API Security in Healthcare: Protecting Health Data from API Attacks

The healthcare industry deals with a mountain of highly sensitive data, whether it be patient health information, insurance details, or financial information – all of which are valuable to cybercriminals. Bad actors can use this information for everything from identity theft to insurance fraud. Implementing a strong API security program is critical to protect APIs from a variety of exploits and attacks.

APIs can help providers transfer data between billing systems, electronic health records/electronic medical record (EHR/EMR) informational systems, networks, healthcare applications, and devices. By offering patients and providers the ability to more efficiently exchange health information, APIs can create the potential to improve experience and outcomes via faster diagnoses and more effective treatments.

APIs Help Improve Regulatory Compliance

Healthcare organizations are also subject to many regulations, and penalties for non-compliance are severe. HIPAA, the HITECH Act, and even GDPR affect how organizations handle and secure patient data. In the United States, providers are increasingly implementing APIs to comply with the Centers for Medicare & Medicaid Services (CMS) Interoperability and Patient Access final rule. Meanwhile, the HL7 Fast Healthcare Interoperability Resources (FHIR) standard for exchanging healthcare information electronically is gaining recognition in the health IT space. In Europe, technical specifications for health data exchange under the e-Health Digital Service Infrastructure (eHDSI) leverages APIs to connect eHealth national contact points allowing them to exchange health data. While leveraging APIs helps streamline compliance with some regulations, a stout API security program is required to ensure proper access, authorization, and to prevent misuse and fraud.

The Risks to Data Security for Healthcare APIs

However, there’s a potential API security-related and healthcare data security problem unique to the industry. Medical records contain some of the most sensitive personal information imaginable – from social security numbers and financial data to detailed health histories and medical conditions.

This valuable information his highly sought after by cybercriminals, and breach costs continue to rise. In fact, recent reports found that healthcare data breaches cost an average of $10 million per incident.

The concern is that while APIs offer many benefits in terms of efficiently transacting patient data and compliance, they also introduce a new set of security risks. Because APIs allow different applications to communicate with each other, they can be vulnerable to a variety of exploits and attacks. Even properly coded APIs are subject to attacks through business logic abuse. Some examples of data security risks for healthcare organizations due to improperly secured APIs follow.

1. Ransomware Exploiting Unsecured APIs

One of the biggest concerns for the healthcare industry is ransomware. Attackers may exploit unsecured or vulnerable APIs to conduct successful ransomware attacks, gaining access to and then encrypting healthcare data. The attackers then hold the data for “ransom,” requiring payment in return for the encryption key. Obviously paying the ransom is a massive cost, but the price of not paying the ransom and losing the data could be even worse, leading to downtime, IT and forensics costs, and brand impact.

2. Patient Data Leakage

One of the most obvious risks associated with API exploits is sensitive data exposure. If an API is not properly secured, it may be accessed by unauthorized users who can then steal sensitive information. For example, in 2019, Quest Diagnostics suffered a major data breach when an unauthorized user gained access to an API that was used to send test results to billing vendors. The breach exposed the personal and financial data of nearly 12 million patients.

3. Disruptions to Emergency Care

Denial of service attacks can also be a risk when using APIs. This can occur when an attacker floods an API with requests to overwhelm the system and prevent legitimate users from accessing it. Alternatively, remote patient monitoring devices that need to transmit data between medical equipment and providers can be hacked resulting in false alarms, or a false sense of security. These examples can lead to service disruptions and delays, which can be particularly problematic in healthcare where timely access to data can be critical.

Cequence Addresses the Whole Healthcare API Security Lifecycle

The Cequence Unified API Protection (UAP) platform helps healthcare IT security teams identify miscoded APIs. In addition, it protects well-formed APIs from bot-generated abuse by addressing all phases of the API security lifecycle. This approach eliminates unknown and unmitigated API security risks that can lead to data loss, fraud, and business disruption. Cequence UAP features include:

• Discover the organization’s public facing API attack surface: API development and deployment is often distributed across many groups, introducing the risk of unmanaged APIs. Cequence solves that challenge by regularly discovering your public facing APIs and hosting providers to provide the full picture of an organization’s attack surface.
• Centralized inventory tracking of known and unknown APIs: Cequence uses passive or inline sensors and integrates with CDNs and a range of API gateways to provide centralized visibility and inventory tracking of all the APIs deployed and managed by the respective API gateways. Unregistered or unknown APIs are also discovered, allowing security and development to migrate those shadow APIs to the respective API gateway to ensure security and governance policy consistency.
• Strengthen compliance and data governance controls to help reduce the risk of data breach: Cequence helps healthcare organizations enforce compliance and governance controls with the required or recommended proactive API risk analysis and remediation. Predefined and custom risk assessment rules help organizations teams find and remediate coding errors that introduce sensitive data handling and authentication vulnerabilities.
• Detect sophisticated API attacks to help protect patient data: As ransomware actors become more sophisticated and find ever more innovative ways to steal patient data, Cequence performs ML-based threat analysis and leverages behavioral fingerprinting to detect and track sophisticated API attacks.
• Flexible, real time mitigation responses to strengthen healthcare cybersecurity: Cequence offers native, real-time mitigation responses to API attacks include blocking, rate limiting, header injection, and deceptive responses – all without reliance on integration with third-party solutions such as web application firewalls (WAFs).

Cequence enables healthcare organizations to secure their APIs and focus on patient outcomes. Patients and providers both can reap the convenience and efficiency of access to healthcare and patient data driven by ubiquitous API connectivity. Cequence significantly improves visibility and protection against a healthcare data breach while reducing cost, minimizing fraud, abuse, and non-compliance. Get started with a free security assessment of your API attack surface.