In recent years, several major health information exchange platforms in the United States have fallen victim to ransomware attacks. These platforms play a crucial role in U.S. healthcare infrastructure, facilitating the flow of patient records and managing payments for extensive networks of providers, including hundreds of thousands of doctors, tens of thousands of pharmacies, thousands of hospitals, and hundreds of laboratories. Some of these systems process billions of claims annually, totaling over a trillion dollars, for vast networks of providers.
The financial and reputational fallout from these incidents has been profound. Although complete damage totals are still being calculated, in many cases, early estimates suggest that such attacks can cost healthcare organizations hundreds of millions to billions of dollars.
These incidents serve as a stark reminder of the vulnerability that even large, well-resourced organizations face. According to industry analyses, the number of patient records compromised in data breaches nearly doubled in 2023 compared to the previous year, despite a slight reduction in the total number of reported breaches.
Because healthcare organizations hold a vast array of sensitive data – from personally identifiable information (PII) and personal health information (PHI) to financial records and transactions, they’ve become an irresistible target for cybercriminals who find these networks easy to penetrate.
The intersection of healthcare data management and payment processing means these entities must also navigate the complexities of complying with both Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). For hospitals and other healthcare providers that process cardholder data, adhering to PCI DSS isn’t just a suggestion; it’s a crucial safeguard to protect financial transactions and ensure patient trust.
In the wake of recent healthcare data breaches, payment providers must also strengthen their security posture. The arrival of PCI Data Security Standard (DSS) version 4.0 necessitates a reevaluation of security protocols. This latest version goes beyond stricter controls – it offers a more adaptable approach to combat the growing wave of cyberattacks specifically targeting the healthcare industry.
PCI 4.0: APIs in the Crosshairs
Introduced by the Payment Card Industry Security Standards Council in 2006, PCI DSS has become a global standard for any entity that processes, stores, or transmits cardholder data electronically. Since this time, the core principles of PCI DSS have remained largely unchanged, with an emphasis on protecting data via encryption and data minimization techniques, maintaining secure networks, and controlling access to system data.
Of course, today’s threat landscape is quite different than it was in 2006 when the original version of PCI DSS was implemented. Back then, digital threats were primarily focused on direct attacks such as viruses and phishing. Now, we face a far more sophisticated range of cyber threats that include ransomware and malware attacks, which not only encrypt and steal data but often threaten to release it publicly unless a ransom is paid.
Released in March 2022, PCI 4.0 maintains many of the original security controls but introduces significant enhancements in areas like authentication, access management, and particularly, securing Application Programming Interfaces (APIs) which help facilitate the seamless flow of data across different platforms and services.
With the rise of e-commerce alongside the broad adoption of cloud technologies, APIs have mushroomed, with the typical enterprise managing hundreds or even thousands of APIs. As these APIs often handle sensitive customer data, the potential for even a small vulnerability in an exploited API has the potential to expose millions of sensitive records.
Recognizing the critical role and fast changing nature of APIs, PCI 4.0 includes new rules and guidelines specifically addressing API security. These updates reflect a strategic shift towards more proactive and flexible compliance strategies, allowing organizations to adapt the standard’s rigorous security measures to fit their specific operational needs.
Among other things, the new standards call for enhanced visibility and protection of APIs, underscoring the need for robust security strategies that can better adapt to new threat tactics. For example, requirement 6 of the PCI DSS guide encompasses the practice of reviewing your bespoke custom application code (i.e., the code developed by a third-party vendor, but not standard off-the-shelf applications) to ensure that no vulnerabilities are released into production.
Specific to APIs, it asks organizations to confirm that this software uses external components securely, like libraries, frameworks, and APIs. In addition, it requires the following:
- Bespoke and custom software must be developed securely
- Security vulnerabilities must be identified and addressed
- Public-facing web applications must be protected against attacks
- Changes to all system components must be managed securely
Four Best Practices for API Security
Securing APIs goes beyond just data protection in PCI DSS 4.0; it’s become a core element of compliance. The new standard emphasizes the need for a comprehensive inventory of all software components, including custom-developed and third-party integrations. This real-time visibility streamlines vulnerability management and patch application. To effectively address the requirements listed above and to elevate your overall API security posture, consider these four best practices:
- Ensure Visibility: Establish mechanisms to monitor and assess the security posture of API components. This includes detecting misconfigurations, ensuring the use of the latest encryption standards, and identifying any potential security flaws that could be exploited by attackers.
- Maintain a Comprehensive API Catalog: Develop a comprehensive inventory of all APIs, including each version in use. This catalog should highlight any undocumented features or potential backdoors that could compromise security, providing a clearer scope for management and security enhancements.
- Continuous Validation: Regularly validate the expected behavior of APIs and enforce strict controls to prevent misuse. This step should involve both the verification of API security during the development phase and ongoing checks to ensure that only legitimate activities are allowed, effectively mitigating the risk of logical vulnerabilities.
- Secure Coding Practices: Adopt secure coding standards specifically tailored for API development. By implementing a programmatic approach to secure coding, organizations can ensure that APIs are not only functional but also secured from the ground up, reducing the risk of introducing vulnerabilities into production environments.
For healthcare organizations, where the protection of sensitive patient information is paramount, advancing API security goes beyond ticking a checkbox on a compliance checklist. It’s a critical defense strategy in the fight to safeguard patient privacy and build trust within the healthcare industry. By prioritizing robust API security measures aligned with PCI DSS 4.0, healthcare providers can significantly bolster their defenses against cyberattacks and ensure the continued integrity of sensitive patient data.
About Stas Neyman
Stas Neyman is a Director of Product Marketing at Akamai, overseeing the API Security portfolio.