MU3 and API Security

Fri 10 March 2017


There is a revolution underway in healthcare in the USA. At its heart is MU3, Meaningful Use Stage 3 of the Electronic Health Record incentive program. One of the goals of this program is to empower patients and give them greater access to their medical records. Healthcare providers will have a legal responsibility to allow patients to access their data and they also have a responsibility to ensure the security of the data they provide. They have to walk a fine line between ease of access and security, and they have to do it by 2018.

The healthcare profession has always been conscious of the need for privacy, but with the ever-increasing integration of computers into every aspect of modern life the need for proper safeguards on patient data has become critical. Patients are increasingly interested in monitoring their own health and are becoming more active participants in their diagnosis and treatment.

To allow patients better access to their records, MU3 will make healthcare providers expose patient data over an API. This is to give patients a choice of which apps they use to view it. Any security expert who stops to think about this for a moment will probably break out into a cold sweat: confidential patient data, exposed via an API, to any app that wants it. Healthcare records are worth a lot, more than your credit card details according to Reuters. That is why there is also a legal responsibility to make sure the data is handled in a secure way: even if the app developers are well meaning, they may leak data by accident or introduce a security flaw that someone else can exploit.

The issue of user authentication is familiar to pretty much everyone. We have passwords for email, bank accounts and any number of other websites. The testing criteria for certified electronic health record technology (CEHRT) providers have explicit test cases for ensuring access is limited to authorized users. Providing patients with a username and password to access their records is the first step, but it doesn't provide any guarantees about the software they are using to access that data. Rogue apps have already been identified as a potential security risk and could be used to steal records or login details.

At the most fundamental level, you cannot trust anything about the client software that is used to access an API. Any software you do not explicitly control can be spoofed or hacked. A number of methods already exist that seek to address this, and we cover some of them in our series on Mobile API Security Techniques. One important way of ensuring security and traceability of an API is to require a registration step, often resulting in a key that developers can use to access the API. This key identifies valid apps and allows API administrators to better monitor for inappropriate use and block apps which do not play by the rules. It also allows outright blocking of rogue apps which have made no attempt to register. A further complication, and one weakness of API keys, is the potential for them to be stolen or for valid apps to be hacked or repackaged. The key has to be placed in the app that wants to connect to the API, so there is always the potential for it to be extracted and misused.

Approov is a security solution developed with this in mind. It ensures that only registered apps can access your API. It does this without relying on an API key and protects against repackaging and malicious modification. It provides confidence that any app that accesses the sensitive data behind an API is authorized and untampered.

The focus of the MU3 regulations has very much been on choice for the patient, with a desire that any app which meets the technical requirements of the API provider should be able to access that API. As more data is exposed and more apps are developed, it is likely that maintaining the security of data held behind the API will become harder, and API providers will want more assurance that apps are doing the right thing. They have the dual incentive of keeping their customers happy and making sure that they remain in compliance with the regulations. Facilitating this while maintaining control over the API means giving app developers a pain-free way of enhancing security. Approov integrates via a simple SDK which communicates with our servers to verify the authenticity of the app. It provides a JSON Web Token (JWT) that is used for authentication and is straightforward to check on the server.

If you are concerned about providing the best protection to confidential patient records, then take a look at what Approov can do to take your API security to the next level.
