Healthcare organizations today face the daunting task of modernizing their IT infrastructure while safeguarding patient data from cyber threats – and it feels as though there’s a new danger every day. Just last month, one home healthcare equipment provider reported a data breach that exposed the personal, medical, and financial information of up to 1.9 million individuals.
At the same time, because technology continues to advance and interoperability mandates are driving the adoption of APIs, healthcare CIOs and CTOs must navigate new complexities to securely connect systems and partners.
How can it be done?
In this three-part series, I’d like to share how healthcare organizations can strengthen their security posture while confidently embracing the transformative power of digital healthcare with the help of API marketplaces.
Common pitfalls when adopting new technologies
For the past 20 years or so, when healthcare organizations needed to make a connection to exchange sensitive data between a provider and a payer, they used VPNs.
At first these were dedicated fractional telecom lines; later they became VPNs running over the public internet. Many assumed they could “lift and shift,” layering newer technologies onto old processes. But a VPN only protects the tunnel. Whatever sits at the far end is controlled by your partner – meaning the connection is only as secure as your partner’s endpoint.
When organizations started using APIs, they assumed it was safe to expose internal APIs to trusted third parties over the VPN, just as they had exchanged files over dedicated lines. The difference is that an internal API which relies on the VPN for access control has no defense of its own. If the partner isn’t landing that VPN-exposed API on a secure endpoint, you could find you’ve opened the door to your most sensitive data.
When merging old and new technologies—or lifting old ways of thinking onto new technologies—we risk increasing our vulnerability and opening up new breach points.
Managing the security and compliance question
When adopting APIs, it’s not enough to simply limit the audience that’s allowed access to them. APIs should be designed with security in mind from the start, and they need to be protected and monitored in automated ways through API gateways.
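To make the difference between the two approaches concrete, the following is an added illustration in Python (not Amplify’s or any vendor’s code). It contrasts the “lift and shift” model, where any host inside the partner VPN range is trusted, with gateway-style enforcement that authenticates each request, limits its rate per client, restricts it to the partner’s own data, and writes an audit record. The VPN range, tokens, plan names and patient records are all constructed for the demo and the client registry is hypothetical.

```python
"""Two ways to gate a partner-facing patient API: trust the VPN, or enforce
per-request policy at a gateway. Added illustration, not Amplify's code.
All IP ranges, tokens, plan names and records below are constructed."""
import ipaddress
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample data.
PARTNER_VPN = ipaddress.ip_network("10.20.0.0/16")   # range shared by all partners
RECORDS = {
    "patient-1": {"plan": "acme-health", "dx": "E11.9"},
    "patient-2": {"plan": "beta-plan", "dx": "I10"},
}
# Hypothetical client registry: credential -> partner identity and the plan it may read.
CLIENTS = {
    "tok-acme-7f3a": {"client": "acme-health", "plan": "acme-health"},
    "tok-beta-91cd": {"client": "beta-plan", "plan": "beta-plan"},
}
RATE_LIMIT = 3        # requests per client ...
RATE_WINDOW = 60.0    # ... per sliding window, in seconds


@dataclass
class Request:
    src_ip: str
    path: str                      # e.g. "/patients/patient-1"
    token: Optional[str] = None    # bearer credential, if any


@dataclass
class Gateway:
    audit: list = field(default_factory=list)
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def vpn_only(self, req: Request) -> Tuple[int, Optional[dict]]:
        """The lift-and-shift pitfall: any host inside the VPN range is trusted,
        so a compromised partner endpoint can read every record."""
        if ipaddress.ip_address(req.src_ip) not in PARTNER_VPN:
            return 403, None
        rec = RECORDS.get(req.path.rsplit("/", 1)[-1])
        return (200, rec) if rec else (404, None)

    def _rate_limited(self, client: str, now: float) -> bool:
        """Sliding-window limit keyed on the authenticated client, not the IP."""
        hits = self._hits[client]
        while hits and now - hits[0] > RATE_WINDOW:
            hits.popleft()
        if len(hits) >= RATE_LIMIT:
            return True
        hits.append(now)
        return False

    def enforce(self, req: Request, now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
        """Gateway policy: authenticate, rate-limit, authorize by plan scope, audit."""
        now = time.time() if now is None else now
        ident = CLIENTS.get(req.token or "")
        if ident is None:
            self.audit.append((now, req.src_ip, None, req.path, 401))
            return 401, None
        if self._rate_limited(ident["client"], now):
            self.audit.append((now, req.src_ip, ident["client"], req.path, 429))
            return 429, None
        rec = RECORDS.get(req.path.rsplit("/", 1)[-1])
        if rec is None or rec["plan"] != ident["plan"]:
            # Same answer for "missing" and "not yours": the API never confirms
            # that another plan's patient exists.
            self.audit.append((now, req.src_ip, ident["client"], req.path, 404))
            return 404, None
        self.audit.append((now, req.src_ip, ident["client"], req.path, 200))
        return 200, rec


def demo() -> dict:
    """Run both models against the same constructed traffic; returns status codes."""
    gw = Gateway()
    inside = "10.20.5.9"          # a partner host inside the VPN range
    acme = "tok-acme-7f3a"
    return {
        "vpn_any_record": gw.vpn_only(Request(inside, "/patients/patient-2"))[0],
        "vpn_outside": gw.vpn_only(Request("203.0.113.7", "/patients/patient-2"))[0],
        "gw_no_token": gw.enforce(Request(inside, "/patients/patient-1"), now=0.0)[0],
        "gw_own_plan": gw.enforce(Request(inside, "/patients/patient-1", acme), now=1.0)[0],
        "gw_other_plan": gw.enforce(Request(inside, "/patients/patient-2", acme), now=2.0)[0],
        "gw_third_call": gw.enforce(Request(inside, "/patients/patient-1", acme), now=3.0)[0],
        "gw_fourth_call": gw.enforce(Request(inside, "/patients/patient-1", acme), now=4.0)[0],
        "gw_after_window": gw.enforce(Request(inside, "/patients/patient-1", acme), now=70.0)[0],
        "audit_entries": len(gw.audit),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:>17}: {status}")
```

The point to notice is that in the VPN-only model the source address is the whole policy: any host that lands inside the range, legitimate or compromised, reads any record. In the gateway model the credential, not the network location, decides what the caller is, the plan scope bounds what it may read, the rate limit is keyed to that identity, and every decision leaves an audit row that answers “which API was used, by whom, and with what result.”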
Evaluating the security of API solutions can be difficult, and the stakes have never been higher as attackers increasingly target APIs to gain access to sensitive data. One assurance many government agencies look to is Common Criteria certification, which shows that a product’s security claims have been independently evaluated against a defined protection profile and assurance level.
Health plans run on data – data that is highly sensitive and highly regulated. And, in a context where cyber criminals focus more and more efforts on ransoming healthcare organizations, it’s understandable that talk of exposing health data makes CISOs wary.
What’s more, with a growing focus on data sovereignty and consumer rights, it’s not enough to ask, “where is my file?” or “where is my order?” anymore. We now need to ask, “Where is my data, and did I have the right to share that data?”
Even the Federal Trade Commission (FTC) is tightening the reins on digital health apps that share medical data with tech companies.
As my colleague William McKinney urged recently, ask yourself these questions:
- Do you know where all your APIs are and that they’re secure?
- Do you know where and how your APIs are used and by whom?
A clear value of an API marketplace in healthcare is the central management plane, which offers a single pane of glass for governance of your digital assets.
Discover, secure, and govern APIs with Amplify Enterprise Marketplace
Built on our universal API management platform, Amplify Enterprise Marketplace uses lightweight agents to automate the discovery, capture, and validation of APIs into one registry where they can be managed, monitored, and governed.
The API marketplace allows you to round up APIs from all parts of your IT environment. And Amplify Platform can automate the enforcement of API standards, including information security, rate limiting and thresholds, data reduction, and more.
Building a governance framework around APIs helps ensure that the information will be handled in accordance with stringent regulatory requirements around patient privacy and data protection.
It’s encouraging that the U.S. government sees the potential of APIs in achieving this, and HHS is slowly opening up healthcare with APIs in a controlled, secure manner.
But the next question healthcare organizations should ask themselves is, “what additional value could I get from these digital assets?” Beyond the security and compliance value of APIs, their self-service nature offers immense potential to scale and connect to a larger ecosystem to improve experiences for everyone.
As we’ll see in part two, that’s where an API marketplace can help create new value.