Making APIs in Healthcare More Secure

Demand for healthcare services continues to accelerate. The pandemic, and the knock-on effect of delayed operations and treatments, have intensified that demand over the last two years. All of this is challenging the NHS.

Healthcare technology innovation and the digitisation of worldwide healthcare services are seen as the way to overcome many of these challenges. Consequently, the UK Government is investing in growing its capabilities. It is looking at areas such as AI, machine learning and, more broadly, data-driven healthcare to make it more accessible, affordable and sustainable.

However, patients have rising expectations about the quality and safety of such services, and ever more complex regulations demand stricter governance. Neither makes this an easy task.

Protecting sensitive data

Digitising services and sharing data across health systems is the way forward. Yet personally identifiable information (PII) is among the most sensitive data there is, and healthcare records must be handled accordingly whenever they are disclosed.

Today, NHS Trusts run a multitude of medical systems that share information within hospitals and connect to external healthcare providers. There is also growing demand for personal health and wellbeing devices, which let citizens add data to their own health profile. Health data, in short, is growing explosively.

The rise of health trackers that monitor fitness, sleep patterns, heart rate, respiration and other vital signs has produced a fragmented view of consumer data. The acquired data can also be used in several ways: contributed privately to clinical databases, or used for research. Each use adds complexity to how data is aggregated, accessed, stored and secured.

Interoperability is the key. It has become the watchword as the industry coordinates care for patients across a large and growing set of players, and Application Programming Interfaces (APIs) have become the critical component: they allow systems to communicate with each other and close the gap on how information is used. The philosophy is that all systems are integrated, work together in a compliant way, and sensitive data stays protected even if one system is breached.

Challenges include custom-built APIs and siloed technologies

Unfortunately, this is not always the case, owing to many technological gaps. The sector has lacked common data standards and is full of siloed technologies, so custom APIs have to be built for each system to fit the needs of the service it supports. That is time-consuming, and API management becomes onerous as systems are upgraded and replaced.

As a result, the number and complexity of APIs continue to grow. Analyst firm Gartner predicted that APIs would become the most common attack vector in 2022. According to 451 Research’s 2022 API Security Trends Report, 41% of the organisations represented by survey respondents had an API security incident in the last 12 months, and 63% noted that the incident involved a data breach or loss.

The good news is that today there are several global open healthcare standards. Among them are Health Level Seven (HL7®), Fast Healthcare Interoperability Resources (FHIR®) and Digital Imaging and Communications in Medicine (DICOM®).

FHIR is an API-focused standard that defines how healthcare information is represented and exchanged between systems, regardless of how each system stores it. HL7 is a set of international standards for the transfer of clinical and administrative data between software applications used by various healthcare providers. DICOM is the standard for communicating and managing medical imaging information and related data. These standards do not secure data on their own, but a common, well-specified format makes it far easier to apply consistent access control, auditing and data-handling rules within strict healthcare and compliance boundaries.

Updates to FHIR help to facilitate interoperability with legacy systems

The most recent version of FHIR builds on HL7’s earlier data-format standards. Importantly, it is easier to implement because it uses a modern web-based suite of API technology: RESTful HTTP with resources exchanged as JSON or XML. One of its goals is interoperability with legacy healthcare systems, making it easier to share information across a wide variety of devices. It allows third-party developers to build medical applications that integrate easily with existing systems.

It also addresses another important challenge across the sector: many organisations still run older technology that is not API-enabled. The industry needs to move away from locally installed, on-premises-only environments towards a more cloud-based model in which APIs can be enabled.

Public cloud providers such as Google Cloud and Microsoft Azure are enabling healthcare organisations to build solutions in the cloud rapidly, transforming the old way of working and enabling standardised data exchange between healthcare applications and solutions.

This has allowed data sitting in legacy systems to be used by healthcare professionals, and it provides highly scalable, enterprise-grade environments for building clinical and analytics solutions securely in the cloud.

However, the transition from on-premises to the cloud will never cover the entire healthcare sector. Stringent regulatory requirements mean that some PII must stay on particular systems, and some legacy systems are simply not cost-effective to migrate.

API security has become a priority

API security has emerged as a key priority for protecting vital healthcare systems, yet it is also an area where many organisations lack expertise. API security testing in healthcare is challenging because organisations must work within tight constraints and a heavily regulated environment.

Everything therefore has to be thoroughly tested, with strict controls in place. Questions need to be asked about what data an API exposes and what the healthcare provider intends to do with it. The provider faces the same technical challenges as any enterprise, but the impact is far more severe because of the sensitivity of the data, the fines involved and, most importantly, the effect a breach might have on someone’s health.

Understanding the use case for the API informs the testing

As demand for health data grows, providers must prioritise API security and data privacy so that threat actors cannot easily manipulate APIs. Discovery is the first step: identifying the specific data types in API requests and responses shows what is being transferred, how, and whether the exchange is authenticated and secure. Providers also need to check that the appropriate API testing is being carried out, because the use case for the API informs the testing.

Healthcare organisations must maintain accurate API inventories and ensure authentication is in place. An inventory should go well beyond a count of APIs: it should record the security characteristics of each API, notably which ones return sensitive data and whether callers are authenticated.

Security teams should also test systems that hold protected health information (PHI). To be effective, such testing requires collaboration between AppSec and DevOps teams, with testing capabilities integrated into developer tools as frictionlessly as possible. Likewise, organisations should prioritise patching systems quickly to avoid exploitation.

New advancements in healthcare technology will drive more data points

The UK government has committed to building 48 new hospitals by 2030 and driving transformation and new healthcare technology advancements. Interoperability, with all data accessible from one place in real-time, is central to achieving these transformation goals, delivering more facts per patient per decision.

To put this into context, in 1980, a healthcare professional had about 10 facts per patient per decision. In 2020, this rose to about 1,000 facts per patient per decision. APIs will be critical to delivering the interoperability that will power this data-driven decision-making, but more importantly, API security will be key to keeping patient data safe.


Noname Security is the only company taking a complete, proactive approach to API Security. Noname works with 20% of the Fortune 500 and covers the entire API security scope across three pillars — Posture Management, Runtime Security, and Secure API SDLC. Noname Security is privately held, remote first with headquarters in Palo Alto, California, and an office in Tel Aviv and Amsterdam.
