API U Series

Understanding The Realities of API Security

In January 2016, ProgrammableWeb editor-in-chief David Berlind was invited to testify before the ONC’s API Security and Privacy Task Force on the matter of API security. Berlind’s testimony at the virtual hearing, which forms the bulk of this series, focused on the realities of API security as revealed by the numerous API-related attacks he had observed and researched since October 2013 (more than two years). Although his testimony was somewhat colored by his opinions on the matter, Berlind primarily channeled the takeaways from two years’ worth of API attacks in a way that would inform anybody interested in the challenges of securing APIs. In other words, his testimony is as broadly applicable to the entire API economy as it is to any vertical industry.

ONC is short for “Office of the National Coordinator for Health Information Technology.” The National Coordinator is an executive (as in “Presidential”) appointment that reports to the Secretary of the United States Department of Health and Human Services. According to the ONC’s website, the organization is:

"...at the forefront of the administration’s health IT efforts and is a resource to the entire health system to support the adoption of health information technology and the promotion of nationwide health information exchange to improve health care.... ONC is the principal federal entity charged with coordination of nationwide efforts to implement and use the most advanced health information technology and the electronic exchange of health information."

At the time of the hearing (January 26, 2016), the ONC and the American health IT community were in the midst of the third and final stage (Stage 3) of the National Coordinator’s Meaningful Use initiative. One of the third stage’s intentions is to demonstrate interoperability of Electronic Health Records (EHR) and Electronic Medical Records (EMR) between dissimilar EHR/EMR systems. A typical use case is that of a patient who is simultaneously under the care of several doctors from different practices and hospitals, all of whom (including the patient) need a global view of the patient’s care and progress.

APIs are, of course, naturally suited to situations where interoperability is a mandate. However, given the extreme sensitivity of EHR/EMR data and the way in which it is regulated by the Health Insurance Portability and Accountability Act (HIPAA), the health IT community is moving towards interoperability with extreme trepidation, one of its primary concerns being the state of API security. As a result, the ONC formed an API Security and Privacy Task Force to dig deeper into those concerns and, among other things, solicit testimony from a diverse set of domain experts.

The experts, including Berlind, were each given five minutes to orally address a list of non-industry-specific questions regarding API security. The experts were also permitted to submit additional written material. This series consists of Berlind’s written testimony, which he later condensed into a 5-minute oral presentation (captured in this series' conclusion). Each of the Task Force’s questions is addressed by a separate part of the series. Before publishing this series on ProgrammableWeb, the questions were edited for headline fit and clarity and, in a handful of cases, Berlind has provided some additional information that he believes to be useful to ProgrammableWeb's audience. For example, he added some examples of API providers like Orange and Trustpilot that target developers-at-large as well as partners through separate API offerings (and in Orange's case, separate developer portals).

This is the introduction to ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. This introduction is taken from the overview of Berlind’s...
This is the first part of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- the introduction -- Berlind...
This is the second part of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- Part 1 -- Berlind addressed the...
This is the third part of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- Part 2 -- Berlind answers the...
This is the fourth part of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- Part 3 -- Berlind answers the...
This is the fifth part of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- Part 4 -- Berlind answers the...
This is the sixth part of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- Part 5 -- Berlind answers the...
This is the seventh part of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- Part 6 -- Berlind answers the...
This is the eighth part of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- Part 7 -- Berlind answers the...
This is the ninth part of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- Part 8 -- Berlind answers the...
This is the conclusion of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- Part 9 -- Berlind answers the...