API Security Risks: A closer look at healthcare’s growing concerns  

Twelve months on from Noname Security's last survey, we can see that APIs continue to pose significant risks to businesses around the world. Noname Security undertook its API Security Disconnect research again in 2023, and the results highlighted that this is the year when these risks are becoming so apparent that companies can no longer ignore them. In this study, Noname Security examines the challenges facing organisations when it comes to API security.

Research respondents were segmented by country, role type and vertical. We saw 631 respondents from UK and US-based organisations take part, including CIOs, CISOs, CTOs, senior security professionals and AppSec teams from a range of industries. Of these respondents, 102 were from healthcare organisations. Here is an overview of the key findings in that sector.

Interoperability has become the watchword for the industry. 

Today, healthcare providers have a multitude of medical systems sharing information within hospitals, as well as connecting to external healthcare providers. Combine this with the demand for personal health and wellbeing devices, through which citizens can add data to their own personal health profile, and you can see why the volume of health data is exploding.

Consequently, interoperability has become the watchword as the industry coordinates care for patients across a large and growing set of players. This is where Application Programming Interfaces (APIs) have become a critical component, allowing systems to communicate with each other and closing the gap on how information is utilised. The philosophy is that all systems are integrated, work together in a compliant way, and any sensitive data remains secure in the event of a breach.

Unfortunately, due to a multitude of technological gaps, this is not always the case. Likewise, there has been a lack of data standards across the sector, and multiple siloed technologies have been deployed. This means custom APIs must be created to accommodate the needs of each system and the service it provides, which is time-consuming, and API management becomes onerous as systems are upgraded and replaced.

The good news is that these days there are several global open healthcare standards: Health Level Seven (HL7®), Fast Healthcare Interoperability Resources (FHIR®) and Digital Imaging and Communications in Medicine (DICOM®). FHIR is an API-focused standard that defines how healthcare information can be exchanged between different systems regardless of how it is stored in those systems. HL7 is a set of international standards for the transfer of clinical and administrative data between software applications used by various healthcare providers. DICOM is the standard for the communication and management of medical imaging information and related data. All these standards help to ensure data privacy and security within strict healthcare and compliance boundaries.

Moving forward, the need to move out of silos, to collaborate more with multiple providers and to continue to digitise and transform services means healthcare providers are more dependent on APIs than ever.

So, how did our healthcare respondents fare in our second annual API Security Disconnect survey?

API Security incidents are growing for healthcare organisations  

Of the six different industry sectors surveyed in 2023, healthcare witnessed a 9% increase in API security incidents compared to last year. It was the second most likely industry to have experienced an incident, at 79%, with manufacturing the least likely at 73%.

Healthcare respondents identified network firewalls as the top attack vector (27%). Last year the top attack vector for this cohort was authorisation vulnerabilities, at 23%; this dropped to 15% in 2023. This year web application firewalls were in second place with 19%, followed by API gateways and dormant or zombie APIs, both at 16%.

Given the high frequency of attacks, it was interesting to note that visibility appears to be better now than it was a year ago, with 40% of healthcare respondents saying that they have a full inventory and know which APIs return sensitive data. Over half (60%) admitted to having only a partial view of their inventory, or a full inventory but no idea which APIs return sensitive data. This compares favourably to last year, when 72% of respondents reported a lack of visibility and only 28% had a full inventory of APIs and knew which returned sensitive data.

The API security testing disconnect, first revealed in our 2022 research, is evidenced in the gap between real-time testing or testing at least once per day and the corresponding number of API security incidents. The good news is that this gap has closed slightly, with the cadence of testing APIs for vulnerabilities increasing in the financial services sector: real-time testing jumped from 8% in 2022 to 15% in 2023, and 37% said they are testing at least once a day, which again compares favourably to the 30% who said this last year. This shows that the sector is starting to really understand the criticality of API security testing, with 52% either testing in real time or at least once a day, a marked improvement on last year. However, continuous testing is essential to eliminate vulnerabilities, and real-time testing must continue to improve.