
Healthcare Needs To Be Laser-Focused on API Security and Its Blind Spots

Written by

Carley Thornell

May 03, 2024

Carley Thornell is a former Industry Marketing Strategist for Healthcare and Life Sciences at Akamai. She has a deep background in thought leadership in the technology space, including leading the content strategy and research team at one of the country’s leading electronic health records systems.

Healthcare’s vast API attack surface [is growing] as quickly and chaotically as the Oklahoma Land Run.

Visibility is a common challenge in healthcare. A patient may have visited an out-of-network specialist, or been vaccinated at a retail pharmacy and not in a provider’s office. They may have multiple insurance plans, or be participating in a clinical trial for which providers or payers don’t receive ongoing updates. 

And then there’s the conundrum of API visibility. The healthcare continuum — and interoperability — is powered by application programming interfaces, or APIs, which are increasingly required by law. A new CMS Interoperability and Prior Authorization Rule requires payers to maintain three main categories of APIs: Patient Access APIs, Provider Directory APIs, and Payer-Provider and Payer-Payer APIs.

  • Patient Access APIs will increase members' access to their own medical data and likely enhance member satisfaction.

  • Provider Directory APIs allow members to search for healthcare providers and facilities based on their location and medical specialty, which will improve access to care.

  • Payer-Provider and Payer-Payer APIs can help address and reduce patient care gaps and possibly reduce duplicative and costly services.

Security gaps and hidden dangers

The burden doesn’t rest solely on payers. As the Internet of Medical Things (IoMT) grows, and digitization grows along with it, so do security gaps. Once an API has been authorized by a web application and API protection (WAAP) product, security teams often have no visibility into its use within healthcare and life sciences organizations. 

What does that mean? Not only must these organizations’ security teams manage a large volume of legacy technology (73% for provider groups, according to an HIMSS survey), but also a burgeoning ecosystem of mobile health (mHealth) apps and adjacent health and wellness apps. This ecosystem has hidden dangers. 

Previous API incidents — and predicted future incidents

One mental health app recently exposed 78,000 of its users' email addresses, and one cybersecurity researcher was able to access more than 4 million patient and clinician records with a single patient login account.

A popular at-home fitness brand made the news when another security researcher flagged an exposed API for user account data that let anyone online access users’ ages, genders, cities, weights, and workout statistics — and in many cases, details that were supposed to be hidden because user profiles were set to private.

Malicious actors are aware of such gaps, and they are increasingly shifting to abusing healthcare’s vast API attack surface as quickly and chaotically as the Oklahoma Land Rush. In 2022, Gartner predicted that API abuse and data breaches would nearly double by 2024.

Akamai’s data shows that the IT research company’s assertion was well-founded: A new white paper reveals that the number of daily web application and API attacks against the healthcare industry rose significantly in 2023. 

APIs can enhance interoperability, the patient experience, and organizational resilience

It’s imperative to act now to protect healthcare interoperability, the patient experience, and your organization’s resilience.

APIs promote healthcare interoperability 

Open API environments — like electronic health record system marketplaces that include add-on solutions for capabilities like patient scheduling, virtual care, and remote check-in — offer tremendous clinical and financial benefits. By using API-powered tools, providers can increase appointment volume and enhance patient access to services, for instance, but these tools also introduce risk. 

From a compliance perspective, potential API sprawl is harder to avoid. U.S. law now dictates that patients — not those delivering or paying for their care — own their own data, making them the center of their own ecosystem. Paradigms have shifted to promote interoperability, requiring providers, payers, life sciences organizations, and healthcare IT organizations to undergo often-costly innovations. 

The ultimate benefits are significant. For instance, providers with access to each other’s or payers’ data can reduce medication interference or cut down on expensive duplicative care.

The impact of APIs on the patient experience

In addition to the quantitative benefits, there are myriad qualitative ways in which patients benefit from the use of APIs to exchange data. Imagine not having to repeat your medical history in an appointment so there’s more time to address your current condition with your provider. Or imagine having your vital signs and other health information taken remotely and sent directly to a care team instead of having to drive to an in-person visit.

At the very least, the Information Blocking Rule requiring FHIR APIs means that patients should now be able to access all their health records digitally without having to petition for access and wait for weeks — if not months. 

How APIs enable organizational resilience

In a world in which healthcare data sharing increases profitability, APIs — and the protection of them — are pivotal to success. A core tenet of organizational resilience is financial health, and the fiduciary benefits reaped by provider groups, payers, and beyond can be reinvested in their organizations’ innovation plans for the long-term health of their businesses.

Other core tenets of the organizational resilience framework are information security and compliance. Previous API incidents surrounding mental health and mHealth apps only underscore the need for stronger information security. And for truly innovative and resilient organizations, working proactively, not reactively, on many fronts is key.

Act now

There are currently no laws surrounding API security in healthcare and life sciences. However, proactive adherence to data-sharing frameworks like the Trusted Exchange Framework and Common Agreement (TEFCA) means that there will be no desperate racing to meet compliance requirements à la the Oklahoma Land Rush. 

Learn more

Learn more about how Akamai partners with healthcare and life sciences organizations to enhance their security programs. And read more about API security in the How to Advance Healthcare and Life Sciences with Robust API Security white paper.
