
79% Of Healthcare Organizations Experienced an API Security Incident in the Past 12 Months

78% of healthcare organizations experienced an Application Programming Interface (API) security incident in the past 12 months, up 9% from 2022, according to a new survey from Noname Security.

APIs continue to pose significant risks to organizations, and security incidents are increasing, especially in industries that store large volumes of personally identifiable information, such as healthcare, eCommerce, and financial services, which saw the biggest increases in attacks. Healthcare experienced the biggest increase in API security incidents out of the 6 industries represented in the study and is the second most likely industry to experience an API security incident, behind financial services.

Healthcare organizations need to share information internally between different medical systems, communicate data to other healthcare organizations, and share medical records with patients’ personal health and well-being devices, with data sharing facilitated through APIs. While APIs facilitate compliant data sharing, the lack of data standards across the industry and multiple siloed technologies often mean there are considerable technological gaps to overcome, requiring custom APIs to be developed to accommodate each system. When systems are upgraded or replaced, APIs must also be updated, making API management an ongoing challenge.

Fortunately, standards such as Health Level Seven (HL7) Fast Healthcare Interoperability Resources (FHIR) and Digital Imaging and Communications in Medicine (DICOM) help to protect data privacy and security when exchanging data between systems, regardless of how each system stores its information; however, even with these standards in place, security incidents continue to increase.


In healthcare, the most common attack vector in API security incidents was network firewalls, with 27% of healthcare respondents reporting an incident via this attack vector. Web application firewalls took second spot, accounting for 19% of security incidents, followed by API gateways and Dormant/Zombie APIs both on 16%. In 2022, the most common attack vector was the exploitation of authorization vulnerabilities, which dropped to 5th place this year and was behind 15% of incidents. 55% of respondents said they experienced a loss of productivity following an API security incident.

While API security incidents are on the rise, Noname Security found that visibility into APIs has improved since last year, with 40% of organizations saying they have a full and up-to-date inventory of all APIs that return sensitive data, up from 28% in 2022. 60% of respondents said they only had either a partial inventory or a full inventory but did not know which APIs returned sensitive data, down from 72% of organizations last year.
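The two findings above, dormant/zombie APIs as an incident vector and the gap between an API inventory and knowing which routes return sensitive data, come down to one reconciliation: compare the documented inventory against what is actually being called. The following script is an added example, not code from the report or from Noname Security; the inventory, the FHIR-style routes and the access-log lines are constructed sample data.

```python
# Reconcile a documented API inventory against observed traffic.
# Flags dormant routes (inventoried but never called, candidate "zombie" APIs),
# shadow routes (called but not inventoried), and which dormant routes are
# marked as returning sensitive data. All data below is constructed.

# Inventory: normalized route -> True if the route returns sensitive data (e.g. PHI).
INVENTORY = {
    "GET /fhir/Patient/{id}": True,
    "GET /fhir/Observation": True,
    "GET /v1/status": False,
    "GET /v0/export/patients": True,   # legacy route with no traffic in the window
}

# Constructed access-log lines in the form "<method> <path> <status>".
ACCESS_LOG = """\
GET /fhir/Patient/123 200
GET /fhir/Observation?patient=123 200
GET /v1/status 200
GET /internal/debug/dump 200
GET /fhir/Patient/456 200
"""

def normalize(method, path):
    """Drop the query string and fold numeric path segments into {id}
    so concrete requests map onto inventory route templates."""
    path = path.split("?", 1)[0]
    parts = ["{id}" if seg.isdigit() else seg for seg in path.split("/")]
    return f"{method} {'/'.join(parts)}"

def reconcile(inventory, log_text):
    """Return dormant, shadow and dormant-but-sensitive routes."""
    seen = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        method, path, _status = line.split()
        seen.add(normalize(method, path))
    dormant = sorted(r for r in inventory if r not in seen)
    shadow = sorted(r for r in seen if r not in inventory)
    dormant_sensitive = [r for r in dormant if inventory[r]]
    return {"dormant": dormant, "shadow": shadow,
            "dormant_sensitive": dormant_sensitive}

if __name__ == "__main__":
    for kind, routes in reconcile(INVENTORY, ACCESS_LOG).items():
        print(f"{kind}: {routes}")
```

Dormant routes that return sensitive data are the ones to retire or re-test first; shadow routes need to be added to the inventory and classified before anyone can say whether they expose sensitive data.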

With API security incidents increasing, it is vital for healthcare organizations to conduct regular API testing to identify vulnerabilities before they can be exploited. 53% of healthcare respondents said they consider API security as an insurance policy against attacks, and a majority of healthcare organizations (91%) said they were very confident (37%) or somewhat confident (54%) that their current application testing tools were up to the task and could identify API vulnerabilities. While confidence in API security is high in healthcare, almost 1 in 10 healthcare organizations lacked confidence in their ability to test for API vulnerabilities, the highest proportion of all 6 industries surveyed for the study.

“As healthcare organizations around the world continue to drive transformation initiatives and new advancements in healthcare technology, interoperability with all data accessible from one place in real time is central to achieving these goals, delivering more facts per patient per decision,” explained Noname Security in the report. “APIs will be critical to delivering the interoperability that will power this data-driven decision making, but more importantly, API security will be key to keeping patient data safe.”

The findings are detailed in Noname Security’s annual API security report, The API Security Disconnect 2023.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
