"Start by doing what's necessary; then do what's possible, and suddenly you are doing the impossible." - Francis of Assisi.
What is Our Goal?
We want to show ‘what good looks like’ for API security-by-design in digital mental health service provision. Protecting sensitive data in the channel from mobile app, via API to backend cloud/server, is a fundamental step to ensure sensitive data doesn’t inadvertently leak to places it shouldn’t.
Our first step spring of 2023 is to send out an anonymous API Security Survey to numerous digital mental health services providers to better understand the current state-of-play on API security within and across companies.
Who Is This Project For?
Any security vendors, API vendors, healthcare service providers, healthcare mobile app developers, pentesters, and other interested individuals and parties are all welcome to join us. If you are interested in participating in this project to create a recipe for digital mental health service API security, please get in touch (becky@beckyinkster.com).
Who is Leading This Project?
This project is a collaboration between myself (Becky Inkster) and Martha Neary who is a Digital Health Program Strategist for a digital health company focusing on obesity management and was previously the Program Director of PsyberGuide, non profit focusing on evaluation and implementation of Mental Health apps. This project is also supported by David Stewart, Advisor and former CEO of Approov.
Why does API Security Matter?
APIs define how apps can communicate with other apps and systems, and this form of communication accounts for over 83% of all internet traffic (29). APIs play a crucial role in supporting health IT interoperability by allowing multiple data sources to become transferable, which can help healthcare providers give better care (35).
As the pandemic accelerated the use of mobile healthcare apps, this has increased the exposure of health data through API vulnerabilities used by mobile health applications. Mobile apps and the APIs that service them are a particularly challenging environment to protect. Certain tactics used by cybercriminals include exploiting digital services via their APIs. Malicious API traffic is growing faster than non-malicious API calls (e.g., Salt Security customer data showed that API calls grew 51% whereas malicious traffic grew 211% (30) and it has been predicted that by 2022 API attacks will become the most frequent attack vector for application breaches (31). Many high-profile companies have experienced API-related cybersecurity problems, and a report by Salt Security found that 91% of companies had API-related security problems (32).
In the largest unveiling of vulnerabilities in telemedicine APIs, a report called “All That We Let In” by ethical hacker Alissa Knight and Approov found that all 30 mobile health apps investigated were vulnerable to API attacks, which collectively exposed 23 million mobile health users (33-34) Much more research and security-by-design implementation is needed, especially related to vulnerabilities and inadequacies in the implementation of security around APIs that carry very sensitive data - including but not limited to Fast Healthcare Interoperability Resources (FHIR) APIs and the mobile apps that use them (36-38).
For references see: https://psyarxiv.com/p9u3g
Working Together:
What Have We Achieved So Far?
Our Working Group has already had their first meeting as a collective. We had a chance to hear various perspectives, and not only technical points, but also around developing governance and other aspects involving human factors. We will be taking the next steps soon, which will involve a survey, report, and more actions after that.
Join Us / Find Out More
Background Reading
https://informationsecuritybuzz.com/expert-comments/mental-health-app-feelyou-exposed-70000-emails/
https://approov.io/mhealth/hacking
https://approov.io/for/playing-with-fhir/
https://blog.approov.io/shift-left-but-shield-right-but-what-does-that-mean
https://blog.approov.io/shift-left-but-shield-right-and-what-are-the-options