Protecting Cloud Apps Common in Healthcare with API Security

Protecting Cloud Apps Common in Healthcare with API Security

Anna Tang

Many healthcare information systems (HIS) applications rely on APIs to exchange data and interact with external systems. With the increasing adoption of cloud computing, the usage of APIs has grown exponentially in healthcare, making API security a top priority for health organizations. API security should be one of the first steps toward securing cloud apps because APIs are the primary entry point for hackers to exploit vulnerabilities in cloud-based applications.

APIs are the data transporters for all cloud-based applications and services, essentially enabling applications to communicate with each other and exchange data. APIs also provide access to critical services and functionality in cloud-based applications. If attackers gain access to your APIs, they can easily bypass security measures and gain access to your cloud-based applications, which can result in data breaches, regulatory non-compliance and fines, financial losses, legal issues, and reputational damage.

For hackers looking to have the best return on investment (ROI) of their time and energy for exploiting and exfiltrating data from healthcare organizations, APIs are one of the best targets today.

APIs are often the weakest link in the security chain. Developers regularly prioritize speed, functionality, features, and ease of use over security, which can leave APIs vulnerable to attacks.

Additionally, cloud-native APIs are often exposed directly to the internet, making them accessible to anyone. This can make it easier for hackers to exploit vulnerabilities in APIs and gain access to cloud-based applications commonly used in healthcare. Cloud APIs can be described in two major categories:

1. Control-plane and
2. Data-plane.

Within the data-plane of an application, there are north-south APIs (embedded within the application UI) and east-west (service-to-service) APIs that are often hidden from the end-user facing application. The fact that there are so many new types of APIs enabled by cloud services creates major architectural challenges for IT security to accurately discover, inventory, analyze, test and protect APIs today.

Healthcare APIs often handle sensitive patient data, including medical records, personal health information (PHI), and personally identifiable information (PII). The security of this data is of utmost importance, and threats can arise when transmitting data to and from cloud APIs. Exploiting heath organizations’ API vulnerabilities can lead to unauthorized data access, interception, manipulation and disruption of services.

Ensuring the privacy and confidentiality of sensitive information during transmission and storage is crucial for complying with regulations such as HIPAA and the General Data Protection Regulation (GDPR). Otherwise improperly implemented APIs may expose direct object references, allowing attackers to bypass authorization mechanisms and gain unauthorized access to sensitive patient information.

If the above warnings are not enough, here are a few more reasons to convince you why API security is so critical in cloud security.

PHI. APIs often expose sensitive data to external systems, making them a prime target for attackers looking to steal data. By securing your APIs, you can prevent unauthorized access to your sensitive data and protect it from data breaches. This is particularly important for healthcare organizations, perhaps more so than any other vertical market due to HIPAA and other regulations. And that includes securing Protected Health Information (PHI) during transmit and storage.

Hackers. APIs are often targeted by cybercriminals who use a variety of techniques to exploit vulnerabilities in APIs and gain access to cloud-based applications. By securing your APIs, you can mitigate the risk of cyberattacks, prevent hackers from exploiting vulnerabilities, and increase your cloud security hygiene.

Compliance & Audit. Healthcare organizations are subject to strict regulatory compliance requirements, including HIPAA, GDPR, and smaller regulations such as the statewide Confidentiality of Medical Information Act (CMIA) in California. By securing your APIs, you can improve compliance with regulations and avoid costly fines and legal action.

Data Breaches. A data breach can cause significant damage to a health organization’s reputation. By securing your APIs, you will help prevent data breaches and exploits on your cloud-native applications, protect your organization’s reputation and patients’ private data, and build trust within your community.

Furthermore, there are a few important recommended measures for healthcare organizations to secure their APIs, protect their cloud-based applications, and improve overall cloud security.

Auth. API authentication and authorization are critical components of API security in healthcare. Authentication ensures that only authorized users can access your APIs, while authorization controls what actions authorized users can perform. Implementing strong authentication and authorization mechanisms can help prevent unauthorized access to your APIs and protect your cloud-based applications.

Encryption. Leveraging best practices in encryption is an essential component of API security. It ensures that data transmitted between health information systems is secure and cannot be read by hackers if intercepted. Using SSL/TLS encryption for your APIs can help protect against data breaches and ensure that sensitive patient information and other private data is transmitted securely.

Inventory. Health IT teams’ common mistake is underestimating how difficult it is to get an accurate system of record of all their APIs because of the ephemeral nature of cloud services. API discovery, monitoring and logging, particularly with always-on runtime capabilities, can help detect and prevent attacks on your APIs. By monitoring dynamic API usage and traffic and logging events, you can detect suspicious activity and take action before an attack.

