Blake Dournaee | Senior Product Manager
April 30, 2014

API Security: The Key to Innovating for Better Health


Innovation in the healthcare industry seems to face a constant uphill battle. Doctors are relatively conservative, many processes are manual, and patients continually feel like they have to fill out the same forms over and over again. Innovations in information technology that are readily available to other industries seem to reach healthcare at a glacial pace, or worse, never. Major innovations and trends such as cloud computing, the consumerization of IT, mobile enablement and API management are just a few examples. Adoption aside, the problem is worsened by the pesky issue of HIPAA compliance as well as data confidentiality, let alone cyber-attacks on medical information. According to an article posted last month on eSecurity Planet, more than 7 million patient records were exposed in 2013. The opportunity, however, is huge. The healthcare industry is poised to become a leader in mobile computing and improved patient outcomes because of the value of its data.

The New Value of PHI

What is the value? For patients, there are endless applications in health care monitoring, fitness and wearable devices. Health care insurers, such as the Blue Cross Blue Shield Association (BCBSA), can also benefit by making relevant health care provider and cost information available through multiple channels, directly on mobile devices over APIs. Health care providers can use APIs for health information sharing between hospitals, clinics and doctors' offices to improve outcomes and care.

For example, the Statewide Health Information Network of New York (SHIN-NY), which is the largest health information exchange (HIE) in the United States, makes statewide health information available to improve outcomes across the state. SHIN-NY collects health information from regional organizations and, with patient consent, shares this information with other providers. Data sharing in this way benefits from the network effect: as more providers and users connect, the data grows, and this generates an upward spiral of value for both patients and providers. Valuable patient information is subject to HIPAA rules and protection – how can organizations protect this data without spending an inordinate amount of money on expensive end-to-end encryption technologies or security development teams? How can organizations like SHIN-NY protect data from breaches and attacks?

APIs and Data Protection

The answer is to move the protection to the data itself, and to apply it when the data moves in and out of the organization. This can be done by coupling security processing to the network application programming interface (API). APIs in this case refer to HTTP-based REST or SOAP interfaces that can be used to share data among business partners, developers, health care providers and insurers.

So what steps does an organization take? There are two broad steps for deriving new value from legacy health care data. First, you need to create the services that wrap your PHI and make it available as a data service; then you need to secure access to that service through an API governance layer.

Data service creation may involve internal integration and data transformation, which takes health care data (PHI) from HL7, EDI, text or other formats to generic formats such as XML or JSON. Once the data is accessible over HTTP, you need to protect access to it, which can be done through an API governance and security layer. This layer can provide threat protection against common XML and JSON content-borne threats, along with validation of requests. It also provides authentication and authorization on API calls, using standards such as SAML or OAuth depending on the sophistication of your organization, so that every caller is identified and permitted to make the call.

Finally, and most important for HIPAA regulations, are the capabilities around message-level security, including format-preserving encryption and data tokenization. Either of these mechanisms can protect data in place without increasing the size of the protected field, which reduces costs compared with end-to-end encryption because existing database models can be preserved. The API governance layer should operate as a proxy, protecting data inline without expensive code changes. This proxy-based data protection also allows the organization to scale, adding more services behind the proxy as more PHI is transformed into services.
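As an added illustration of the two steps above (this is example code written for this page, not code from the original post or from any product it describes), the following Python sketch shows what an API governance layer does to one inbound request: it authenticates a bearer token and checks its scope (a stand-in for OAuth token introspection), applies threat protection and schema validation to the JSON body (size limit, nesting limit, allowed fields, SSN format), and tokenizes the SSN through a vault so the stored field keeps its exact shape. The token registry, policy limits, field names and sample record are all constructed for the example; vault-based tokenization is used here in place of format-preserving encryption because it demonstrates the same "same length, same column" property in a few lines.

```python
import json
import re
import secrets

# Constructed sample: an inbound call as it would look after the data service
# has turned an HL7 record into JSON (example data only).
SAMPLE_REQUEST = {
    "headers": {"Authorization": "Bearer demo-token-123"},
    "body": json.dumps({"patient_id": "P-000042", "ssn": "123-45-6789", "dob": "1980-02-29"}),
}

# Assumed token registry, standing in for an OAuth token introspection call.
VALID_TOKENS = {
    "demo-token-123": {"scope": {"patient:read", "patient:write"}},
    "readonly-token": {"scope": {"patient:read"}},
}

# Content policy enforced before any request reaches the data service (assumed limits).
MAX_BODY_BYTES = 64 * 1024
MAX_DEPTH = 8
ALLOWED_FIELDS = {"patient_id": str, "ssn": str, "dob": str}
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class PolicyError(Exception):
    """A policy violation; carries the HTTP status the proxy should return."""
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def _check_depth(obj, depth=0):
    # Deeply nested JSON is a classic content-borne denial-of-service vector.
    if depth > MAX_DEPTH:
        raise PolicyError(400, "nesting too deep")
    children = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else ()
    for child in children:
        _check_depth(child, depth + 1)


def validate_body(raw):
    """Threat protection plus schema validation for a JSON request body."""
    if len(raw.encode("utf-8")) > MAX_BODY_BYTES:
        raise PolicyError(413, "body too large")
    try:
        data = json.loads(raw)
    except ValueError:
        raise PolicyError(400, "malformed JSON") from None
    _check_depth(data)
    if not isinstance(data, dict):
        raise PolicyError(400, "JSON object expected")
    unknown = set(data) - set(ALLOWED_FIELDS)
    if unknown:
        raise PolicyError(400, "unexpected fields: %s" % sorted(unknown))
    for field, expected in ALLOWED_FIELDS.items():
        if field in data and not isinstance(data[field], expected):
            raise PolicyError(400, "bad type for %s" % field)
    if "ssn" in data and not SSN_RE.match(data["ssn"]):
        raise PolicyError(400, "ssn does not match expected format")
    return data


def authorize(headers, required_scope):
    """Authenticate the bearer token and check that it carries the required scope."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PolicyError(401, "missing bearer token")
    entry = VALID_TOKENS.get(auth[len("Bearer "):])
    if entry is None:
        raise PolicyError(401, "invalid token")
    if required_scope not in entry["scope"]:
        raise PolicyError(403, "insufficient scope")


class TokenVault:
    """Vault-based tokenization: an SSN is replaced by a random token of the same
    shape, so the field length and the existing database column are unchanged."""
    def __init__(self):
        self._forward, self._reverse = {}, {}

    def tokenize(self, ssn):
        if ssn in self._forward:  # the same input always maps to the same token
            return self._forward[ssn]
        while True:
            digits = "".join(secrets.choice("0123456789") for _ in range(9))
            token = "%s-%s-%s" % (digits[:3], digits[3:5], digits[5:])
            if token != ssn and token not in self._reverse:
                break
        self._forward[ssn], self._reverse[token] = token, ssn
        return token

    def detokenize(self, token):
        return self._reverse[token]


VAULT = TokenVault()


def proxy_inbound(request, vault=VAULT):
    """Run one request through the governance layer; return the message that
    would be forwarded to the data service, or an error response."""
    try:
        authorize(request["headers"], "patient:write")
        data = validate_body(request["body"])
    except PolicyError as err:
        return {"status": err.status, "error": str(err)}
    if "ssn" in data:
        data["ssn"] = vault.tokenize(data["ssn"])
    return {"status": 200, "body": data}
```

Running `proxy_inbound(SAMPLE_REQUEST)` returns a status-200 message whose `ssn` is a random 11-character token in the same `ddd-dd-dddd` shape; the same SSN always maps to the same token, `VAULT.detokenize` reverses it, and oversized, over-nested, unexpected or badly formed bodies come back as 4xx errors before they reach the data service. In a real deployment the vault would live in a separate, hardened store and the token check would go to the identity provider rather than a static table.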

This “upward spiral” allows health care organizations to unlock their value over time. Once they have a consistent, secure API layer, they can begin to scale it, opening interfaces to developers for innovative health care uses and examining more cost-effective hybrid and SaaS deployment models.