Choosing a Secure API for Your Healthcare Software Valentina Synenka April 19, 2022 Consider an ideal healthcare setting where patient apps, fitness trackers, pharmacy software, laboratory tools, and health systems exchange data effortlessly. In such an imagined world, anyone from physicians and patients to medical researchers can instantly access the files they need over their smartphones. However, reality looks pretty different. It’s estimated that 90% of the patients across the United States complain of the lack of medical records and other forms of data sharing. Additionally, about 67% of the patients consider changing their healthcare providers because of the lack of data sharing. Thankfully, interoperability rules for the healthcare industry were established in 2020 to address the issue. The rules aim at seamless data transmission within the healthcare domain and are expected to ensure the medical industry phases out archaic devices. Instead of using fax machines, the stakeholders in the healthcare sector will start using medical APIs (Application Programming Interfaces) for communication and data exchange. What Are Healthcare APIs and How Do They Work? According to market research, the medical API market size was valued at $210.9 million in 2019 and is forecasted to reach $336.02 million in 2027 with an annual growth rate (CAGR) of 6.3% from 2020 to 2027. This indicates that healthcare API applications in medicine will continue to grow. Let’s look into an example of how APIs work in healthcare environments. Imagine a patient who wants to integrate their nutrition application with data records of their cholesterol and blood pressure levels. Below is what the workflow would look like using APIs. The patient uses their credentials to log into their nutrition application. The patient selects a healthcare or medical facility from a menu and connects to the Electronic Health Records (EHR) API. The nutrition application sends a request for a patient’s cholesterol and blood pressure levels through the API. This is done using the Hypertext Transport Transfer Protocol (HTTP) protocol. The EHR validates the incoming request from the API and sends the response back to the application in a compatible cross-application format such as Extensible Markup Language (XML) and JavaScript Object Notation (JSON). Suppose the API uses OAuth 2.0 or OpenID Connect standards for authorization and authentication. In that case, it will request to provide biometrical data or password, otherwise called credentials, before it delivers the requested data. Depending on the information retrieved from the EHR systems, the application can then personalize the nutrition tips. If the patient has relevant data from multiple EHRs, they can integrate other sources into their app. Connections in other healthcare situations would follow a similar workflow. Different scenarios include data exchange between two EHRs, a hospice management system, healthcare analytics, a pharmacy wearable device, or linking the EHR to an inventory management system. APIs are poised to bring many benefits to healthcare data interoperability. However, API endpoints have been the target of cyber attackers for some time. According to an API security report by Salt Security, there was a 681% increase in API attacks within the last 12 months. So, why are APIs a weak point for cyber threats? Below are some ways healthcare APIs might expose patient data, resulting in heavy reputational losses or even lawsuits from the aggrieved patients. How APIs May Be a Weak Point for Cyber Threats Insecure Resource Limits and Pagination Most APIs offer access to resources in lists of entities like /widgets or /users. Clients like browsers would normally paginate and filter through the list while limiting the number of entity items returned to the client. If the entity contains any Personally Identifiable Information (PII) or other valuable information, and doesn’t have the proper authorization and rate-limiting in place, the attacker could scrape the endpoint to obtain a dump of all the entities in your database. Generating Insecure API Keys Most APIs are safeguarded by a JSON Web Token (JWT) or an API key. This offers a natural way of tracking and protecting the API. The API security tool can detect abnormal behavior with the medical API and automatically block access to such an API key. However, cybercriminals can outsmart the mechanisms by generating a massive pool of API keys for many users. Similarly, they can use a pool of IP addresses to circumvent DDoS protection. This might give the attacker access to the entire suite of services, resulting in a massive compromise to the integrity of the services offered by the API. Broken User Authentication If the authentication mechanisms are incorrectly implemented, the attackers can compromise the authentication tokens or exploit the implementation flaws. If successful, the attacker can assume a patient’s or an administrator’s identity temporarily or even permanently. This compromises the ability of the system to identify the user or client. Due to the stealth nature of broken user authentication, the attacker might remain in the system for a long time without detection, compromising the overall system. Hence, you must follow the API security best practices. Security Misconfiguration This issue mainly stems from insecure default configurations, open cloud storage, ad-hoc or incomplete configurations, unnecessary HTTP methods, and misconfigured HTTP headers. Other causes of security misconfiguration are verbose error messages that contain sensitive information and permissive Cross-Origin Resource Sharing (CORS). These are avoidable by ensuring that your healthcare staff is trained on the API security best practices and follows them in routine operations. The result of such incidences could be huge losses to the healthcare facility. First, the facility must always be HIPAA and GDPR compliant. Hence, with such data breaches, it becomes prone to protracted lawsuits that might lead to hefty fines and damage to your reputation. With the damaged reputation, customers or patients start transferring or even changing to another healthcare provider. This is a huge blow to customer retention rates, resulting in lower profits and revenues. So let’s look at what should be considered when choosing a secure API for any healthcare application or software. Choosing a Secure API in