The growing use of APIs in health information technology innovation for patient care has been a boon to speeding development placed in the hands of providers and patients. Using APIs can help drive interoperability and make data “liquid” and useable. APIs can enable “Data liberación,” a concept proposed by Todd Park when he worked in the Obama administration.
Without securing patients’ personal health data leveraging APIs, those intimate details are highly hackable explained in All That we Let In, a report from Knight Ink and Appr0ov.
It is likely that behind growing health data hacks is the marginally greater financial incentive to mine it compared with other consumer data. While a social security number can fetch $1 by a data evil-doer, a credit card can score $110, and a full medical record as much as $1,000.
Alissa Knight, an expert on hacking and cybersecurity, conducted this research by first downloading 30 mHealth apps in collaboration with the companies, to do penetration testing of their apps and APIs. The goals were to identify risks and vulnerabilities and to develop recommendations for protecting health consumers’ personal health information. The test was conducted over two weeks with six months of static code analysis.
[Sidebar on “what is an ‘API?’” An application Programing Interface is a set of protocols and definitions allowing digital services and products to communicate with each other over the Internet. Simply put, the “Interface” enables different software to interact and helps developers to speed up development processes].
In testing the 30 mHealth apps and APIs, Alissa found that 100% of them were vulnerable to Broken Object Level Authorization (BOLA) attacks resulting in unauthorized access to patients’ full electronic health records, lab results, digital images, and personal data like family history and social security numbers.
One-half of the APIs allowed Alissa to access pathology, x-rays, and clinical results of patients. 50% of the APIs also allowed her to access inpatient admission records for patients that should not have been accessible to her with the level of authorization she had for the systems being tested.
Some of the key recommendations of these findings are that:
- Overall, basic cybersecurity hygiene, including avoiding hard coding usernames and passwords in source code, is an endemic problem
- mHealth companies should implement a “zero-trust” approach to securing apps and APIs
- mHealth companies should improve security controls for the most personal health information.
Do read this entire report if you have any role to play with health IT and building consumer trust with their personal electronic records as well as growing adoption of digital health tools (including apps, wearable tech, and remote health monitoring devices) in and beyond the pandemic.
Health Populi’s Hot Points: As health care continues to become a hybrid delivery model, omnichannel leveraging virtual care platforms, more patient data will be generated from more sites of care. These will run from our bodies via wearable tech and homes to close-to-home spots like retail pharmacy hubs and grocery stores to urgent care clinics, retail Big Box health centers, rehab and long-term care sites, schools, and of course, from today’s traditional medical places for care: hospitals, doctor’s offices, ambulatory care centers, et. al.
Deloitte presented this graphic for an integrated data and analytics platform supporting remote patient monitoring data feeds in a June 2020 report noting that remote patient monitoring could trigger a multi-channel data tsunami.
With this model in mind, think about “all that is let in,” coining the Knight Ink/Approov insights into patient data leakage.
Through the patient-as-consumer lens, most Americans say they were communicating and connecting online more in 2020 than ever before, an Ipsos survey found.
As a result, most U.S. adults have grown more concerned about their online privacy than at any other time, are more worried about online safety, and are more stressed about getting hacked than ever.
As health care grows more omnichannel and distributed, cybersecurity will become more challenging at the point-of-care and a big risk for health care providers under current HIPAA regulations.
But HIPAA as currently formulated doesn’t cover many data flows especially those emanating from consumer-facing devices whose data may not flow into the kind of platform that Deloitte presents above (assuming that platform is run by a health care provider legally covered under HIPAA).
There are many layers to health literacy in the digital era:
- Health care and medical literacy, understanding therapeutic instructions like when and how to take medicines, or hug a pillow after cardiac surgery;
- Financial literacy, whether a patient understands their health insurance coverage, the meaning of a co-payment, or how to navigate payments over time; and,
- Digital literacy, as to how to go online and seek medical information, sign up for health insurance on an exchange, or schedule an appointment for a vaccine.
Within digital literacy is now a new component of competency for health citizens: understanding privacy, security, and data hygiene for our own personal health information. We’ve known for many years that third party data brokers could scrape various bits of our digital data dust to construct personal profiles of “us,” further warned by Shoshana Zuboff in her seminal book, The Age of Surveillance Capitalism.
As we evolve our health care delivery system to more care at-home and closer-to-home, patients as health citizens need to better understand data rights and providers’ roles as data stewards on patients’ behalf. The last chart comes from Parks’ Associates’ recent report on serving connected consumers. One of three key aspects of building and earning consumers’ trust in smart devices is to “keep consumer data safe.”
If we expect health citizens to take advantage of virtual care, telehealth, digital health devices and apps, we’d be well-served to learn from Alissa Knight’s findings as APIs proliferate in health care — for all the right reasons.