
    Norway fixing Big Bang e-health botch with fintech security

    August 12, 2025


    Norway was spurred to protect its national health service with banking sector security after a rushed Covid-era roll-out of digital services left holes in software interfaces handling patient data. 

    The fix will become the largest implementation in the world of a proposed security standard to stop hackers exploiting application programming interfaces (APIs) that exchange data between computer systems, developed originally by the UK financial sector and software industry consortium OpenID Foundation (OIDF).

    With OIDF striving to make its financial-grade API 2.0 (FAPI 2.0) proposal a global standard, some experts are calling for Europe to impose its controls over sensitive data in all critical sectors, such as health, transport and government.

    Its implementation by the Norwegian Health Network (NHN), which runs the country’s digital health infrastructure, is the first outside finance, where it is becoming a de facto standard, though it was always intended to protect sensitive data communications in other sectors.

    Routine security audits alerted NHN that its patient data was at risk 18 months ago, said Ragnhild Varmedal, chief technology officer at HelseID, the agency’s national identity and access platform, which is responsible for its health data APIs.

    NHN had upgraded national health security when the Norwegian Health Ministry gave it responsibility for the entire country’s e-health systems, modernising and developing systems such as integrated care records and electronic prescriptions, in January 2020, just as the Covid-19 pandemic spread across the world, said Varmedal. 

    “It was launched right before Covid, so it had a flying start,” she said. “Everyone just wanted to get everything to work. I think they paid more attention to that than to security. Not that they didn’t pay attention to security. But getting things up and working was even more important if you had to make a choice.”

    Under pressure

    NHN built and rolled out e-health services under pressure, she said. It took isolated e-health systems and made them national. Doctor appointments were moved to video conferencing; it created and elevated systems for identifying patients, electronic prescriptions and test results; and it upgraded API security across the entire health sector at the same time.

    “They were cutting corners because it went very quick to get things up and running,” said Varmedal.

    The concern was less the likelihood of a breach than the damage one would cause, she said. Breaches of health data APIs were possible and happening around the world on a daily basis out of the public eye. Criminals were stealing data and extorting clinics and patients under threat of sensitive records being exposed.

    HelseID cut the risk of token theft – where hackers steal digital credentials that give people access to sensitive data – from 80% to 20% after implementing FAPI 2.0 controls at one site, based on before-and-after assessments, said Varmedal. It was now replacing a haphazard medley of security measures built around 120 health data APIs with the FAPI 2.0 security profile – one defined suite of methods – and mandating its use gradually among 300 suppliers and 50,000 clinics.

    Mark Haine, OIDF technical director, said HelseID is a proof-of-concept for FAPI 2.0 in the health sector that will further the consortium’s ambition to make FAPI 2.0 a global standard for securing sensitive APIs.

    “It’s a step forward in demonstrating that FAPI is applicable in the health sector,” he said. “That’s kind of huge. There have been some people saying, ‘Oh no, we don’t want to use FAPI, that’s for finance’. We don’t agree with that. We think it’s for anywhere you’re handling sensitive data.

    “We’re also talking with healthcare standards people in North America,” said Haine. “We rather hope that over time, other implementers realise that it’s not just for financial services.”

    API security firms said FAPI 2.0 secures API communications well, but was not designed to protect against botched backend applications that handle API data, so organisations that adopted it could not rest on their laurels. Hacker exploits such as the infamous broken object level authorization proliferate because software developers make mistakes when weaving API security measures into their backend systems. 

    The FAPI 2.0 Working Group concluded that a universal standard cannot be developed to protect against such attacks because they rely on failures in the application of business logic that differs across countless different sectors and settings, said Haine. 
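
The gap described above, as an added example that is not from the article, NHN or OIDF: a request whose token has already passed every transport-level check can still read another clinic's record if the backend handler checks only the scope. The handler names, scope string, clinic ids and records are constructed for illustration.

```python
# Added illustration; every name and record below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """Identity taken from an access token that already passed token validation."""
    clinic_id: str
    scopes: frozenset


# Constructed sample data: record id -> owning clinic and payload.
RECORDS = {
    "rx-1001": {"clinic_id": "clinic-a", "body": "prescription A"},
    "rx-1002": {"clinic_id": "clinic-b", "body": "prescription B"},
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def get_record_scope_only(caller, record_id):
    """Flawed handler: checks the scope but never ties the record to the caller."""
    if "prescriptions.read" not in caller.scopes:
        raise Forbidden("missing scope")
    record = RECORDS.get(record_id)
    if record is None:
        raise NotFound(record_id)
    return record["body"]


def get_record_object_checked(caller, record_id):
    """Hardened handler: scope check plus a per-object ownership check."""
    if "prescriptions.read" not in caller.scopes:
        raise Forbidden("missing scope")
    record = RECORDS.get(record_id)
    # Same error for "absent" and "not yours" so record ids cannot be enumerated.
    if record is None or record["clinic_id"] != caller.clinic_id:
        raise NotFound(record_id)
    return record["body"]
```

The ownership rule here is a single equality test; in a real health system it is whatever care relationship the service defines, which is why it lives in the application rather than in the token profile.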

    HL7 International, which develops common health sector APIs, is developing standards for implementing application-level API security in its domain. The UK Open Banking Implementation Entity (OBIE), which pioneered FAPI 2.0’s development, and US banking standards body Financial Data Exchange (FDX) are working on the same. 

    “FAPI 2.0 should be default for any EU [European Union] API that transports sensitive or high-value data,” said Alessio Dalla Piazza, co-founder and chief technology officer at API security firm Equixly. “Yet relying on it alone would be like installing armoured doors while leaving the windows unlatched.”

    He said it should be adopted even in countries that had strong digital identity systems, such as Italy. The moment someone’s identity has to collect a radiology report from a standard health sector API such as FHIR or HL7, communications revert to basic security measures such as OAuth tokens, scopes, claims and callback URIs, said Dalla Piazza. OAuth was central to the botched upgrade HelseID made in 2020, but it is a foundational component of FAPI 2.0. 

    “FAPI 2.0 is the first set of rules that tells every participant exactly how to structure and protect those artefacts so that banks, hospitals, transport operators and e-government portals can interoperate without the usual patchwork of bilateral fixes,” said Dalla Piazza. 

    European perspective

    Jacques Declas, CEO of API security firm 42Crunch, said API security was a huge issue in Europe. 

    “75% of companies have been breached by an API attack in the last three years,” he said. “We monitor every breach. Not all are public. Most attacks are through an API. 84% of internet traffic in the world is API traffic. That’s why FAPI was born. 

    “FAPI is good,” he said. “I recommend it to everybody. But it’s just a recommendation for a standard. Large companies have tens of thousands of APIs, and they have problems enforcing standards, and some implement measures but badly.”

    “From our perspective, there are no actual gaps in the specification, or anything that is missing,” said Küsters, whose team is part of the working group developing it. 

    Action plan

    The European Commission published an action plan to improve cyber security in health in January because it had become “the most attacked industry in the EU over the past four years, including during the Covid-19 pandemic, when health infrastructure was increasingly targeted by cyber attacks”.

    Its proposed measures include making people use Europe’s digital identity wallet to access health services. It does not address API security directly. 

    Various European projects to build sector-wide APIs have emerged or elaborated plans recently. The Keystone project to build pan-EU data exchange between law enforcement and transport operators to improve security published an API model last year that had little mention of data security. A Keystone spokesperson said it thought FAPI 2.0 was not applicable to transport because it was a financial sector initiative. 

    Preetha Ramiah, research fellow at Coventry University, who shares responsibility for Keystone data security, said in an email: “At Keystone, we do not provide security for financial or monetary transactions. Our focus is on data security – ensuring secure, standards-based API communication and data exchange across systems and borders.”

    Early plans by European cloud computing firms to build a Sovereign Europe Cloud API (Seca) have made a start on elaborating a security profile. Commission plans for a Trusted Data Framework have got as far as agreeing a standard set of terms, but are yet to specify security measures.

    Seca, HL7 International and Enisa, the European Union Agency for Cybersecurity that the commission is giving responsibility for health data security under its action plan, were not prepared to comment.