Healthcare Ensure the API Is TLS Protected Evaluate the API service provider’s security practices, technical capabilities, and infrastructure. Remember, the provider will be hosting the API implementations and applications that access and store the health information. A good API should be protected using TLS, preferably Version 1.27 or higher. The protocol should also use strong cipher suites like AES (Advanced Encryption Standards) to safeguard health information on transit from the EHR through the API to the third party. Sensitive data should always be securely stored and transmitted. Anything short of this exposes you to cyberattacks on the API endpoints. The criminals might steal banking information, social security numbers, health information, and other sensitive information. Ensure You Use a HIPAA Compliant API Most clinics use various connector tools rather than secure medical APIs. However, many connectors are not HIPAA compliant. Because of its sensitivity, it is an API security best practice to use HIPAA-compliant APIs, especially when working with health information. There are several essential safeguards that any medical API should have to be HIPAA compliant. This includes limiting data access, encryption, and system activity tracking. For additional healthcare API security, the best practice is to seek an API that is SOC-2 compliant, has properly documented security practices, and undergoes penetration tests by a third party every year. Limiting API Access Ensure you establish authentication controls that are risk-based and correspond to the security risk assessment of your organization. They should also be commensurate with the sensitivity of the information, user, and data types. The technical organization controls should support the individual privacy preferences while limiting use, access, or disclosure depending on the need. Preliminary Input Validation It is essential to never trigger any action without validating the preliminary inputs. This is an integral approach that helps in averting lots of security problems. Anything that is to be accepted by the server should be carefully verified. Any extra content and large amounts of data should not be accepted. Hence, it is helpful to use XML or JSON schema validation to avert any XML bomb or SQL injection. Inadequate Validation Validating the SSL certificates is always essential to ensure healthcare API security. Inadequate validation and lacking API intervention practices expose you to the wrath of cybercriminals. They can steal your credentials and API keys by exploiting your laxity. Ensure You Mitigate Risks Whenever Using Open-Source APIs There are a lot of benefits you might get by using open-source APIs. However, they also have several drawbacks, especially if you are in the healthcare sector. Security isn’t always a priority because open-source APIs are created in common projects. The software quality may also be inconsistent without adopting the right security procedures and processes. Hence if any vulnerability is identified, it might not be handled with the necessary urgency. The API Should Have a Strong Documentation and Support Your healthcare API provider should offer strong support and clear documentation. This will ensure that integrating the API with the healthcare application and upgrading it is easy and seamless. The provider should also be committed to offering continuous API support. Have a Business Associate’s Agreement Entities covered by HIPAA may allow third parties like EHR providers and telehealth platforms to interact with confidential health records. The third parties are referred to as business associates. The covered entity should get a satisfactory assurance that the business associate will protect sensitive health information. Therefore, the associate should sign a BAA (Business Associate Agreement) with the healthcare provider. The agreement should outline what the business associates will do to protect all the confidential data they are or come in contact with. Put in Place DevSecOps Policies An API is a developer tool. It contains passwords, keys, and other sensitive information that must be eliminated before the API is released. This step is sometimes, unfortunately, left out of the picture. Hence, it is recommended to collaborate between the application development, operations, and security teams. You should also introduce scanning tools into the DevSecOps processes to prevent accidental exposure of confidential health data. Go Overboard with Control Whenever API requests come in, data may be exposed. Hence, it is prudent to set limits on connections, set password configurations, and ensure re-authentication is mandatory in case of overuse. Though it might seem like you are going overboard on control, you’d better be safe than sorry. Whenever reasonable, use solutions with solid authorization and authentication mechanisms like two-factor authentication, multi-factor authentication, OpenID Connect, and OAuth. API Incompetence Redundant and repetitive API usage might drag on if it isn’t tracked. Whenever this happens, you can incur huge expenses. You must have API monitoring in place, meaning that it is vital to have a solid API governance plan in place. API Security Testing Although all applications must undergo testing, this is one of healthcare API security best practices, hence a must. Comprehensive testing must be done on the application with particular attention to security. Take some time and hire a penetration testing company to uncover any underlying vulnerabilities in your medical API. Pay Enough Attention to Terms of Service Reading up on the terms and conditions of the API service provider is the only way to be informed on what the provider is supplying you. It can further result in issues with the quality of service offered. The type of data enterprise APIs use is typically specified in the usage terms. Summary APIs in healthcare are essential for ensuring communication, integration, and interoperability. However, they are also prone to various endpoint vulnerabilities that might result in severe damage to the reputation of the healthcare institution. Insecure medical APIs can also result in heavy losses and a massive blow to customer retention efforts. However, there are several healthcare API security best practices that you can observe to mitigate these threats, as discussed above. The latest API insights straight to your inbox