since there are so many APIs out there now, there is a new attack vector of opportunity, and attackers are tooling up to exploit vulnerabilities in APIs,” Kent said.

“Additionally, organizations that are implementing APIs are treating them like standard web applications and not doing enough to ensure they are implemented safely. The interesting thing is that attacks that stopped working on websites a few years ago work just fine on APIs.”

Developers must prioritize API security and data privacy to prevent threat actors from easily manipulating APIs.

Kent recommended that healthcare organizations maintain an inventory of what is connected to APIs. In addition, security teams should conduct penetration testing in systems with protected health information (PHI) at least twice per year to satisfy HIPAA requirements and safeguard patient data.

Lastly, organizations should prioritize patching systems quickly to avoid exploitation. Without proper API security measures, healthcare organizations and developers are risking patient data exposure and cyberattacks.