APIs in Healthcare
Carlo De Micheli, Zoran Gorgiev
Healthcare is digitalizing rapidly; it’s an irreversible process. And it may not be obvious, but APIs play a central role in this digitalization.
APIs give the healthcare industry great new power. But with great power comes great responsibility. We must fully accept this responsibility and everything it entails. And that everything comes down to doing all we can to secure APIs in healthcare.
Here, you’ll learn why APIs are crucial in the healthcare industry, how vulnerable APIs lead to great danger to sensitive patient data, and what you can do to protect APIs in healthcare. Without further ado, let’s get to it.
APIs in the Healthcare Industry
APIs are the unsung, behind-the-scenes heroes of today’s digital revolution in healthcare. They act as both data translators and data exchangers.
APIs translate data into, and exchange it in, cross-application formats, mainly JSON and XML. Two applications only need to know how to call an API to interchange information, regardless of the original format of the stored data.
Medical and pharmaceutical organizations store patient data differently in unconnected systems. APIs enable them to link these systems and work with all the available information to create comprehensive patient profiles. Regardless of where, how, and in what format the data was stored, APIs create bridges of communication between siloed systems.
In more specific terms, some of the current and potential use cases for healthcare APIs are the following:
- APIs enable EHR (electronic health record) systems to talk to pharmacy databases, allowing organizations to check patients’ health service and medication coverage.
- APIs let EHR systems connect with wearable technology devices for remote patient monitoring.
- APIs simplify medication orders and refills.
- APIs make it possible to automate the scheduling of doctor appointments and medical billing.
- APIs allow different healthcare providers to share patient information for better, comprehensive service.
- APIs ease the development of new features, ensuring that telemedicine companies offer scalable software that evolves together with clients’ needs.
- APIs make the sharing of diagnostic information in real time achievable.
- APIs can be immensely helpful in electronic case reporting (ECR) to government agencies.
Internal, external, and third-party APIs play different roles in healthcare:
- Internal APIs enable hospitals to consolidate patient data from different departments, thus increasing data visibility.
- External APIs allow outside parties, including patients, to access protected medical data. They also enable CDS (clinical decision support) systems to integrate with EHRs and ease point-of-care testing.
- Third-party healthcare APIs increase interoperability. They make it possible for medical institutions to exchange data with partners for patients’ benefit. Fitbit, Apple Health, and similar apps are all possible thanks to third-party APIs.
APIs make the healthcare industry unequivocally patient-centric and have the potential to elevate collaboration and innovation to an unprecedented level through:
- Active and convenient user involvement so patients can switch between different services and move data, update records to provide critical new information, and more
- Mobile and web application development
- Cost-efficiency of integrated data and services
Common standards are necessary to accelerate healthcare innovation and progress through APIs. One such standard is FHIR (fast healthcare interoperability resources). FHIR-based APIs guarantee uniform work principles, meaning more opportunities for open data exchange.
FHIR APIs deliver patient records as identically structured resources, removing obstacles to widespread data accessibility. Their globally growing adoption is a promising sign for the industry’s future.
Healthcare API Security Incidents
In 2020, the healthcare industry saw a 400% general increase in API traffic. In 2021, the numbers went even higher—a 941% increase.
Unfortunately, in parallel with the rise in API use, healthcare organizations have also experienced a rise in API cybersecurity incidents, making API insecurity a grave concern.
A 2023 study noted a 9% increase—from 70% to 79%—in API security incidents compared to 2022. The top attack vectors were network and web application firewalls and API gateways, along with shadow and zombie APIs. These findings only re-emphasized the need for specialized API security solutions.
Hacking 30 Mobile Health Apps
In 2021, Alissa Knight, one of the most prominent API ethical hackers, set out on a journey to hack 30 API-reliant mobile health applications. And she did. She hacked them. But ethically.
The results were devastating. Alissa discovered that:
- 77% of the applications contained hard-coded API keys, tokens, private keys, usernames, and passwords. The API keys included those for Google, Amazon AWS, Facebook, Microsoft App Center, Cisco Umbrella, and Salesforce.
- 114 hard-coded API keys served as authentication mechanisms for mHealth (the company) and third-party APIs.
- 50% of the tested APIs allowed unauthorized access to patients’ pathology, X-ray, and clinical results, as well as admission records.
- 50% of the leaked patient records included extremely sensitive information, such as social security numbers, allergies, and medications.
- 100% of the APIs suffered from the Broken Object Level Authorization (BOLA) vulnerability, allowing the ethical hacker to gain unauthorized access to patients’ PII (personally identifiable information) and PHI (protected health information).
- 50% of the APIs didn’t use authentication tokens.
Exploitable Vaccination Portal
The same year, another security researcher/ethical hacker discovered that Ireland’s Health Service Executive’s (HSE) vaccination portal suffered from a misconfiguration that would allow him to access the sensitive information of more than a million Irish residents.
The main problem was that the portal was inadvertently configured to grant excessive permissions to any registered user. Thus, technically, any user could access internal HSE documents as well as vaccination administration information containing the PII and PHI of other users.
We said “technically” because there was an obstacle to this unrestricted access: the user interface showed only the data that belonged to the logged-in user. The GUI stood as a wall between your information and everyone else’s, so you could see only your own.
However, the ethical hacker used an API to bypass this obstacle. Since the portal was built on Salesforce Health Cloud, the Salesforce Aura API allowed access to Health Cloud objects and, by extension, to the sensitive information of other registered users.
The endangered sensitive user data included:
- Full name
- Vaccine type
- Reason for administering or refusal of vaccination
- Vaccination date, location, and administration site
Vulnerable Health App
More recently, in 2024, yet another ethical hacker disclosed an IDOR (insecure direct object reference) vulnerability in an API endpoint in Glow—a fertility calendar, period tracker, and ovulation calculator.
IDOR is a vulnerability that lets unauthorized actors access or alter objects by tampering with object identifiers, such as user IDs in URLs, that the server fails to check against the requester’s permissions. And that’s precisely what the ethical hacker did.
The vulnerable API endpoint included a user ID in the URL, so the hacker tried changing the identifier to access another user’s information. And he succeeded. Since the API had no rate limiting, he could make an unlimited number of requests and retrieve the data of any user he wanted.
Even worse, the API returned much more user data than it should have—an example of excessive data exposure. And the worst part was that the API was publicly accessible, so any regular user with enough knowledge and curiosity could have done what the hacker did.
The vulnerable API allowed the ethical hacker to access the personal data of the entire base of 25M Glow users. The exposed user data included:
- First and last name
- Birth date
- Age range
- Location
- User ID
- Images
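The two findings above share one root cause: the server trusts an identifier supplied by the client and relies on the user interface, not the API, to hide other users’ records. The following is an added example (not code from the article, from Glow, from the HSE, or from any product named here) that puts such a vulnerable handler beside a hardened one with object-level authorization, an allow-list of returned fields, and a per-caller rate limit. The records, field names and limits are constructed for illustration.

```python
"""Added example (not the article's or any product's code): the IDOR / client-side
filtering pattern behind the Glow and HSE findings, beside a hardened handler.
Records, field names and limits are constructed for illustration."""
from collections import defaultdict

# Constructed sample records keyed by user ID (not real people). "notes" is internal-only.
USERS = {
    101: {"id": 101, "first": "Ana", "last": "Ruiz", "birth_date": "1990-04-02",
          "location": "Dublin", "images": ["img_7f1.jpg"], "notes": "internal"},
    102: {"id": 102, "first": "Ben", "last": "Okoro", "birth_date": "1987-11-19",
          "location": "Cork", "images": ["img_2c9.jpg"], "notes": "internal"},
}
# Fields a user may see about their own record; everything else stays server-side.
OWNER_FIELDS = ("id", "first", "last", "birth_date", "location", "images")


def vulnerable_get_user(caller_id, path_user_id):
    """Vulnerable: checks only that the caller is logged in, then returns the full
    record for whatever ID appeared in the URL (IDOR plus excessive data exposure)."""
    if caller_id not in USERS:
        return None
    return USERS.get(path_user_id)


class RateLimiter:
    """Fixed-window counter per caller, allowing at most max_requests per window."""
    def __init__(self, max_requests):
        self.max_requests = max_requests
        self.counts = defaultdict(int)

    def allow(self, caller_id):
        self.counts[caller_id] += 1
        return self.counts[caller_id] <= self.max_requests


def hardened_get_user(caller_id, path_user_id, limiter):
    """Hardened: rate-limit, authenticate, authorize the specific object, and
    return only the allow-listed fields. Returns (HTTP status, body or None)."""
    if not limiter.allow(caller_id):
        return 429, None
    if caller_id not in USERS:
        return 401, None
    # Object-level check: the record must belong to the caller. Missing and
    # forbidden records both map to 404 so IDs cannot be enumerated by status code.
    record = USERS.get(path_user_id)
    if record is None or record["id"] != caller_id:
        return 404, None
    return 200, {k: record[k] for k in OWNER_FIELDS}
```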
Equixly or How to Protect Your Healthcare APIs
Since user data is among healthcare’s principal and most valuable assets, this industry is under the continuous threat of a data breach. To protect your organization from this threat, you must know:
- Your API landscape
- Which endpoints transmit sensitive data
Equixly helps identify shadow APIs by scanning all your APIs, looking for hidden and dormant API endpoints, and reporting the results. The objective is to allow you to create a thorough API inventory and properly manage your endpoints since you can only protect what you know is there.
It helps with the second point by generating reports containing information on which API endpoints operate with credit card numbers, personal user information, and similar sensitive data. The purpose is to let you correctly classify data—a fundamental requirement for a strong API security posture.
The generated reports also allow you to meet compliance requirements by providing proof of your API security status and your efforts to protect sensitive patient data through scanning, testing, and appropriate remediation.
Considering strict compliance demands such as GDPR and HIPAA, Equixly’s plain reporting model makes the API security platform a valuable ally in your endeavors to guarantee a better and safer future for everyone in healthcare.
What Can an AI-Powered Hacker Do for Healthcare APIs?
Equixly is a purpose-built API security solution. It’s important to stress this because the practice has shown countless times that generic web application security solutions, such as WAFs (web application firewalls), fail to protect APIs.
More precisely, Equixly is an AI-based API security testing platform specializing in penetration testing and ethical hacking; in other words, an AI-powered (ethical) hacker.
As the examples of disclosed API security incidents in one of the previous sections imply, most API vulnerabilities in the wild are discovered thanks to the tireless work of ethical hackers and security researchers.
Equixly follows the same tested-and-proven principles of work and accomplishes the same objectives as human ethical hackers and security researchers.
However, there’s a significant difference: As an automated API testing solution powered by artificial intelligence, it can process mountains of data and complete tasks much faster and more efficiently than manual testing.
Another distinct advantage of Equixly is that it’s developed to integrate frictionlessly into your SDLC (software development life cycle), so you can test your APIs while they’re still in development.
This better-safe-than-sorry proactive approach lets you catch security flaws that have crept in before they become full-blown exploitable vulnerabilities. Equixly is the shift-left philosophy in action.
Beyond the development phase, Equixly can run at any given time, as often as your APIs need. It tests your APIs thoroughly, looking for traces of the OWASP Top 10 API Security Risks, including broken authentication and authorization, unrestricted access to sensitive business flows, improper inventory management, and more.
Final Thoughts
Healthcare, by its nature, is one of the most vulnerable industries. That is due to the extremely sensitive data it operates with daily. It’s not just personal information but personal health information at stake here.
As healthcare progresses to a new era of digital transformation made possible by APIs, API security emerges as an imperative. On the path to that future, nothing guarantees calm waters. But with a purpose-built API security solution as your ally, at least you know someone always has your back.
Carlo De Micheli
Director of Product Marketing
Carlo is a versatile professional with extensive international experience. His enthusiasm for innovation extends across cybersecurity, automotive, and aerospace, where he actively engages in pioneering projects. Holding a technical background in aerospace engineering and supplementing it with independent studies in programming and security, Carlo has organized and presented at international conferences and established tech startups related to the sharing economy and fashion before embracing marketing and sales.
Zoran Gorgiev
Technical Content Specialist
Zoran is a technical content specialist with SEO mastery and practical cybersecurity and web technologies knowledge. He has rich international experience in content and product marketing, helping both small companies and large corporations implement effective content strategies and attain their marketing objectives. He applies his philosophical background to his writing to create intellectually stimulating content. Zoran is an avid learner who believes in continuous learning and never-ending skill polishing.