As API Adoption in Healthcare Skyrockets, Cybersecurity Risks Follow

June 23, 2022 - Application Programming Interface (API) adoption is steadily increasing in the healthcare sector, but APIs do not come without cybersecurity risks. In fact, Gartner predicted that API attacks would become the most common attack vector by 2022.

In healthcare, evidence suggests that API adoption could revolutionize interoperability efforts and health data exchange. In addition, providers are increasingly implementing APIs to comply with the CMS Interoperability and Patient Access final rule. Meanwhile, the HL7 Fast Healthcare Interoperability Resources (FHIR) standard is quickly gaining recognition in the health IT space.

In a recent report, Imperva partnered with the Marsh McLennan Global Cyber Risk Analytics Center to analyze API-related incident data and quantify the cost of API insecurity. Researchers discovered that the lack of security APIs may cause $12 billion to $23 billion in average annual API-related cyber loss in the US and anywhere from $41 billion to $75 billion globally.

“These estimates provide a view on losses that are entirely avoidable,” the report suggested.

“If companies made an upfront investment in properly securing all of their APIs, their API-related losses could decrease significantly even as their API adoption continues to increase.”

The research also revealed a correlation between company revenue and API-related event frequency. Companies earning more than $100 billion in revenue attributed a quarter of their cyber events (during the analysis period) to API insecurity.

“The analysis indicates that large firms face an elevated risk of experiencing an API-related incident. This is likely due to increased deployment and utilization of APIs in large companies, which could expose companies to more potential breaches,” the report noted.

The report found healthcare to be one of the biggest adopters of APIs across all sectors. Healthcare API traffic grew by more than 400 percent in 2020, and health monitoring API use increased an additional 941 percent in 2021.

Notably, the healthcare sector was not close to having the highest API event count compared to other industries. Technology-dependent industries such as professional services and retail trade experienced a far higher volume of API events.

The healthcare sector reported less than 25 API-related incidents during the analysis period.

“While some of these discrepancies may be attributed to higher API security standards, it is also likely that the elevated incidence of other cyberattacks, such as lost or stolen data and ransomware in the Healthcare industry, depresses their sector’s API-related event frequency,” the report reasoned.

The industries with the strongest API-related security controls had the least incidents. The report predicted that companies would continue to see rising API-related costs as cybersecurity concerns rise. Having a robust security architecture can help healthcare organizations mitigate these risks.

“Since 2017, API-related events have become increasingly common, impacting a plethora of companies across disparate industries, revenue bands, and geographies,” the report stated.

“This rise—coinciding with a meteoric increase in competing cyber threats, such as ransomware attacks—threatens to compound the already spiraling costs impacting both businesses and insurers.”