Unveiling Hidden APIs and Securing Vulnerabilities in the Healthcare Sector

Information Security Buzz | By ISB Staff Reporter | September 11, 2024 (updated November 20, 2024) | 6 min read

Healthcare is no longer just about treating the sick; it’s about safeguarding their most personal information. Unfortunately, today, a slew of threats target this sector, including ransomware, phishing, API vulnerabilities, and the significant complexities of securing interconnected systems and supply chains.

So said Nuno Loureiro in his opening remarks during yesterday’s Probely webinar, “Unveiling Hidden APIs and Securing Vulnerabilities in the Healthcare Sector.”

The conversation opened with Errol Weiss from Health-ISAC, discussing the common threats and ongoing challenges in the healthcare sector. He said ransomware remains one of the most pressing threats in healthcare. With attackers leveraging social engineering techniques such as scare tactics and phishing, and escalating from minor initial compromises, ransomware campaigns are growing in sophistication. The sensitive data at risk in healthcare, such as patient records, makes it a lucrative target for malefactors.

Despite decades of awareness, phishing continues to be a persistent threat. Phishing schemes have evolved to prey on the complexity of healthcare’s digital ecosystem. Weiss also emphasized the security challenges posed by legacy devices and outdated systems. Many healthcare organizations continue to use older, unsupported medical devices that are still connected to the network. These devices are costly to replace, and because they no longer receive patches, any known flaw in them stays exploitable for as long as they remain connected.

He also explained how poorly configured networks contribute to these vulnerabilities, with improper security settings, such as weak multi-factor authentication policies, further exacerbating the risk. Despite some improvements in security maturity, healthcare lags behind industries like financial services, partly due to historical underfunding and the focus on privacy rather than security during the healthcare digitization wave of the 1990s.

Weiss argued that compliance-driven security has also been a hindrance rather than a help. In the U.S., the big push was patient privacy, not necessarily security. Regulatory frameworks like HIPAA enforced a “checkbox” mentality, where organizations focus on meeting minimal compliance requirements rather than addressing real security risks. This “checkbox security” has led to situations where critical issues, such as network vulnerabilities and API security flaws, remain undetected.

Unveiling API Vulnerabilities in Healthcare

Next, Weiss discussed how API vulnerabilities have become a significant concern as digital health systems expand. Unlike traditional web applications, APIs are often invisible: they have no user interface and are not indexed by search engines, so both developers and security teams can easily overlook them. Because APIs are built for machine-to-machine communication rather than for people, they tend to receive less security scrutiny than user-facing applications, and the access checks a user interface would enforce are often missing at the API layer.

This problem is amplified in healthcare due to specific industry conditions. For instance, the demand for interoperability, driven by federal regulations in the US, has led to the deployment of APIs that allow patients to access medical records and healthcare providers to share information. While this improves healthcare access and efficiency, it also increases the attack surface, exposing more APIs to potential exploitation. API connections between payers and providers, or even between payers and other payers in the insurance industry, further expand the risk of data breaches.

One example Weiss shared during the webinar was Peloton’s API vulnerability. The API in question exposed sensitive user information, such as workout data, ages, genders, and location, which, although intended to be private, was returned to anyone who called the endpoint with a valid user ID, because the API did not verify that the requester was authorized to view that profile. This case serves as a cautionary tale for healthcare providers, illustrating the types of data that could be exposed if API vulnerabilities go unnoticed.
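The class of bug behind the Peloton case, a handler that accepts an object ID without checking that the caller may see that object, is easiest to recognise side by side with its fix. The following is an added illustration, not Peloton’s code or anything from the webinar; the profiles, session tokens and function names are constructed for the example.

```python
"""Missing object-level authorization beside the hardened form.

Added example: the profile store, the bearer tokens and the handler names are
all constructed here and do not come from any real service.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Profile:
    user_id: int
    age: int
    city: str
    private: bool


# Constructed sample data standing in for a user database.
PROFILES: Dict[int, Profile] = {
    1: Profile(1, 34, "Lisbon", private=False),
    2: Profile(2, 29, "Boston", private=True),
}

# Constructed bearer tokens -> authenticated user id.  A real service would
# validate a signed or opaque token here instead of a dictionary lookup.
SESSIONS: Dict[str, int] = {"tok-alice": 1, "tok-bob": 2}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_profile_vulnerable(profile_id: int, token: Optional[str]) -> dict:
    """Vulnerable: whoever knows the numeric id gets the full record.

    The token parameter is accepted for show but never checked, so the
    'private' flag on the profile has no effect at the API layer.
    """
    p = PROFILES[profile_id]
    return {"user_id": p.user_id, "age": p.age, "city": p.city}


def get_profile_hardened(profile_id: int, token: Optional[str]) -> dict:
    """Hardened: authenticate the caller, then authorize against the object.

    Owners see their own full record; private profiles are hidden from
    everyone else; public profiles return only non-sensitive fields to
    third parties.  'Not found' and 'not permitted' share one error so the
    endpoint cannot be used to enumerate which ids exist.
    """
    caller = SESSIONS.get(token or "")
    if caller is None:
        raise Forbidden("authentication required")
    p = PROFILES.get(profile_id)
    if p is None:
        raise Forbidden("not found or not permitted")
    if caller == p.user_id:
        return {"user_id": p.user_id, "age": p.age, "city": p.city}
    if p.private:
        raise Forbidden("not found or not permitted")
    # Public profile viewed by someone other than its owner: minimal view.
    return {"user_id": p.user_id}
```

The hardened version makes two separate decisions, who is calling and whether that caller may see this particular object; the second is the one most often missing from APIs that were designed to serve a single trusted front end.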

Identifying and Addressing API Vulnerabilities

Probely’s Loureiro then shared some tips on identifying and addressing API vulnerabilities. He said securing APIs begins with understanding their full scope within an organization. Asset discovery is a foundational step in protecting APIs. Organizations must map out all APIs, assess what data they access, and ensure security measures are in place. This process is critical in healthcare, where hidden APIs are common and the attack surface is extensive.

Once APIs are identified, Loureiro said healthcare entities need to conduct security assessments regularly. This includes penetration testing, vulnerability scanning, and red team exercises designed to stress-test API security. These tests should go beyond the compliance checkboxes and focus on real-world vulnerabilities.

Loureiro added that continuous monitoring is also key to detecting anomalies. By tracking API usage and establishing a baseline for normal traffic, organizations can flag deviations such as repeated queries from a single address or calls to endpoints that are not in the documented inventory. This proactive approach enables healthcare providers to detect malicious behavior early, potentially before sensitive data is accessed or exposed.
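The three steps above (inventory the APIs, assess them, monitor the traffic) can be chained into one small workflow: compare what the access log shows against what the API inventory declares, so undocumented ("hidden") endpoints and suspicious sources surface together. The script below is an added example of that idea, not Probely’s tooling; the OpenAPI-style inventory and the JSON-lines access log are constructed here so it runs offline, and the IP addresses and paths in them are fictional.

```python
"""Inventory-vs-log reconciliation for API discovery and anomaly detection.

Added example.  INVENTORY stands in for an exported OpenAPI document and
ACCESS_LOG for a gateway access log; both are constructed for this example.
"""
import json
from collections import defaultdict
from typing import Dict, Iterator, List

# Constructed inventory: what the organisation *believes* it exposes.
# An empty 'security' list means the operation is declared unauthenticated.
INVENTORY = {
    "openapi": "3.0.0",
    "paths": {
        "/v1/patients/{id}": {"get": {"security": [{"bearer": []}]}},
        "/v1/appointments": {"get": {"security": [{"bearer": []}]}},
        "/v1/health": {"get": {"security": []}},
    },
}

# Constructed access log, one JSON object per line.
ACCESS_LOG = """\
{"ts": 1, "src": "203.0.113.5", "method": "GET", "path": "/v1/patients/101", "status": 200}
{"ts": 2, "src": "203.0.113.5", "method": "GET", "path": "/v1/patients/102", "status": 200}
{"ts": 3, "src": "203.0.113.5", "method": "GET", "path": "/v1/patients/103", "status": 200}
{"ts": 4, "src": "203.0.113.5", "method": "GET", "path": "/v1/patients/104", "status": 200}
{"ts": 5, "src": "203.0.113.5", "method": "GET", "path": "/v1/patients/105", "status": 200}
{"ts": 6, "src": "192.0.2.10", "method": "GET", "path": "/v1/patients/101", "status": 200}
{"ts": 7, "src": "192.0.2.10", "method": "GET", "path": "/v1/appointments", "status": 200}
{"ts": 8, "src": "198.51.100.7", "method": "GET", "path": "/v1/admin/users", "status": 404}
{"ts": 9, "src": "198.51.100.7", "method": "GET", "path": "/v2/export/patients", "status": 200}
{"ts": 10, "src": "192.0.2.10", "method": "GET", "path": "/v1/health", "status": 200}
"""


def _records(log_text: str) -> Iterator[dict]:
    for line in log_text.splitlines():
        if line.strip():
            yield json.loads(line)


def _template(path: str) -> str:
    """Collapse numeric segments so /v1/patients/101 matches /v1/patients/{id}."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def documented_operations(spec: dict) -> Dict[str, bool]:
    """Map 'METHOD /template' -> True if the spec requires any auth scheme."""
    ops: Dict[str, bool] = {}
    for path, methods in spec["paths"].items():
        for method, op in methods.items():
            ops[f"{method.upper()} {path}"] = bool(op.get("security"))
    return ops


def unauthenticated_operations(spec: dict) -> List[str]:
    """Documented operations that declare no authentication at all."""
    return sorted(k for k, secured in documented_operations(spec).items() if not secured)


def find_hidden_endpoints(spec: dict, log_text: str) -> List[str]:
    """Operations that answered successfully but are absent from the inventory.

    4xx responses are ignored: a probe for a non-existent path is not evidence
    that the path exists.
    """
    ops = documented_operations(spec)
    hidden = set()
    for rec in _records(log_text):
        key = f"{rec['method']} {_template(rec['path'])}"
        if key not in ops and rec["status"] < 400:
            hidden.add(key)
    return sorted(hidden)


def flag_enumeration(log_text: str, template: str, max_distinct: int = 3) -> Dict[str, int]:
    """Sources that fetched more than max_distinct distinct objects of one type.

    Walking sequential ids from one address is the usage pattern that turns a
    missing authorization check into a bulk data breach.
    """
    ids = defaultdict(set)
    for rec in _records(log_text):
        if _template(rec["path"]) == template:
            ids[rec["src"]].add(rec["path"])
    return {src: len(paths) for src, paths in ids.items() if len(paths) > max_distinct}
```

Against the constructed log, the reconciliation reports `/v2/export/patients` as an endpoint that serves traffic but appears in no inventory, and 203.0.113.5 as a source walking patient records one ID at a time; both are findings a compliance checklist would not produce.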

Best Practices for Securing Healthcare APIs

Probely offered several tips for securing healthcare APIs.

  1. Implement an API Gateway: An API gateway is a protective layer between external users and the backend API infrastructure. It enforces access controls, such as authentication and authorization, monitors traffic, and offers features like rate limiting, which can prevent abuse by restricting the number of requests from a single source. This is especially valuable in healthcare, where APIs handle highly sensitive data.
  2. Use Strong Encryption: All data transmitted via APIs should be encrypted in transit with current TLS. Without it, sensitive patient data is at risk of being intercepted, particularly where an API connects to legacy systems that may only support outdated protocols.
  3. Enforce Strict Authentication Mechanisms: APIs should require strong, multi-factor authentication to limit unauthorized access. This is particularly important in healthcare, where a breach could result in unauthorized access to patient medical records, insurance information, and other highly sensitive data.
  4. Regular Audits and Updates: Organizations need to conduct regular audits of their API infrastructure to ensure that security measures remain effective against new threats. This includes retiring deprecated protocol versions and cipher suites and updating authentication mechanisms as new vulnerabilities are discovered.
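Item 1 above is easiest to reason about as a concrete policy: a gateway decides per request whether the caller is authenticated and whether it has exceeded its quota. The following token-bucket limiter and decision function are an added example, not code from Probely or from any gateway product; the session table, client keys and the injected clock are constructed so the behaviour is deterministic.

```python
"""Gateway-side rate limiting plus authentication check.

Added example.  Sessions are a constructed dictionary; a real gateway would
validate a signed token.  The clock is injected so tests are deterministic.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Bucket:
    tokens: float   # requests currently available to this client
    last: float     # clock reading at the last refill


class RateLimiter:
    """Token bucket per client key: 'rate_per_sec' sustained, 'burst' at most."""

    def __init__(self, rate_per_sec: float, burst: int,
                 clock: Callable[[], float] = time.monotonic):
        self.rate = rate_per_sec
        self.burst = burst
        self.clock = clock
        self._buckets: Dict[str, Bucket] = {}

    def allow(self, client_key: str) -> bool:
        now = self.clock()
        b = self._buckets.get(client_key)
        if b is None:
            b = Bucket(tokens=float(self.burst), last=now)
            self._buckets[client_key] = b
        # Refill in proportion to elapsed time, never beyond the burst size.
        b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def gateway_decision(limiter: RateLimiter, src_ip: str,
                     bearer_token: Optional[str], sessions: Dict[str, str]) -> int:
    """Return the HTTP status the gateway would answer with.

    Authenticated callers are limited per identity, anonymous callers per
    source address, so one noisy anonymous client cannot drain a legitimate
    user's quota.  The limit is applied before the 401 so that token-guessing
    traffic is throttled too.
    """
    subject = sessions.get(bearer_token or "")
    key = f"user:{subject}" if subject else f"ip:{src_ip}"
    if not limiter.allow(key):
        return 429
    if subject is None:
        return 401
    return 200
```

With a burst of three and a refill of one request per second, the fourth back-to-back call from one identity is rejected with 429, and two seconds later two more are admitted; the same throttle applies to anonymous traffic keyed by address.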

An Entry Point for Attacks

In healthcare, API vulnerabilities can be exploited as an entry point for ransomware or other types of cyberattacks. By compromising an API, attackers can gain access to sensitive systems or data, which can then be used as leverage in ransomware schemes. Similarly, poorly protected APIs can expose healthcare organizations to phishing attacks, where malicious actors use the information gathered from API breaches to craft more convincing and targeted phishing emails.

The healthcare sector faces myriad challenges in securing its systems, and API vulnerabilities are an increasingly critical concern. As APIs become more prevalent, driven by interoperability requirements and the expansion of digital health services, healthcare entities must prioritize API security. The insights shared in this webinar highlight the importance of moving beyond compliance-driven security and adopting a proactive, comprehensive approach to API protection.
