The rise of OpenAI and new changes with ChatGPT-4 Turbo will help to revolutionize the way healthcare organizations take advantage of data, enabling them to scale their ability to provide care rapidly and stay agile in a fast-paced digital environment. Today, ChatGPT is used in this sector in various ways to improve communication, accessibility and support. For example, to enhance patient engagement, ChatGPT can be integrated into healthcare applications or websites to engage patients in conversations about their health, including medication reminders, lifestyle recommendations and tracking progress over time. ChatGPT can also be integrated into remote monitoring systems to collect and interpret patient data, providing real-time feedback and alerts to healthcare professionals.

However, the number of enterprise application programming interfaces (APIs) connecting and sharing data with generative AI systems like OpenAI has also brought new risks and vulnerabilities to the forefront. With every new API integration that OpenAI gets access to, the attack surface of a health organization grows, creating new opportunities for attackers to exploit vulnerabilities and gain access to sensitive patient and financial data or disrupt business operations.

It’s clear these same APIs that enable innovation, patient care and revenue also create new avenues for attackers to achieve successful data breaches for their gains. According to an industry study by Enterprise Strategy Group (ESG) titled “Securing the API Attack Surface,” the majority (75%) of organizations typically change or update their APIs on a daily or weekly basis, creating a significant challenge for protecting the dynamic nature of API attack surfaces.

Critical Security

API security is critical because APIs are often the important link in the security chain of modern applications. Developers often prioritize speed, features, functionality and ease of use over security, which can leave APIs vulnerable to attacks. Additionally, cloud-native APIs are often exposed directly to the internet, making them accessible to anyone. This can make it easier for hackers to exploit vulnerabilities in your APIs and gain access to your cloud-based applications. As evidence, the same ESG study also revealed most all (92%) organizations have experienced at least one security incident related to insecure APIs in the past 12 months, while the majority of organizations (57%) have experienced multiple security incidents related to insecure APIs during the past year.

One of the biggest challenges for hospitals and other healthcare organizations is protecting their APIs and proprietary data from OpenAI and other generative AI tools. With ChatGPT 4-Turbo, the technical and cost barriers for experimentation on APIs and data have substantially lowered. Further, the new support for API keys, OAuth 2.0 workflow, and Microsoft Azure Active Directory opens up data like never before. As a result, the popularity and growth of Enterprise AI assistants enabled by tools such as OpenAI’s Playground and the new “My ChatGPT” creator will invite an onslaught of new users attempting to gain access to private patient data. The intention for nearly all these new Enterprise AI experiments will be to help providers deliver better health services, but as the popularity and usage of Enterprise AI continue to surge, healthcare institutions will find themselves facing a unique dilemma. On one hand, the potential benefits of harnessing AI-powered tools like OpenAI’s Playground for automating tasks, enhancing health services, and increasing company wealth are enticing. However, this newfound capability also opens the door to unforeseen vulnerabilities as these AI agents access and interact with sensitive APIs and private data sources.

Security Concerns and Challenges

The advent of ChatGPT and Enterprise AI assistants in healthcare introduces a host of security concerns for the sector. One immediate concern is the potential for unintended protected health information (PHI) and personally identifiable information (PII) exposure or leakage as AI systems learn and adapt to their environment. While AI-driven tools aim to streamline processes and improve decision-making, they also can inadvertently access or expose private patient data which violates HIPAA, the General Data Protection Regulation (GDPR), and smaller regulations such as the statewide Confidentiality of Medical Information Act (CMIA) in California. Healthcare organizations must carefully monitor and regulate these interactions to prevent unauthorized access or misuse of private information.

Furthermore, health organizations must grapple with the challenge of securing their APIs against malicious actors who may exploit AI-powered systems for nefarious purposes, including unauthorized data access, interception and manipulation. The integration of AI agents into health processes creates an additional attack surface that can be targeted by cybercriminals seeking to breach systems, steal private data or disrupt operations. Robust security measures and continuous monitoring are essential to mitigate these risks and safeguard against potential breaches.

As ChatGPT and Enterprise AI assistants become increasingly prevalent within the health services sector, organizations must strike a delicate balance between harnessing the potential of AI for innovation and ensuring the highest standards of data protection and cybersecurity. A proactive and comprehensive approach to API security, data governance and AI-assisted decision-making is paramount to navigating these new challenges successfully while maintaining the trust of patients and regulatory bodies.

When it comes to securing APIs and reducing attack surfaces to help protect from ChatGPT threats, the cloud-native application protection platform (CNAPP) is a newer security framework that provides security specifically for cloud-native applications by protecting them against various API attack threats. CNAPPs do three primary jobs: Artifact scanning in pre-production, cloud configuration and posture management scanning, run-time observability and dynamic analysis of applications and APIs, especially in production environments. With CNAPP scanning pre-production and production environments, an inventory list of all APIs and software assets is generated. If the dynamically generated inventory of cloud assets has APIs connected to them, ChatGPT, Open AI and other AI and ML libraries can be discovered. As a result, CNAPPs help to identify these potentially dangerous libraries connected to Enterprise APIs and help to add layers of protection to prevent them from causing unauthorized exposure from API attack surfaces to protect your health organization’s reputation and patients’ private data and build trust within your community.

Ultimately, the key to managing the risks posed by expanding API attack surfaces with ChatGPT is to take a proactive approach to API management and security. When it comes to cloud security, CNAPP is well-suited for healthcare organizations with cloud-native applications, microservices and APIs that require application-level security. API security is a must-have when building out cloud-native applications, and CNAPP offers an effective approach for protecting expanding API attack surfaces, including those caused by ChatGPT.