Vendor risk management. Healthcare organizations often use third-party APIs for various services, such as appointment scheduling and billing. They must assess the security posture and reliability of all third-party API providers before integrating into their systems. Evaluating factors such as the provider’s track record, security certifications, data protection practices, and disaster recovery capabilities are critical for minimizing software supply chain risks. Review of software bill of materials (SBOMs), as well as continuous security testing, vulnerability scanning, and code review are good hygiene practices for organizations’ third-party APIs.

Protection. Finally, API run-time protection can help prevent attacks such as broken object level authorization (BOLA), DDoS and brute force attacks. BOLA attacks strike at the heart of the business logic within an application. DDoS attacks can overwhelm cloud API resources, causing service disruptions or making them unavailable to legitimate users, affecting patient care and business operations. Adding customized checks and policies that block API requests that attempt to break business logic can help prevent exploitation. Rate limiting restricts the number of API calls that can be made within a specific time frame, while throttling limits the rate at which requests can be made – together both can help with brute force and denial of service attacks.

With these critical cloud security requirements in mind, healthcare organizations have a number of technologies at their disposal. Different than on-premises protections, securing cloud-native APIs in healthcare involves a continuous set of processes focusing on identifying, assessing, prioritizing, and adapting to risk in cloud-native applications, infrastructure, and configuration.

When it comes to securing health services APIs, Cloud Native Application Protection Platform (CNAPP) is a newer security framework that provides security specifically for cloud-native applications by protecting them against various threats, such as web-application attacks, API attacks, and cloud compute, storage, and database attacks. CNAPPs provide runtime protection, vulnerability management, threat detection, and response capabilities. They can identify vulnerabilities in API code and configurations and provide mitigation. Using a CNAPP allows healthcare organizations to implement complete end-to-end security for cloud-native environments, rather than having to stitch together multiple solutions that address specific, discrete security issues.

The strength of CNAPP is that it combines the capabilities of several important cloud security categories, including DevSecOps, Cloud Security Posture Management (CSPM), Infrastructure-as-Code (IaC) scanning, Kubernetes Security Posture Management (KSPM), Cloud Infrastructure Entitlement Management (CIEM), and runtime Cloud Workload Protection Platform (CWPP). Additional CNAPP advantages include:

  • Full-stack application visibility for security and development teams.
  • Runtime response to threats to protect and secure cloud-native apps.
  • Automated vulnerability management and cloud configuration remediation.
  • Prioritization of all security exposures on APIs, applications, data, and microservices.

In addition, CNAPP provides advanced insights that improve detection rates and reduce false positives for health organizations. These insights can be generated by correlating posture misconfigurations with workload alerts or over entitlements. CNAPP helps address these problems and more by offering a single converged tool with multiple security capabilities for applications and services, so organizations can reduce risk, overhead and operational costs.
 
When it comes to cloud security in healthcare, CNAPP is well suited for organizations with cloud-native applications, microservices, and APIs that require application-level security. API security is a must-have when building out cloud-native applications, and CNAPP offers an effective approach for this critical first step in protecting cloud applications.

Featured

  • Survey: 54% of Organizations Cite Technical Debt as Top Hurdle to Identity System Modernization

    Modernizing identity systems is proving difficult for organizations due to two key challenges: decades of accumulated Identity and Access Management (IAM) technical debt and the complexity of managing access across multiple identity providers (IDPs). These findings come from the new Strata Identity-commissioned report, State of Multi-Cloud Identity: Insights and Trends for 2025. The report, based on survey data from the Cloud Security Alliance (CSA), highlights trends and challenges in securing cloud environments. The CSA is the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment. Read Now

  • Study: Nearly Half of Companies Exclude Cybersecurity Teams When Developing, Onboarding and Implementing AI Solutions

    Only 35 percent of cybersecurity professionals or teams are involved in the development of policy governing the use of AI technology in their enterprise, and nearly half (45 percent) report no involvement in the development, onboarding, or implementation of AI solutions, according to the recently released 2024 State of Cybersecurity survey report from ISACA, a global professional association advancing trust in technology. Read Now

  • New Report Series Highlights E-Commerce Threats, Fraud Against Retailers

    Trustwave, a cybersecurity and managed security services provider, recently released a series of reports detailing the threats facing the retail sector, marking the second year of its ongoing research into these critical security issues. Read Now

  • Stay Secure in 2024: Updated Cybersecurity Tips for the Office and at Home

    Cyber criminals get more inventive every year. Cybersecurity threats continue to evolve and are a moving target for business owners in 2024. Companies large and small need to employ cybersecurity best practices throughout their organization. That includes security integrators, manufacturers, and end users. Read Now

Featured Cybersecurity

Webinars

New Products

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening. 3