API Security Trends: Healthcare Sector
Application programming interfaces, better known as APIs, link unrelated platforms so data can flow freely between them. And in order for providers to share patient health data across different systems, APIs must be produced at rapid speed and maintained with diligence to foster interoperability.
However, this innovation comes with a catch. The more APIs an organization uses, the greater opportunity for risk they face in both performance and security. Exacerbating these concerns is the idiom of the weakest link on the chain; if a single API fails, interoperability breaks apart.
In light of the high stakes involved with this emerging work, we’ve just released our 2023 API Security Trends report. Similar to last year’s research, we’ve surveyed over 600 CIOs, CISOs, CTOs, and senior security professionals from UK and US-based organizations across six industries. 102 of these respondents were from healthcare organizations. With that said, this blog will highlight some of the key areas of concern for healthcare institutions based on our research findings.
In 2023, Noname Security conducted research regarding data security within six specific sectors: healthcare, financial services, retail and eCommerce, government and public sector, manufacturing, and energy and utilities. Among these fields, healthcare posted the biggest growth in security incidents year-over-year relative to 2022 (nine percent) and tied for second in highest likelihood of a security incident occurring (79 percent). Despite these glaring findings, 91 percent of survey respondents said they are confident in their current tools, highlighting a blind spot for risk within the industry. The most common and impactful targets of flaws and attacks are as follows:
Attackers continue to test the systems’ primary line of defense, but their method has changed in response to adjustments within the industry. While network firewalls were far and away the most identified attack vector, web application firewalls shot up the ranks to second place, followed by API gateways. This knocked authorization vulnerabilities from second to fourth place, highlighting attackers’ focus on the application side of the house.
Healthcare officials are paying more attention to these issues than they have in the past, but are still leaving the door open to attacks. 60% of survey respondents reported having only a partial view of their API inventory, or no idea which APIs return sensitive data. This is a 14% improvement over 2022, but it underscores the slow speed at which the industry is grasping, and acting on, the gravity of API and interoperability security.
When patients expect their medical professional to understand their full medical history at their first visit, they are unconcerned with which provider along the way has done the due diligence to produce, share and protect their data. It is critical that providers take ownership of their data systems and the APIs that connect them, in order to prevent the following consequences of faulty programming and unreliable interoperability:
A security breach in a healthcare organization’s APIs hurts just about every area of its operations. A sector-leading 55% of healthcare-affiliated respondents cited loss of productivity because of malicious incidents. Fees for solutions and fixes were associated with 52% of incidents, and 44% led to a reputational hit with customers.
Governmental policy is often developed and deployed in response to a market phenomenon that has long been underway. API security in the healthcare industry is no exception. As data is shared across systems and companies, compliance with regulations such as GDPR, and the protection of PII, is put at risk.
27 percent of those surveyed reported receiving no help from their API partners with compliance on these issues, creating an administrative burden with grave consequences for failure. Such concerns will only grow in future years as the sector continues its shift toward cloud-based data storage, which broadens access to sensitive information.
Noname Security is keeping tabs on, and working alongside, leaders in addressing API security concerns within the healthcare sector. The specific, unique challenges and opportunities within the industry require targeted solutions that respond to regulatory, consumer and interoperability needs and concerns. Here are a few ways the aforementioned issues are being confronted as the field of healthcare data management APIs rapidly expands:
The market has begun working to fill the gap in reliable, recognized standards for API security across healthcare systems. Groups like Health Level Seven, Fast Healthcare Interoperability Resources (FHIR), and Digital Imaging and Communications in Medicine have flown out of the gate with advances in standards development for other organizations to emulate and pursue. The accessibility of their work speaks to the root of the issue itself: healthcare organizations can no longer operate in silos and must align their practices as fully as possible while maintaining their clinical identities.
As new players emerge in the healthcare sector, interoperability will be a necessity in their organizational development. For legacy systems, the clock cannot be turned back to design a foundation that meets these challenges. FHIR has taken a leading role in this area, focusing on expanding interoperability across a wide variety of devices and allowing third-party application providers to develop the APIs these systems need to connect with other companies in this evolving climate.
Traditional organizations once had the filing cabinet as their hub of institutional knowledge. The cabinet became the shared drive. Now, that drive lives on the cloud, creating true access to information not only across disparate locations, but disparate organizations.
Public cloud providers, like Google Cloud and Microsoft Azure, are emerging as key players in this industry-wide shift toward interoperability. Standardized data exchanges require cloud-based data storage, and healthcare organizations adopting this model are better positioned to develop, consume, and secure APIs.
The good news about the seismic shift toward interoperability within the healthcare sector is that one need not be an API developer, or a front desk administrator, to understand where the market is taking our data procedures. The patients of this digital era can easily grasp the fact that every medical office is expected to communicate with each other to create a continuum of service. This is impossible without secure APIs.
Click here to download the full report – 2023 API Security Trends for Healthcare.