API Security Testing for Healthcare and Digital Health
FHIR APIs, patient portal endpoints, and EHR integrations handle protected health information at scale. A single broken authorization vulnerability on a patient record endpoint means one authenticated user -- a patient, a clinician, or a third-party app -- can access another patient's medical data. HIPAA breach notification obligations follow.
ApyGuard tests every patient-scoped endpoint for authorization failures, scans API responses for PHI patterns, and provides the timestamped documentation healthcare security teams need for HIPAA risk analysis.
Why Healthcare APIs Are Uniquely Vulnerable
Healthcare APIs carry the most sensitive personal data that exists -- medical history, diagnoses, prescriptions, mental health records -- and they are accessed by a wide range of authenticated parties: patients, multiple clinical roles, third-party telehealth apps, lab systems, pharmacy networks, and health information exchanges. Each integration point is a potential authorization boundary failure.
FHIR APIs introduce a specific risk: the resource model uses predictable identifiers and broad resource type access. A SMART on FHIR application that requests patient/*.read scope should only access the authorized patient's resources. If the server does not enforce patient compartment access correctly, that application can read any patient's data by changing the patient ID in the request.
Legacy EHR integrations compound the problem. Many healthcare organizations expose REST APIs built on top of older HL7 v2 systems where authorization was never a design consideration. These APIs are often undocumented, never formally tested, and directly accessible over the network.
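The patient compartment check described above, written out as an added Python example that is not ApyGuard's or any FHIR server's code: a server-side authorization function maps a SMART v1 scope and the token's patient launch context onto each requested resource, and fails closed for resource types whose compartment linkage it does not know. The compartment table, scope regex and token/resource shapes are simplified assumptions.

```python
"""Added example (not ApyGuard code): enforce SMART on FHIR patient-compartment
access so a patient/*.read token cannot read another patient's resources."""
import re

# Which element links each resource type to its patient. This is an assumed
# subset of the FHIR Patient compartment definition, for illustration only.
COMPARTMENT_PATHS = {
    "Patient": None,  # the resource itself is the patient
    "Observation": "subject",
    "Condition": "subject",
    "MedicationRequest": "subject",
}
# SMART v1 scope syntax: <context>/<ResourceType|*>.<read|write|*>
SCOPE_RE = re.compile(r"^(patient|user|system)/(\*|[A-Z][A-Za-z]+)\.(read|write|\*)$")


def scope_allows(scopes, resource_type, action="read"):
    """Return the context of the first scope granting `action` on
    `resource_type` ('patient', 'user' or 'system'), or None if none does."""
    for scope in scopes:
        m = SCOPE_RE.match(scope)
        if not m:
            continue  # openid, launch/patient, etc. are not resource scopes
        ctx, rtype, act = m.groups()
        if rtype in ("*", resource_type) and act in ("*", action):
            return ctx
    return None


def resource_patient_id(resource):
    """Patient id the resource belongs to, or None if unknown (fail closed)."""
    rtype = resource["resourceType"]
    if rtype == "Patient":
        return resource["id"]
    path = COMPARTMENT_PATHS.get(rtype)
    ref = resource.get(path, {}).get("reference", "") if path else ""
    return ref.split("/", 1)[1] if ref.startswith("Patient/") else None


def authorize_read(token, resource):
    """token: decoded access-token context {'scope': str, 'patient': id}."""
    ctx = scope_allows(token["scope"].split(), resource["resourceType"])
    if ctx is None:
        return False, "scope does not cover resource type"
    if ctx == "patient":  # patient-context tokens are confined to one compartment
        owner = resource_patient_id(resource)
        if owner is None or owner != token.get("patient"):
            return False, "resource outside token's patient compartment"
    return True, "ok"
```

Changing the patient ID in the request does not help here: the decision is keyed on the compartment the token was issued for, not on anything the client sends.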
The Healthcare API Vulnerabilities We Find Most Often
These six categories cover the majority of critical and high findings in healthcare API security reviews.
Broken Object Level Authorization
Patient ID enumeration across records
An authenticated user -- a patient, clinician, or third-party app -- changes a patient ID or record ID in the request and retrieves another patient's medical history, lab results, or prescriptions. Sequential patient IDs are common in legacy EHR integrations.
Sensitive Data Exposure
PHI appearing in API responses
Endpoints return more data than required -- full date of birth when only age is needed, SSN in a profile response, diagnosis codes in a scheduling API. ApyGuard's behavior profiling scans every response for PHI patterns after deployment.
Broken Authentication
Weak auth on clinician-facing endpoints
Clinical staff endpoints that access sensitive records accept expired tokens, skip token audience validation, or allow session tokens from one application to authenticate against another. Telehealth integrations are a common source of broken auth.
Broken Object Property Level Authorization
Mass assignment on patient profile fields
Patient update endpoints accept fields that should be read-only -- diagnosis codes, insurance status, treating physician assignments, billing class. A patient or malicious actor can modify privileged clinical attributes through the API.
Broken Function Level Authorization
Patient access to clinical or admin functions
Administrative functions -- discharge a patient, modify a clinical note, access all records for a ward -- are accessible to patient-role tokens by changing the HTTP method or request path. FHIR APIs with broad resource type access are particularly vulnerable.
Unsafe Consumption of APIs
Unvalidated data from lab and pharmacy integrations
Healthcare platforms consume data from lab systems, pharmacy networks, and health information exchanges without validating response schemas. Malformed or malicious data from a partner API is processed and stored in the EHR without sanitization.
Compliance Coverage: HIPAA, HITRUST, and FHIR Security
Healthcare security programs require API testing that produces documentation, not just findings.
HIPAA Security Rule
45 CFR § 164.312 requires technical safeguards including access controls, audit controls, and transmission security for systems handling electronic PHI. API penetration testing provides documented evidence of access control and authentication control effectiveness.
HITRUST CSF
HITRUST Control Category 09 (Access Control) and 10 (Password Management) map directly to the API authentication and authorization vulnerabilities ApyGuard tests. Scan reports serve as evidence for HITRUST certification and self-assessments.
HL7 FHIR Security
FHIR R4 security implementation guidelines specify OAuth 2.0 SMART authorization, resource-level access controls, and audit event requirements. ApyGuard tests FHIR endpoint authorization patterns including resource type scope enforcement and patient compartment access.
For authoritative guidance, review the HHS HIPAA Security Rule guidance and the official 45 CFR Part 164 Subpart C text.
How ApyGuard Tests Patient and Clinical APIs
Import your FHIR or REST API spec
ApyGuard reads your OpenAPI or FHIR CapabilityStatement. For EHR integrations with undocumented legacy endpoints, use the browser extension to capture all active API routes including those not in the formal spec.
Configure credentials for each role
Provide tokens for the roles you want tested: patient, clinical staff, administrator, third-party app. ApyGuard tests BOLA and BFLA by sending requests across role boundaries.
AI generates healthcare-specific attack requests
Attack payloads are adapted to your actual patient and record ID formats. BOLA tests use real resource identifiers from your API schema, not generic numeric sequences that your validation layer would reject.
Receive a HIPAA-documentable findings report
Every finding is categorized by OWASP category, severity, and affected endpoint. Reports include the exact request, the unexpected response, and a remediation recommendation. Timestamped and exportable for compliance documentation.
Monitor API Responses for PHI After Every Deployment
Penetration testing verifies that your API did not expose PHI at the time of the scan. It does not protect against regressions introduced after deployment. A schema migration, a serializer configuration change, or a new EHR integration field can cause PHI to appear in responses that previously returned clean data.
ApyGuard's behavior profiling runs daily authenticated scans against your deployed API and checks every response for PHI patterns: names, dates of birth, SSNs, diagnosis codes, medication names, and other identifiers. If an endpoint starts returning data it should not, you get an alert before the next audit cycle.
Together, penetration testing and behavior profiling give healthcare security teams two layers of coverage: catching vulnerabilities before deployment and detecting data exposure regressions after it.
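The response check that behavior profiling performs, as an added Python example that is not ApyGuard's code: each response body is walked into field paths, new paths are diffed against a baseline captured when the endpoint was known clean, and field names and values are matched against PHI patterns. The scheduling-API responses, the baseline and the pattern lists are constructed for the example.

```python
"""Added example (not ApyGuard code): flag PHI regressions in an API response by
diffing its field paths against a clean baseline and matching PHI patterns."""
import re

# Value-level pattern worth flagging anywhere in a body (assumed, illustrative).
PHI_VALUE_PATTERNS = {"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b")}
# Field names that are PHI regardless of value (assumed, illustrative).
PHI_FIELD_NAMES = {"ssn", "birthDate", "diagnosisCode", "medication"}


def field_paths(obj, prefix=""):
    """Yield (path, value) for every leaf; list indexes collapse to '[]'."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from field_paths(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(obj, list):
        for item in obj:
            yield from field_paths(item, prefix + "[]")
    else:
        yield prefix, obj


def scan_response(body, baseline_paths):
    """Return (path, reason) findings for one response body."""
    findings = []
    for path, value in field_paths(body):
        leaf = path.rsplit(".", 1)[-1].rstrip("[]")
        if path not in baseline_paths:
            findings.append((path, "field not in clean baseline"))
        if leaf in PHI_FIELD_NAMES:
            findings.append((path, f"PHI field name '{leaf}'"))
        if isinstance(value, str):
            for name, pat in PHI_VALUE_PATTERNS.items():
                if pat.search(value):
                    findings.append((path, f"value matches {name} pattern"))
    return findings


# Constructed sample: a scheduling endpoint before and after a serializer change.
CLEAN_RESPONSE = {"id": "appt-1", "start": "2024-06-01T09:00:00Z",
                  "patient": {"reference": "Patient/123"}}
REGRESSED_RESPONSE = {"id": "appt-1", "start": "2024-06-01T09:00:00Z",
                      "patient": {"reference": "Patient/123",
                                  "birthDate": "1980-04-12", "ssn": "123-45-6789"},
                      "reasonCode": [{"code": "E11.9"}]}
BASELINE = {path for path, _ in field_paths(CLEAN_RESPONSE)}
```

The baseline diff is what catches fields like `reasonCode[].code` that no generic PHI regex would recognise; the pattern checks catch PHI that leaks under an unexpected name.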
Test Every EHR Integration Deployment
Healthcare API changes -- new FHIR resource types, updated patient portal endpoints, new lab or pharmacy integrations -- all introduce authorization risk. ApyGuard integrates into your CI/CD pipeline and runs a security scan on every deployment to staging, blocking the build when critical or high findings are detected.
- name: Healthcare API Security Scan
  uses: apyguard/pentest-action@v1
  with:
    api-spec: ./fhir-openapi.yaml
    api-url: ${{ secrets.STAGING_API_URL }}
    api-key: ${{ secrets.APYGUARD_KEY }}
    fail-on: high
See the full automated API penetration testing feature for integration details including GitLab CI and Jenkins.
Frequently Asked Questions
Does ApyGuard help satisfy HIPAA API security requirements?
ApyGuard provides evidence of API access control and authentication testing required under the HIPAA Security Rule's technical safeguards (45 CFR § 164.312). Scan reports document which endpoints were tested, what vulnerabilities were found, and their remediation status. Your compliance team determines how this evidence maps to your specific HIPAA risk analysis and risk management program.
Can we use real patient data in test environments?
No -- and you should not need to. ApyGuard tests your API's authorization and authentication logic, not the data it returns. You configure test accounts (a test patient, a test clinician) with synthetic credentials. ApyGuard never requires access to real PHI to perform security testing.
Does ApyGuard detect PHI appearing in API responses?
Yes, through behavior profiling. After your API passes the penetration test, behavior profiling runs daily authenticated scans and checks every response for PHI patterns: names, dates of birth, SSNs, diagnosis codes, prescription data. If an endpoint that previously returned clean data starts exposing PHI -- due to a regression, a serializer bug, or a misconfigured query -- you get an alert immediately.
How do we document API security testing for a HIPAA audit or risk analysis?
Every ApyGuard scan generates a timestamped report with findings by OWASP category, severity, affected endpoint, and remediation status. Reports include scan date, scope (which endpoints were tested), methodology (OWASP API Top 10), and findings detail. These reports can be attached directly to your HIPAA risk analysis documentation and included in Business Associate Agreement evidence packages.
Protect Patient Data Before the Next Deployment
Import your FHIR or REST API spec and run your first healthcare API security scan in under 30 minutes. No real patient data required.
Read the API security best practices guide.