Introduction

Here at Te Whatu Ora, we recognize that API security is a critical aspect of our operations. Our organization deals with sensitive health information, including personal medical records and other confidential data. This information must be protected from unauthorized access, misuse, and data breaches, as it can have severe consequences for our patients and their health outcomes.

API security is particularly important in healthcare, as the use of APIs has become increasingly common in healthcare delivery systems. APIs are used to connect disparate healthcare systems, allowing healthcare providers to access and share patient data more efficiently. With the rapid adoption of telehealth and other digital health technologies, the use of APIs has become even more prevalent in healthcare delivery.

However, the use of APIs in healthcare also presents significant security risks. Healthcare APIs are a prime target for cyber attackers seeking to exploit vulnerabilities in these systems to gain unauthorized access to patient data. These attacks can result in data theft, manipulation, and other malicious activities that can lead to serious harm to patients and healthcare providers.

Given the critical importance of patient health information, Te Whatu Ora takes API security seriously. By implementing strong security controls on our APIs, we can protect our patients' health information from unauthorized access, data breaches, and other security threats. This not only helps to safeguard our patients' privacy but also helps to maintain their trust in our organization.

Who is this for?

This document is for people developing applications which will consume one or more of API's made available to them as part of the Te Whatu Ora on-boarding process.

This document does not cover industry development guidelines such as OWASP API 10, nor does it attempt to prescribe any standards for external API consumers for the development of software.

This document does not cover commercial and contractual requirements, however it does mention the API Terms & Conditions that all consumer developers must adhere to.

Why have Security controls?

APIs (Application Programming Interfaces) are used to allow different software applications to communicate with each other, share data, and execute functions. Due to their growing popularity and use, APIs have become a prime target for cyber attackers, and as such, having security controls in place is a good idea for a number of reasons:

Protection against unauthorized access: APIs are designed to be accessed by authorized parties only. Without adequate security controls in place, attackers may gain unauthorized access to APIs, which can result in data theft, data manipulation, and other types of attacks.

Protection against DDoS attacks: APIs that are not secured can be targeted with DDoS attacks. These attacks can overwhelm the API with traffic, making it unavailable to legitimate users, which can lead to financial loss and damage to reputation.

Data privacy: APIs often handle sensitive data, such as personally identifiable information (PII) and financial information. Having security controls in place helps to ensure that this data is protected from unauthorized access and misuse.

Compliance: Many industries are subject to regulatory requirements that mandate the use of security controls to protect sensitive data. Failing to implement these controls can result in legal and financial penalties.

Reputation: A security breach of an API, can damage the reputation of an organization, resulting in a loss of trust from customers and partners. This is doubly so with regards to healthcare information.

Implementing security controls on APIs helps to protect against data breaches, which can help to maintain trust and protect the reputation of the organization.