Healthcare Apps and Patient Portals are Under Attack

August 2, 2022

Ed O'Connell

Post Featured Image

The rise of healthcare applications and digital services has ushered in an era of greater visibility and interaction between providers and patients. Patients now have on-demand access to critical information such as medical records, test results, and medications. Providers can communicate with patients in real-time from remote locations, answer questions, and share data via web-based and mobile platforms. Many of these notable improvements in both preventative and reactive care can arguably be attributed to the evolution of application programming interfaces, better known as APIs.

APIs provide the necessary interoperability for data to be shared regardless of how EHR systems represent or store data internally. This means that if you should ever become ill on vacation abroad, the local doctor could easily have access to critical information needed to assist you.  Just think, for every care-related data request there is likely an API call to a third party data source. Like to a radiology department server for a patient X-ray, or to a financial institution for blood testing payment. Almost every digital care-related interaction is facilitated by an API.

Unfortunately, this innovation doesn’t come without potential consequences. Due to the wealth of data that is readily available, healthcare applications and patient portals are a significant target for hackers. A recent write-up by Marianne Kolbasuk in Bank Info Security confirms this. But her findings and recommendations completely ignore APIs entirely. This oversight is serious. To make matters worse, APIs are deployed faster than they can be secured. Which means many APIs are often deployed with design flaws and misconfigurations because they haven’t been adequately tested for security gaps. Oftentimes, either there aren't enough security personnel who know how to test APIs, the number of APIs are growing faster than the security team can keep up with, or the existing security tools lack adequate coverage. Any one of these three scenarios can spell disaster for your environment.

Even in the event that your teams are security testing APIs, when you test also plays a major role. Testing APIs early in the development process enables developers to find and remediate vulnerabilities before they reach production. By doing so, developers increase the amount of secure code they introduce while reducing the amount of application design errors that could potentially be exploited. One thing to reiterate here however, is that these are security related tests and not performance based tests like SAST and DAST tools. In order to have DevOps properly develop secure APIs, DevOps should complement their SAST/DAST testing with security testing for appropriate authentication and operational configurations. 

Easier said than done, right? Well not really. Noname Security offers the only unified API security platform that includes automated testing across the full API lifecycle. Our Active Testing solution leverages contextual data (via traffic and configuration) to produce definitive testing. By moving security testing earlier in the development cycle, we empower healthcare organizations to reduce significant manual effort, reduce operational costs and increase efficiency. And with complete documentation of the process, it eliminates finger-pointing regarding testing APIs before release into production. 

Discover how Noname Security provides proactive API security testing, while driving cross-functional operational alignment to accelerate risk mitigation visit: nonamesecurity.com