Case study · R1 RCM

R1 RCM builds a proactive application security program in 180 days

Healthcare leader R1 stood up a proactive, always-on program across 1,500 API endpoints in 180 days.

1,500
API endpoints validated
25,000
automated tests
180 days
to a proactive program

The challenge

As R1 scaled its healthcare technology footprint, its attack surface grew with it. The security team needed to find issues as early in the SDLC as possible, validate controls in production, and automate as much of the work as possible, without slowing the business.

What they did

After a competitive proof of concept against several application security tools, R1 chose apisec to run continuous, automated validation against every code release. apisec operated with the simplicity of a dynamic tool but the depth of a full penetration test, including business logic and data access, and integrated directly into their existing SDLC, API gateway, and ticketing systems.

The outcome

R1 stood up a proactive, always-on program in 180 days, validating 1,500 API endpoints across 25,000 automated tests and holding a 90-day SLA on critical issues, catching and resolving them before they reached production.

About R1 RCM

Company: R1
Founded:
by Mary Ann Tolan and J.Michael Cline in July 2003, headquartered in Murray, UT
Industry:
Healthcare
Recognitions:

  • 11-time Best in KLAS winner (healthcare technology awards)
  • Great Place to Work® Certified™ USA
  • 2023–2024 Leader in LGBTQ+ Workplace Equality by the Human Rights Campaign Foundation

R1 RCM Inc.makes healthcare work better for providers and patients. R1 solutions help healthcare providers manage costs, increase revenue and streamline operations so they can deliver the quality care and empowered experience that patients deserve, today and tomorrow.

Business Challenges

As R1 continues to support and grow their Healthcare customers, technology innovation is at the center of the strategy. As their technology footprint expands, the attack surface expands and risks increase. Having a secured Software and Data Security strategy that embraces API-specific security solutions is critical to provide the business with the agility to deliver value while minimizing risks.

Key Requirements

  • ShiftLeft: find issues as early in the SDLC as possible
  • Validate security controls in production
  • Automate as much as possible

Solution

After a competitivePOC review of multiple application security solutions, R1 chose apisec for its ability to deliver continuous, automated API vulnerability scanning to every code release.

Features of apisec:
  • Simple operation (like a DAST) of complex API penetration test including logic and data access
  • Easy integration into existing SDLC solutions including API gateway and ticketing systems
  • Automated, comprehensive application security testing during development

Comprehensive Coverage

“Comprehensive API security testing can be a big challenge. Our primary focus with apisec has been the thorough nature of the way the scans are executed. We are now confident in the range, depth, and cadence of the API security testing. The ability to do proactive, continuous scanning of our APIs offers a much more comprehensive approach to API security. apisec is always checking our APIs, finding vulnerabilities, and the level of detail is amazing.” ~ Cecil Pineda

Streamlined Testing Model

“apisec's pre-production, automated, and continuous API testing solution has become a critical component of R1’s security strategy, ensuring comprehensive application protection. apisec delivered exactly what we needed; an API security solution that was pretty hands off as much as possible, with strong automation and intelligence, that would allow us to understand our API landscape, and discover and address any potential issues before they reach production. The solution effectively monitors all R1’s APIs, providing real-time updates on risks and issues, which are crucial for maintaining platform security.” ~ Cecil Pineda

Speed to Value

“apisec was able to get us ramped from ground zero where we were able to rapidly onboard our APIs with no agents and no code insertion, analyze our APIs, and dynamically generate test cases, and utilize techniques of attack playbooks. Through the integration process, the apisec team was working alongside us, making it simple and seamless. It's been incredible to see significant progress against our API security in such a short amount of time.” ~ Cecil Pineda

Future Focus: Sustaining Application Security Excellence

Looking ahead, R1 sees their application security program as a cornerstone of their Software and Data Security strategy. The company plans to:

  • Expand Testing Coverage: Continue broadening the scope of application security tests to cover new functionalities and services as they evolve.
  • Enhance Automation: Increase automation within their security processes to reduce manual intervention and accelerate response times.
  • Regular Training: Invest in ongoing training for their development and security  teams to keep them updated with the latest security practices and threats.
  • Collaborate with apisec: Strengthen their partnership with apisec to leverage new features and updates that enhance their security posture.

By focusing on these areas, R1 aims to stay ahead of potential threats and ensure robust protection of their sensitive data, reinforcing their commitment to security and customer trust.

Conclusion

“R1 significantly enhanced its API security testing capabilities, ensuring comprehensive coverage and real-time risk management.This collaboration led to efficient deployment and quick time to value, proving the effectiveness of proactive and continuous API security measures in protecting sensitive data in a highly regulated healthcare industry. What sets apisec apart is not just the impressive features, but also their incredibly responsive team that works at rapid speed. apisec has simplified API security for us.” ~Cecil Pineda, CISO, R1 RCM

Do you want to join R1 and some of the world’s most successful companies that rely on apisec to protect their applications? Contact our team today to schedule a demo or get a free vulnerability assessment.

apisec's pre-production, automated, and continuous API testing solution has become a critical component of R1's security strategy, ensuring comprehensive API protection. apisec delivered exactly what we needed; an API security solution that was pretty hands off as much as possible, with strong automation and intelligence, that would allow us to understand our API landscape, and discover and address any potential issues before they reach production.

Cecil Pineda · CISO, R1