The silent killers in digital healthcare
As digital transformation revolutionizes the healthcare industry, its use of API (application programming interfaces) technology is skyrocketing.
By Chris Bowen | HelpNetSecurity | Published April 25, 2023
APIs, which help users and apps interact and exchange information, are essential tools for healthcare systems striving to achieve greater interoperability. The ability to rapidly and securely transmit data between patients and providers offers the opportunity to not only create better patient experiences, but also improve health outcomes.
But as APIs become increasingly common in the digital healthcare landscape, it’s hard not to notice a troubling trend — API vulnerabilities are becoming so massive you could drive a truck through them. And it seems the bad guys are the only ones aware of these vulnerabilities as they exploit them left and right.
API-related breaches cost more than just time and money: organizational reputation is at stake and, above all else, the personal dignity of victims who have their most personal health information exposed. Healthcare organizations must stop treating API security like an afterthought and architect their APIs with security and compliance as core guiding principles from the outset.
Recent API data breaches: Causes and effects
Cybercriminals are relentless. I see news about sensitive patient data being leaked almost every day. Pick your headline to choose from: “Healthcare provider warns 4.2 million people of a data breach,” “With 385 million patient records exposed, cybersecurity experts sound alarm on breach surge,” “Healthcare Service Announces Data Breach Affecting Patients’ Social Security Numbers and Protected Health Information.” The list goes on and on and grows longer every time I look.
These risks mean that good people working as cybersecurity professionals to protect healthcare companies must work to stay one step ahead of the attackers. We must design secure API technologies proactively, and the government needs to pursue cybercriminals just as they would any other type of criminal. When a malicious actor can shut down a hospital’s IT systems and jeopardize patient safety, they put lives at stake. And until the government can exact consequences against the attackers that are painful enough to dissuade future breaches, defenders will always be one step behind attackers.
Cyber thieves have taken advantage of API vulnerabilities to execute many high profile healthcare breaches, including the Optus data breach that affected over 11 million patients last year.
Examples of common API-related risks include DDoS attacks, data injection attacks, lack of encryption leading to sniffing attacks, broken functions in authorization and authentication, undocumented backdoor APIs, and old APIs no longer in use (“zombies”).
Implement API security by design
Protecting against API breaches requires adopting the principles of API security by design. Technical leaders need to approach API design with security top of mind, rather than as an afterthought.
Some of the core principles we need to see more of in healthcare cybersecurity include:
- FHIR (Fast Healthcare Interoperability Resource) compatibility and standard interface conformity, which provide the framework for facilitating standardized, seamless, and secure information exchange.
- Trusted connectivity—APIs must only connect to trusted users and apps.
- Data visibility limitation controls, which allow for control over who and what systems access APIs and when they are permitted to do so.
Other protections, such as a firewall, can amplify these efforts to limit access to APIs to trusted users. Additionally, implementing core search criteria and publicly available documentation can help create stronger APIs that the bad guys will fear. Technical leaders designing APIs can also keep hackers out by striving to have the least possible number of necessary data pulls.
As APIs become increasingly common ways to connect different systems and networks, API vulnerabilities will only proliferate if we don’t take on the responsibility of proactively improving our cyber defenses.
Cybercriminals vying to exploit these vulnerabilities are lurking in every crevice of the digital world, ready to find a way in. Technical leaders in the healthcare industry must be prepared to take offensive action and invest resources in designing more secure APIs to protect patients and their data and stay ahead of the bad guys.