This is fourth part of ProgrammableWeb’s series on Understanding the Realities of API Security. It is based on the testimony offered by ProgrammableWeb’s editor-in-chief David Berlind to the ONC’s API Security and Privacy Task Force. In the previous part -- Part 3 -- Berlind answers the following question posed by the ONC: How Do You Determine Who Gets Access To Your API?
This is a great question because as I have become intimately familiar with the ins and outs and intricacies and nuances of API security over the last two years, I have reached the conclusion that the industry could benefit from the existence of a “Good Housekeeping Seal of Approval” for API security along with a widely recognized and accepted regime to back it up. I’ve also given a lot of thought to how such a program would be structured and would operate. Such a certification could apply to both developers and API providers, but currently does not exist in the API economy (more on this later).
Back to the question at hand, PayPal’s API terms of service say that developers who are storing credit card data as a part of transacting with the PayPal API must comply with Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS) standards and the documentation evidencing this compliance must be provided upon request. It’s also possible that when PHI is involved, certain EHR/EMR providers require developers to satisfy certain HIPAA requirements (or certifiably demonstrate an understanding of those requirements) before they will be allowed access to an API. Such requirements would not easily scale in an LSUD environment. However, it isn’t hard to imagine a set of certifiable requirements being applied in an SSKD structured API program where such a program might be more easily managed.
Short of a standard certification program that SSKD-minded API providers (and developers) could turn to for such a requirement, there are no doubt certain API providers who have established certain security and privacy requirements that they themselves check/audit in order for developers to maintain their API privileges. It should be noted that this “need” cuts both ways. Developers who are mindful of their security and privacy of the users of their applications would also benefit from the ability to choose API providers who have certifiably taken measures to protect users whose Personally Identifiable Information (PII) is passing through their API(s).