API Security, PII, and Healthcare
When it comes to securing APIs, one of the biggest concerns is their potential to expose the personally identifiable information (PII) of users. Whether it’s an address, credit card number, or date of birth, bad actors can easily leverage PII to compromise individuals and conduct identity fraud.
As anyone would imagine, these concerns are particularly prevalent in the healthcare sector. Healthcare providers hold a lot of highly sensitive information about their patients, and if that information is intercepted and used maliciously, it could compromise patients’ access to the healthcare they need or vastly increase their chances of being defrauded.
In this article, we’re taking a closer look at the importance of API security in the healthcare sector and sharing best practices for getting it right.
The Rise of APIs in the Healthcare Sector
As the healthcare industry has become more digitized and interconnected, APIs have played an important role in sharing information between systems. There are a multitude of use cases for them: hospital billing systems get their data via APIs, as do insurance providers, governmental health institutions, and even the patients themselves.
This is a growing trend. In 2020, healthcare API traffic grew by over 400%, with an additional growth spurt of 941% in 2021. The increased adoption of digital health platforms and APIs in this space has made it easier for patients to have visibility and control over their healthcare data. However, it has also increased the potential for cyber attacks: alongside the growth of API traffic, there has been a steady rise in account takeovers, breaches, and malicious traffic.
The Threat of APIs for Healthcare
The truth is, the growing usage of APIs in the healthcare space spells a rich opportunity for bad actors that want to leverage PII for further attacks or sell it at a premium on the dark web. In part, this is because APIs have unique challenges when it comes to security, and many organizations in the sector aren’t fully equipped to navigate these challenges.
For starters, APIs are often unique and don’t tend to be built based on consistent standards. Not only that, APIs are also updated regularly, with one report stating that 37% of organizations update their APIs at least weekly. This means that the API landscape is constantly in flux, making it difficult for teams to stay on top of their documentation. As such, security testing and other processes are often implemented without all the information, leaving gaps open for exploitation.
APIs are also unique in that they can have business logic gaps that aren’t accounted for in design reviews or traditional security testing. These are gaps that bad actors can exploit using low-and-slow attacks that are specifically tailored to each API.
In addition, many teams aren’t confident in the accuracy of their API inventory, let alone the number of APIs that expose PII. The same report indicated that only 44% of security leaders viewed the ability to identify which APIs expose sensitive information as a core capability for their team.
These qualities make it difficult for companies in the healthcare sector to effectively secure their APIs and the PII they manage — but the risk of not doing so is massive. Today, according to IBM’s Cost of a Data Breach 2022 report, the average cost of a data breach in healthcare is $10.10 million. That’s up 42% since 2020. These costs can include ransom payments in a ransomware attack, data recovery fees, and investing in new security tools.
The nature of the healthcare industry and its access to highly sensitive PII means that healthcare organizations operate in a highly regulated environment. As such, a breach can also lead to significant regulatory penalties and additional barriers to participating in the sector.
Securing APIs in the Healthcare Sector
This is an exciting time for the healthcare sector: digital infrastructure is making it easier than ever for players in the space to innovate while also facilitating patient access to their healthcare information. To successfully leverage the power of APIs in this shift, companies that handle large volumes of PII need to take a comprehensive approach to their API security.
This includes:
- Having a clear and updated inventory of APIs, with a clear understanding of which APIs handle PII.
- Reducing the exposure of sensitive data by ensuring that only the requested data is shared with client apps, and nothing more.
- Adopting an automated system for identifying changes in APIs and reflecting that in the documentation.
- Incorporating business logic gaps into design reviews.
- Establishing continuous authentication and authorization across all APIs.
- Investing in a robust API security tech stack that covers all your bases in development and production.
By following these and other API security best practices, companies in the healthcare sector will be better equipped to shape the future of the industry.