Healthcare Needs Open Data. Here’s How to Secure it.
Healthcare-related businesses, from clinics through to insurance providers and pharmaceutical companies, face significant challenges in the coming years. They are changing the way they produce and access data, opening up new opportunities for supply chain efficiency, customer service, and patient care. The pandemic has accelerated this pressure to digitally transform. This has sparked a new era of application development in which software is more connected than ever. It also brings new security risks.
Healthcare is just one industry facing new requirements and challenges as it adopts open data policies. We’ve seen it in other sectors around the world as governments demand open access to banking and other data. For example, the EU’s European Open Science Cloud supports easier sharing of data within the research community, while in the US, Data.gov provides access to hundreds of open data sets.
Open APIs: a revolution in access to healthcare data
In the US, the healthcare industry is facing regulatory pressure to expose patient data via digital interfaces. The legislation to watch is the 21st Century Cures Act. Passed in 2016, this legislation includes several measures to promote better care for patients.
The Office of the National Coordinator for Health IT (ONC) published the Cures Act rule (also known as the Final Rule) under this law, forcing clinicians and hospitals to open up electronic access to health data via standardized application programming interfaces (APIs). These are interfaces designed for software applications to query each other across networks by communicating data in machine-readable form.
Exposing electronic health records (EHR) is a positive development for patients because it gives them free access to their own data and opens the market to a wider variety of healthcare apps. Today, a small cadre of incumbents controls access to EHR. As of 2020, EHR companies Epic and Cerner had over half of the total market share between them. Thanks to 21st Century Cures, that is likely to change.
The Final Rule defines an open API requirement based on a standard known as Fast Healthcare Interoperability Resources (FHIR), created by the healthcare standards body Health Level Seven International (HL7). The deadline for hospitals to make data available under the FHIR requirement is December 31, 2022.
Expect to see more third-party apps leveraging the open API and innovating with patient data: hospitals, pharmaceutical companies, insurance providers, appointment booking systems and even fitness apps.
Addressing the API security threat
While this development presents new opportunities for patients and app developers, it also introduces new dangers. Attacks on APIs are growing as criminals exploit weak API security to harvest information or take down services. Companies frequently consider API security an afterthought and leave old versions of APIs exposed, inviting intruders to rattle the doors.
Insecure APIs attract attackers in part because they support automated access. If a legitimate software application can make an API request, so can a malicious bot as it tries to take over an account, launch a denial-of-service attack, or harvest sensitive content. The threat is great enough that Gartner predicts APIs will be the most frequent attack vector by 2022.[1]
Healthcare providers and applications exposing health data must secure their APIs to avoid breaches. This means scanning and cataloguing existing APIs, removing obsolete versions, and protecting new APIs as they are added. It also involves implementing strong authentication, encrypting data flows, and selecting data outputs carefully.
Finally, these companies must implement proactive security solutions to detect suspicious activity and thwart attacks quickly at the source.
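The practices above (retiring obsolete API versions, strong authentication, limiting what data leaves the API, and detecting automated abuse) can be expressed as a single inbound policy check in front of a FHIR-style endpoint. The following is an added illustration, not Lumen's product code or text from the Final Rule; the version names, token table, scope strings and rate threshold are constructed assumptions.

```python
"""Added example: minimal policy checks for a FHIR-style API gateway.
Tokens, versions, scopes and limits below are constructed for illustration."""
from collections import defaultdict, deque
import time

SUPPORTED_VERSIONS = {"v2"}  # obsolete versions (e.g. v1) are retired, not merely hidden
# Constructed token table standing in for a real OAuth2/OIDC introspection step.
TOKENS = {"tok-app-123": {"client": "booking-app", "scopes": {"patient/Patient.read"}}}
# Fields a third-party app may receive from a Patient resource (careful output selection).
PATIENT_ALLOWED_FIELDS = {"resourceType", "id", "name", "birthDate"}
RATE_LIMIT = 20  # requests per client per 60 s before traffic is flagged as automated abuse

_history = defaultdict(deque)  # per-client request timestamps within the last 60 s


def _rate_exceeded(client, now):
    """Sliding-window counter: True once a client exceeds RATE_LIMIT in 60 s."""
    window = _history[client]
    window.append(now)
    while window and now - window[0] > 60:
        window.popleft()
    return len(window) > RATE_LIMIT


def authorize(path, auth_header, now=None):
    """Return (status, reason): 404 retired version, 401 bad/missing token,
    403 insufficient scope, 429 automated abuse, 200 allowed."""
    now = time.time() if now is None else now
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] not in SUPPORTED_VERSIONS:
        return 404, "unsupported API version"
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, "missing bearer token"
    token = TOKENS.get(auth_header[len("Bearer "):])
    if token is None:
        return 401, "unknown token"
    resource = parts[1]
    if f"patient/{resource}.read" not in token["scopes"]:
        return 403, "scope does not cover resource"
    if _rate_exceeded(token["client"], now):
        return 429, "rate limit exceeded"
    return 200, "ok"


def filter_patient(resource):
    """Strip fields outside the allowlist before a Patient resource leaves the API."""
    return {k: v for k, v in resource.items() if k in PATIENT_ALLOWED_FIELDS}
```

In a real deployment the token lookup is replaced by the identity provider's introspection endpoint and the rate counter lives in shared storage, but the ordering of checks (version, authentication, scope, abuse detection, output filtering) stays the same.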
A Holistic Approach to API Security
This is where Lumen can help.
Lumen offers one of the broadest sets of application-layer security solutions on the market combining WAF, bot management and state-of-the-art API protection. Versatile and holistic, our application security solutions can help protect healthcare providers as they open EHR data to third parties, as well as new app developers that need to secure their patient-facing platforms.
With Lumen, a blend of discovery, monitoring, and advanced threat management techniques helps stop malicious actors in their tracks. We offer one of the broadest portfolios of API protection solutions. Through API profiling and monitoring, Lumen identifies API endpoints across the organization, protecting those that connect suppliers and partners. Our discovery tools reconstruct API specs and features and assess traffic patterns to distinguish between normal requests and anomalies.
Our advanced threat detection uses machine learning to analyze API activity over time and better understand the anatomy of an attack. This helps avoid false positives and automates your defence to keep the operational burden low.
Lumen offers these benefits in a hybrid software as a service (SaaS) and managed SOC model. This allows us to tailor our services to a company’s resources and threat profile, while minimizing deployment time and effort. It includes not only threat hunting and automated incident response for live attacks, but also gives you the comfort of our 24/7 security operations center, staffed by security experts.
We protect APIs, web applications, and microservices from emerging application security threats. This gives you peace of mind when providing access to EHR across all your application interfaces.
Talk to us about how we can help secure your healthcare application as you work to meet the open API requirements.
[1] Gartner, API Security: Protect your APIs from Attacks and Data Breaches, 2021.
This content is provided for informational purposes only and may require additional research and substantiation by the end user. In addition, the information is provided “as is” without any warranty or condition of any kind, either express or implied. Use of this information is at the end user’s own risk. Lumen does not warrant that the information will meet the end user’s requirements or that the implementation or usage of this information will result in the desired outcome of the end user. All third-party company and product or service names referenced in this article are for identification purposes only and do not imply endorsement or affiliation with Lumen. This document represents Lumen products and offerings as of the date of issue.