Making APIs in healthcare more secure

Written by Filip Verloy, Technical Evangelist EMEA, Noname Security

Demand for healthcare services continues to accelerate at pace, heightened in the last two years by the pandemic and the knock-on effect of delayed operations and treatments, all of which is challenging the NHS. Healthcare technology innovation and the digitisation of worldwide healthcare services is seen as the way to overcome many of these challenges. Consequently, the UK Government is investing in growing capabilities in areas such as AI, machine learning, and more broadly around data-driven healthcare to make it more accessible, affordable and sustainable.

However, with patients’ increasing expectations around the quality and safety of such services, and ever-growing complex regulations that demand stricter governance, this is no easy task.

Protecting sensitive data

While digitising services and sharing data across health systems is the way forward, personally identifiable information (PII) is incredibly sensitive, and when it comes to disclosing healthcare records this data must be treated appropriately. Today, NHS Trusts have a multitude of medical systems sharing information within hospitals, as well as connecting to external healthcare providers. Combine this with the demand for personal health and wellbeing devices, through which citizens can add data to their own personal health profile, and you can see how growth in health data is exploding.

However, the increase in health trackers that monitor fitness, sleep patterns, heart rate, respiration and other vital signs has resulted in a fragmented view of consumer data. Additionally, the acquired data can be used in a variety of ways: privately, to contribute to clinical databases, or for research. This introduces additional complexity not only in data aggregation but also in how data is accessed, stored and secured.

Interoperability is the key and has become the watchword as the industry coordinates care for patients across a large and growing set of players. This is where Application Programming Interfaces (APIs) have become a critical component, allowing systems to communicate with each other and closing the gap between where information is held and where it is used. The intention is that all systems are integrated, work together in a compliant way, and that any sensitive data remains protected even in the event of a breach.

Challenges include custom-built APIs and siloed technologies

Unfortunately, a multitude of technological gaps means this is not always the case. Historically the sector has also lacked common data standards and has accumulated many siloed technologies, so custom APIs have to be built for each system to accommodate the needs of the service it provides. That is time-consuming to build and onerous to manage, because every custom API must be revisited as the systems around it are upgraded or replaced.

As a result, the number and complexity of APIs continues to grow. Analyst firm Gartner predicts that APIs will become the most common attack vector in 2022. According to 451 Research’s 2022 API Security Trends Report, 41% of the organisations represented by survey respondents had an API security incident in the last 12 months; 63% of those noted that the incident involved a data breach or data loss.

The good news is that today there are several global open healthcare standards: Health Level Seven (HL7®), Fast Healthcare Interoperability Resources (FHIR®) and Digital Imaging and Communications in Medicine (DICOM®). HL7 is a set of international standards for the transfer of clinical and administrative data between the software applications used by healthcare providers. FHIR, published by HL7, is an API-focused standard that defines how healthcare information is exchanged between systems regardless of how each system stores it. DICOM is the standard for the communication and management of medical imaging information and related data. These standards define the data formats and interfaces, which is what makes consistent access control across systems possible, but they do not on their own secure an exchange: an implementation still has to add transport encryption, authentication and authorisation (for FHIR, typically OAuth 2.0 via the SMART App Launch framework) and operate within strict healthcare and compliance boundaries.

Updates to FHIR help to facilitate interoperability with legacy systems

The most recent version of FHIR builds on previous HL7 data format standards (HL7 v2, v3 and CDA), but it is easier to implement because it uses a modern web-based suite of API technology: HTTP-based RESTful interfaces with resources represented as JSON or XML. One of its goals is to facilitate interoperability with legacy healthcare systems, making it easier to share healthcare information across a wide variety of devices. This allows third-party application developers to provide medical applications that can be integrated into existing systems with little friction.

This addresses another important challenge across the sector: many organisations are still using older technology that is not API-enabled. It is imperative that the industry moves away from locally installed, on-premises-only environments towards a cloud-based model in which APIs can be enabled. Public cloud providers such as Google Cloud and Microsoft Azure are already enabling healthcare organisations to build healthcare solutions in the cloud rapidly, replacing the old way of working with standardised data exchange between healthcare applications and services. This has allowed data sitting in legacy systems to be used by healthcare professionals, and it provides scalable, enterprise-grade development environments for building clinical and analytics solutions securely in the cloud.

That said, the transition from on-premises to the cloud will never cover the entire healthcare sector. Stringent regulatory requirements mean that some PII must stay on particular systems, and some legacy systems are simply not cost-effective to migrate away from on-premises.

API security has become a priority

What this does mean is that API security has emerged as a key priority for protecting vital healthcare systems. However, it is also an area where many organisations lack expertise. API security testing in healthcare is challenging because organisations operate within tight constraints and a heavily regulated environment.

This means everything has to be thoroughly tested with strict controls in place. Questions need to be asked about what data an API exposes and what the healthcare provider intends to do with that data. The provider faces the same technical challenges as every other enterprise, but the impact of a failure is far more severe: the data is more sensitive, the fines are larger and, most importantly, the consequences can reach someone's health.

Understanding the use case for the API informs the testing

As requirements for health data grow, providers must prioritise API security and data privacy so that threat actors cannot easily manipulate APIs. Discovery is therefore imperative: finding specific data types (an NHS number, a date of birth, a diagnosis) in API requests and responses is critical to understanding what data is being transferred, how it is transferred, and whether the exchange is authenticated and otherwise secured. Providers also need to confirm that the appropriate API testing is being carried out, because the use case for the API informs the testing.

Healthcare organisations must maintain accurate API inventories and ensure authentication is in place on every API. Inventories should go well beyond a count of APIs and record the security characteristics of each one, notably which APIs return sensitive data and what authentication they require. Security teams should also test the systems that handle protected health information (PHI), using synthetic or de-identified records wherever possible. To be effective, such testing should be a collaboration between AppSec and DevOps teams, with testing capabilities integrated into developer tools in as frictionless a way as possible. Likewise, organisations should patch systems quickly to avoid exploitation of known vulnerabilities.
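The two practices above, discovering which sensitive data types travel through each API and keeping an inventory that records whether those APIs are authenticated, can be combined in one pass over captured traffic. The following is an added example, not code from the article or from Noname Security. It assumes gateway log records of the shape shown in SAMPLE_TRAFFIC (constructed for the example), recognises NHS numbers by their modulus 11 check digit rather than by pattern alone, treats the FHIR birthDate element as PHI, and rates each endpoint by whether it returns sensitive data and whether it was ever called without an Authorization header. The NHS number 943 476 5919 is the commonly used test value, not a real patient's.

```python
"""Added example (not code from the article or from Noname Security): scan
captured API traffic for healthcare identifiers and build an API inventory
that records, per endpoint, which sensitive data types it carries and
whether it was ever called without credentials."""
import json
import re
from collections import defaultdict

# Ten digits in the usual 3-3-4 grouping, with optional spaces or hyphens.
NHS_CANDIDATE = re.compile(r"(?<!\d)\d{3}[ -]?\d{3}[ -]?\d{4}(?!\d)")
# FHIR element names whose values are PHI on their own (assumed list).
SENSITIVE_KEYS = {"birthDate": "date_of_birth"}

# Constructed gateway log: method, request path, request headers, response body.
SAMPLE_TRAFFIC = [
    {"method": "GET", "path": "/fhir/Patient/1042",
     "headers": {"Authorization": "Bearer eyJ...redacted"},
     "body": json.dumps({"resourceType": "Patient", "id": "1042",
                         "identifier": [{"system": "https://fhir.nhs.uk/Id/nhs-number",
                                         "value": "9434765919"}],
                         "birthDate": "1970-01-01"})},
    {"method": "GET", "path": "/fhir/Patient?identifier=9434765919",
     "headers": {},
     "body": json.dumps({"resourceType": "Bundle", "total": 1,
                         "entry": [{"resource": {"resourceType": "Patient",
                                                 "identifier": [{"value": "943 476 5919"}]}}]})},
    {"method": "GET", "path": "/api/v1/health", "headers": {},
     "body": json.dumps({"status": "ok"})},
    {"method": "POST", "path": "/api/v1/wearables/7781/steps",
     "headers": {"Authorization": "Bearer eyJ...redacted"},
     "body": json.dumps({"deviceSerial": "1234567890", "steps": 8421})},
]


def is_valid_nhs_number(candidate):
    """NHS number modulus 11 check: weights 10..2 over the first nine digits,
    check digit = 11 - (sum mod 11); a result of 11 means 0 and 10 means the
    number is invalid.  Filters out serials and phone numbers that merely
    look like NHS numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 10:
        return False
    total = sum(d * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    return check != 10 and check == digits[9]


def find_sensitive(value):
    """Walk a decoded JSON document (or a raw string such as a query string)
    and return the set of sensitive data types it contains."""
    found = set()
    if isinstance(value, dict):
        for key, child in value.items():
            if key in SENSITIVE_KEYS:
                found.add(SENSITIVE_KEYS[key])
            found |= find_sensitive(child)
    elif isinstance(value, list):
        for child in value:
            found |= find_sensitive(child)
    elif isinstance(value, str):
        if any(is_valid_nhs_number(m.group()) for m in NHS_CANDIDATE.finditer(value)):
            found.add("nhs_number")
    return found


def normalise_endpoint(method, path):
    """Collapse resource ids and drop the query string so calls to the same
    route share one inventory entry: /fhir/Patient/1042 -> /fhir/Patient/{id}."""
    route = path.partition("?")[0]
    parts = ["{id}" if part.isdigit() else part for part in route.split("/")]
    return f"{method} {'/'.join(parts)}"


def build_inventory(records):
    inventory = defaultdict(lambda: {"calls": 0, "unauthenticated_calls": 0,
                                     "sensitive_data": set()})
    for rec in records:
        entry = inventory[normalise_endpoint(rec["method"], rec["path"])]
        entry["calls"] += 1
        if not any(h.lower() == "authorization" for h in rec["headers"]):
            entry["unauthenticated_calls"] += 1
        # Identifiers in query strings matter too: they end up in access logs.
        entry["sensitive_data"] |= find_sensitive(rec["path"].partition("?")[2])
        try:
            body = json.loads(rec["body"])
        except (TypeError, ValueError):
            body = rec["body"]
        entry["sensitive_data"] |= find_sensitive(body)
    for entry in inventory.values():
        if entry["sensitive_data"] and entry["unauthenticated_calls"]:
            entry["risk"] = "high"     # PHI reachable without credentials
        elif entry["sensitive_data"]:
            entry["risk"] = "medium"   # PHI, but every observed call was authenticated
        else:
            entry["risk"] = "low"
    return dict(inventory)


if __name__ == "__main__":
    for endpoint, entry in build_inventory(SAMPLE_TRAFFIC).items():
        print(f"{entry['risk']:6} {endpoint:40} {sorted(entry['sensitive_data'])}")
```

Run on the constructed traffic, the search endpoint GET /fhir/Patient is rated high because it returned an NHS number to a caller that presented no credentials, while the wearables endpoint stays low because the device serial 1234567890 fails the check digit. A production scanner would also classify by FHIR resource type and identifier system URI and feed each entry back into the test plan, since which tests an endpoint needs depends on what it exposes.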

New advancements in healthcare technology will drive more data points

The UK government has committed to building 48 new hospitals by 2030 and to driving transformation and new advancements in healthcare technology. Interoperability, with all data accessible from one place in real time, is central to achieving these transformation goals and to delivering more facts per patient per decision. To put this into context, in 1980 a healthcare professional had about 10 facts per patient per decision; by 2020 this had risen to about 1,000. APIs will be critical to delivering the interoperability that powers this data-driven decision-making, and, more importantly, API security will be key to keeping patient data safe.