APIs: (A) (P)romising (I)nnovation for Healthcare in the US

Liz Meijer
Published in b8125-fall2023
Dec 6, 2023

The US healthcare system is notoriously… messy. Some of its defining features include high costs, inefficiencies, unequal access, convolution, and misaligned incentives. One major issue is the fragmentation between commercial insurance providers, government-sponsored insurance providers, and actual healthcare providers (doctors, etc.), who each operate independently. This fragmentation leads to administrative complexity, underutilized data, and, frequently, a lack of coordination between the parties providing care. The number of Health IT companies working to address these issues has increased steadily over the past decade, and I believe those focused on the use of Application Programming Interfaces (APIs) have the potential to make the most meaningful system-wide impact.

According to AWS, APIs are “mechanisms that enable two software components to communicate with each other using a set of definitions and protocols”. In other words, APIs allow for sharing of information between two otherwise separate applications. Now, let’s think about healthcare. Where is critical patient data currently stored? Well, you guessed it, it’s complicated! Some data is stored in Electronic Health Records (EHRs), some in Health Information Exchanges (HIEs), some in Enterprise Resource Planning programs (ERPs), and still some in other information deposits. As you can imagine, it is frequently challenging to access all of this scattered data at once. With the help of APIs, various parties across the healthcare ecosystem (providers, payers, patients, caregivers, etc.) could overcome issues such as unrelated software or mismatched data formats to access all data at once and best serve patient needs.

In concrete terms, a patient’s use of an API could go as follows. First, the patient downloads an app and logs in. The application links securely to an API for the doctor’s EHR. The application sends a request to the EHR asking for access to the medical data. Then, the EHR accepts the request through its API and retrieves the medical records to send directly to the patient’s app. Finally, the patient can access their records from the app and combine that information with data from other sources, including patient portals, to view all of their records in one place.

This seems to make a lot of sense, right? So, why exactly aren’t APIs used widely in healthcare already? Well, the truth is that they are starting to be used. Interoperability is the basis on which APIs are built, and it is the gold standard in the healthcare world. However, there are still challenges slowing the uptake of APIs across the industry. Most healthcare organizations outsource the development and management of APIs, leaving the door open for security breaches, a huge deal when you’re talking about people’s health.

Recent studies by Imperva suggest that a lack of API security may cause $12-$13 billion in average annual API-related cyber losses in the US. Within healthcare, a mental health app called Feelyou left 80,000 users’ email addresses vulnerable, and those addresses could be linked to anonymous posts through the app’s API. This security issue persisted from January 2022 to July 2022 before being exposed. Many examples of insecure APIs involve Broken Object Level Authorization (BOLA), which lets a user change an ID in some input (cookies, URL, etc.) and access data that is not their own. With examples like this in mind, healthcare organizations put their patient data at risk of exposure without a highly secure API in place. To implement APIs successfully, healthcare organizations need to work with extremely reliable developers, use extremely secure techniques, and adhere to stringent HIPAA regulations to protect patient anonymity.

While the security risks of APIs are significant, I believe the benefits APIs can provide outweigh the costs of developing systems that are unfailingly secure. The precautions may be costly in time and dollars, but they will be worth the effort. One important precaution is vetting third-party APIs by checking the audit trail in both directions between the organization’s database and the third-party API. Having a penetration tester probe the API, simulating the steps an attacker might take, will also prevent healthcare organizations from becoming victims. Further, authenticating the user (with a password or multi-factor authentication) and checking that they are authorized for the specific data requested, before a request is processed, can eliminate the risk of BOLA discussed above. Finally, experts recommend logging all API activity so that, if an attack happens (whether by an intentional penetration tester or a hacker), the organization can see how it was done. The API can then be updated to prevent similar attacks in the future.
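As an added illustration (not code from this article or from any vendor it names), the Python below puts the BOLA pattern from the previous section beside the per-object authorization check and audit logging described here. The record store, session tokens and user names are constructed sample data, and the two handler functions are hypothetical stand-ins for a web framework’s route handlers.

```python
"""Broken Object Level Authorization (BOLA) in a patient-records API:
a vulnerable handler beside a hardened one, with an audit log of every
request. Added illustration; the records, sessions and IDs below are
constructed sample data, not from any real system.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: each record belongs to exactly one patient.
RECORDS = {
    "rec-1001": {"owner": "patient-alice", "summary": "annual physical 2023"},
    "rec-1002": {"owner": "patient-bob", "summary": "allergy panel"},
}

# Constructed sessions: token -> authenticated user. Authentication
# (password, MFA) is assumed to have already happened when the token was issued.
SESSIONS = {
    "tok-alice": "patient-alice",
    "tok-bob": "patient-bob",
}


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


@dataclass
class AuditLog:
    """Minimal audit trail: one entry per request, whatever the outcome."""
    entries: list = field(default_factory=list)

    def record(self, user, record_id, outcome):
        self.entries.append({"user": user, "record": record_id, "outcome": outcome})


def authenticate(token):
    """Return the user behind a session token, or None if it is unknown."""
    return SESSIONS.get(token)


def get_record_vulnerable(token, record_id):
    """BOLA: the handler checks WHO the caller is, but never WHOSE record it is.
    Any logged-in user who changes the ID in the URL gets someone else's data."""
    user = authenticate(token)
    if user is None:
        return Response(401)
    rec = RECORDS.get(record_id)
    if rec is None:
        return Response(404)
    return Response(200, rec)


def get_record_hardened(token, record_id, audit):
    """Authorization is checked per object: the record must belong to the
    authenticated caller. Every outcome is written to the audit log so an
    attempt to read other patients' records leaves a trace."""
    user = authenticate(token)
    if user is None:
        audit.record(None, record_id, "unauthenticated")
        return Response(401)
    rec = RECORDS.get(record_id)
    # Same 404 for "missing" and "not yours": the API does not confirm
    # which record IDs exist to callers who do not own them.
    if rec is None or rec["owner"] != user:
        audit.record(user, record_id, "denied")
        return Response(404)
    audit.record(user, record_id, "allowed")
    return Response(200, rec)


if __name__ == "__main__":
    audit = AuditLog()
    # Bob asks for Alice's record by guessing its ID.
    print(get_record_vulnerable("tok-bob", "rec-1001").status)        # 200: data leaks
    print(get_record_hardened("tok-bob", "rec-1001", audit).status)   # 404: denied
    print(audit.entries[-1])  # the denied attempt is in the log
```

The difference between the two handlers is one comparison, `rec["owner"] != user`, which is why BOLA is so easy to ship and so hard to spot by eye; the audit log is what lets an organization notice a run of denied lookups across many record IDs after the fact, as the paragraph above recommends.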

Existing healthcare API services and vendors include DrChrono API, Particle Health API, and BlueStream API, HIPAA-compliant offerings that streamline healthcare processes and promote interoperability. Overall, there are certainly challenges to overcome in the adoption of APIs within healthcare. However, I believe that, as with other technological developments, API security concerns will ultimately be minimized, and healthcare organizations, and more importantly patients, will benefit from the implementation of these offerings.

Sources

https://aws.amazon.com/what-is/api/

https://ehrintelligence.com/news/what-do-apis-mean-for-health-interoperability-data-exchange

https://www.healthcareitnews.com/news/what-you-need-know-about-healthcare-apis-and-interoperability

https://hbr.org/2022/03/standardized-apis-could-finally-make-it-easy-to-exchange-health-records

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9030107/

https://www.healthit.gov/api-education-module/story_content/external_files/hhs_transcript_module.pdf

https://www.avertium.com/resources/threat-reports/healthcare-and-api-vulnerabilities
