API Automation in Healthcare with Hasura


Interoperability, security and privacy are essential parameters in modern healthcare information systems. Records are maintained in multiple data stores and formats. There are legacy systems in different facilities. Building an app for a modern-day healthcare solution requires the complex wiring of these legacy systems, different formats of data and standards and automating them through a data API layer that is secure, highly performant and can be consumed easily by developers across different organizations.

Hasura is a Data API Platform that removes the tedious parts of building and operating production data APIs – reducing cost, complexity, and time to market. Hasura connects to databases (legacy or modern, existing or new) and generates GraphQL APIs instantly.

In this post, we will look at how low-code API approaches like Hasura help accelerate the modernization journey of applications in the healthcare space.

Data Standards in Healthcare with Hasura API Demos

Healthcare data management involves a variety of standards designed to ensure data interoperability, privacy, and security. Here are some common standards that are widely used by enterprises to manage data.

HL7 v2

Health Level Seven v2 (HL7v2) is a standard clinical messaging format for data exchange between medical information systems. Introduced in the early 1980s, it is still widely used for healthcare data worldwide.

Considering the standard Electronic Medical Record (EMR) in a relational database like PostgreSQL, Hasura can be used to automate the CRUD APIs instantly. Hasura’s eventing system helps with sending HL7 v2 messages between facilities managing patient records.

Demo: Try out the HL7 v2 model with Hasura APIs


Fast Healthcare Interoperability Resources (FHIR) is a standard introduced by HL7 as an alternative to HL7 v2 and v3 standards. FHIR leverages RESTful standards for APIs.

Hasura on top of an FHIR model will give you instant GraphQL CRUD along with a declarative Authorization layer and the benefits of a high-performance, unified data layer.

Demo: Try out the FHIR model with Hasura APIs


The Observational Medical Outcomes Partnership (OMOP) Common Data Model (CDM) is an open community data standard, designed to standardize the structure and content of observational data and to enable efficient analyses that can produce reliable evidence. OHDSI leverages the OMOP model to bring out the value of health data through large-scale analytics.

When connected to a CDM in a relational database, Hasura is particularly useful for querying relational data via GraphQL, with the added advantage of security through the declarative Authorization layer.

Demo: Try out the OHDSI model with Hasura APIs


SNOMED Clinical Terms is a systematically organized collection of medical terms used in clinical documentation and reporting. The RF2 format comes with greater flexibility for config management of SNOMED terms.

There are schema models representing SNOMED in popular relational databases such as PostgreSQL, MySQL, MSSQL etc. Connecting Hasura to this data model will take care of API automation, thereby allowing you to work on the literature use cases of SNOMED.

Note: You have to import SNOMED CT into the DB and connect the DB to Hasura to get the APIs instantly.

Healthcare App Modernization

Modernization initiatives are usually massive cross-org undertakings with significant time, money, and people investment. Building (or rebuilding) the API layer to wire modern and legacy components together is often the slowest, most arduous part of the process. For example, consider the massive API development lift in a transformation project that decomposes a large monolith SQL Server with 100s of stored procedures to a database-per-service microservices model.

In a healthcare app, some concerns around modernization could be:

  • Moving from XML to JSON and other modern standards.
  • Migrating from legacy data systems to a more modern database(s).
  • API-driven app with standards like REST/GraphQL.
  • Maintaining regulatory compliance despite the changes.

Hasura supports modern API standards of REST/GraphQL with JSON. It can connect to your legacy databases* and help you incrementally migrate to modern databases tailored for specific workloads. Hasura is also compliant with industry security standards. Let us look at how Hasura helps you automate the data access layer.

API Automation

According to the Postman 2022 State of API survey, 51% of developers' time is spent writing APIs. For certain types of modernization projects (for example, modernizing legacy APIs or building a federated API service), that percentage could increase.

Even in the most tech-savvy organizations, developers spend an inordinate amount of time building, maintaining, operating, and scaling APIs. Furthermore, a huge chunk of typical API development work is tedious, non-differentiated work with a big opportunity cost. All the time spent writing boilerplate API code is time not spent on building innovation or adding a competitive edge. Companies in the healthcare space are not necessarily tech-first, and even within those that are, a lot of resources are spent on boilerplate API code.

What does Hasura automate?

With Hasura, you can go from a new or existing data source to a rich and flexible API in minutes. Once connected to a database, Hasura automatically generates a GraphQL endpoint with all the core GraphQL operations like queries, mutations, and subscriptions to cater for all CRUD use cases. You can instantly start querying with filtering, sorting, pagination, joins, pattern search, and much more.

All the information needed to generate the API endpoint is stored in the Hasura Metadata, which lets you declaratively create simple or complex domain API models from underlying physical data models spread across one or more data sources. The Hasura Metadata can be dynamically configured in the Hasura Console or via the Hasura CLI, which lets you easily integrate Hasura into your enterprise CI/CD processes.

“If we had gone the traditional way this process would have taken us 2-4 years. With Hasura we have been able to crunch it to just under a year. Achieving this timeframe in a highly regulated environment like healthcare is phenomenal.”
Karthik Srinivasan, Solution Architect, Philips Healthcare
API Development with and without Hasura

REST Endpoints

If you are coming from an existing legacy system and would like to keep the tooling around it for monitoring, caching and other operational concerns, you can leverage the RESTified endpoints feature that Hasura provides.

Hasura can map a GraphQL query to an equivalent REST API query, so you can define the parameters for it and gradually use REST APIs before transitioning to GraphQL across the team.

Read more about RESTified endpoints with Hasura.

"By using Hasura we cut the development time in half and built our product in 3 months & built-in role-based authorization system made it easy to secure our data."
Mark Erdmann, Software Engineer, Pulley

Security and Compliance

Compliance with healthcare data regulations is non-negotiable. Hasura Cloud is designed to help companies follow the three tenets of information security: confidentiality, integrity, and availability. As part of our certification process, we have external agencies conduct routine testing to ensure we’re maintaining industry standards. To incentivize the community for an extra layer of scrutiny, we also offer a path for responsible disclosure.

  • SOC 2 Type II compliant
  • HIPAA compliant
  • Regularly penetration tested
  • ISO Certified
  • GDPR compliant

Declarative and powerful role-based access control

Hasura has a native Authorization system and advanced security features essential for compliance with regulations like HIPAA and GDPR. Hasura's granular role-based access control ensures that data is accessed only by authorized users, reducing the risk of data breaches and associated costs.

Whenever possible, Hasura automatically pushes the authorization check down into the data query itself. This provides an enhanced security benefit: additional lookups are avoided where possible, and unauthorized or unnecessary data is never fetched from the data source. There is an added performance boost and cost savings as well.

“The beauty of Hasura is that we can manage the data through Postgres and we can leverage the data through the APIs that are available both internally and externally. We don’t intend to have every piece of data in the clinical platform - Hasura allows us to manage the data from the database as well as from the API.”
Nagaraja Nayak, VP Enterprise Clinical Tech, Optum

In clinical platforms, not all data needs to be exposed to the outside world, and some of it is accessed only internally by admins and technicians. Optum was able to make use of Hasura’s access control system to manage data in the database as well as from the API.

Audit Logs

Healthcare is a highly regulated industry, so it is critical to have an audit trail to analyze who accessed what data and when. You should be able to audit, debug, and analyze logs from all your services, apps, and platforms at scale.

Hasura provides first-party integrations with multiple observability platforms and is fully OpenTelemetry compliant. For all API requests, logs are emitted with details for both success and error responses. Learn more about Hasura’s http-log. You get details like user role, user ID, execution time and a few others, which let you figure out who made a given query and at what time, and create an audit trail for any given user.
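The per-user audit trail described above, as an added example that is not Hasura's code: it groups http-log records by user ID and marks the requests that returned an error. The log lines are constructed, and the field layout (`detail.operation.user_vars`, `detail.http_info`) is an assumption about the http-log shape; adjust the keys to what your deployment emits.

```python
import json
from collections import defaultdict

# Constructed sample log lines; the last one is deliberately truncated.
SAMPLE_LOG = """\
{"timestamp":"2023-06-27T09:00:00.000+0000","level":"info","type":"startup","detail":{"kind":"server"}}
{"timestamp":"2023-06-27T09:00:01.120+0000","level":"info","type":"http-log","detail":{"operation":{"request_id":"req-1","user_vars":{"x-hasura-role":"clinician","x-hasura-user-id":"u-17"},"query_execution_time":0.012,"error":null},"http_info":{"status":200,"url":"/v1/graphql","ip":"10.0.0.5","method":"POST"}}}
{"timestamp":"2023-06-27T09:00:02.300+0000","level":"info","type":"http-log","detail":{"operation":{"request_id":"req-2","user_vars":{"x-hasura-role":"technician","x-hasura-user-id":"u-42"},"query_execution_time":0.008,"error":null},"http_info":{"status":200,"url":"/v1/graphql","ip":"10.0.0.9","method":"POST"}}}
{"timestamp":"2023-06-27T09:00:03.450+0000","level":"error","type":"http-log","detail":{"operation":{"request_id":"req-3","user_vars":{"x-hasura-role":"technician","x-hasura-user-id":"u-42"},"query_execution_time":null,"error":{"code":"validation-failed"}},"http_info":{"status":200,"url":"/v1/graphql","ip":"10.0.0.9","method":"POST"}}}
{"timestamp":"2023-06-27T09:00:05.010+0000","level":"info","type":"http-log","detail":{"operation":{"request_id":"req-4","user_vars":{"x-hasura-role":"clinician","x-hasura-user-id":"u-17"},"query_execution_time":0.020,"error":null},"http_info":{"status":200,"url":"/v1/graphql","ip":"10.0.0.5","method":"POST"}}}
{"timestamp":"2023-06-27T09:00:07.700+0000","level":"info","type":"http-log","detail":{"operation":{"request_id":"req-5","user_vars":{"x-hasura-role":"admin"},"query_execution_time":0.004,"error":null},"http_info":{"status":200,"url":"/v1/graphql","ip":"10.0.0.2","method":"POST"}}}
{"timestamp":"2023-06-27T09:00:09.0
"""

def audit_trail(log_text):
    """Return ({user_id: [entry, ...]}, number_of_unparseable_lines)."""
    trail, skipped = defaultdict(list), 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # count it: silently dropped lines are gaps in the trail
            continue
        if rec.get("type") != "http-log":
            continue      # startup and other log types are not API requests
        op = rec["detail"].get("operation", {})
        http = rec["detail"].get("http_info", {})
        user_vars = op.get("user_vars") or {}
        # Requests without a user ID (e.g. admin access) get their own bucket.
        user = user_vars.get("x-hasura-user-id", "<no-user-id>")
        trail[user].append({
            "when": rec["timestamp"],
            "role": user_vars.get("x-hasura-role"),
            "request_id": op.get("request_id"),
            "source_ip": http.get("ip"),
            "seconds": op.get("query_execution_time"),
            "failed": op.get("error") is not None,
        })
    return dict(trail), skipped

def failures_for(trail, user):
    """Request IDs of one user's requests that ended in an error."""
    return [e["request_id"] for e in trail.get(user, []) if e["failed"]]

if __name__ == "__main__":
    trail, skipped = audit_trail(SAMPLE_LOG)
    print(json.dumps(trail, indent=2), "unparseable lines:", skipped)
```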

API Allow Lists and Limits

Allow lists in Hasura can be configured to safely permit a limited number of GraphQL operations (queries/mutations/subscriptions) for your project. You can review and approve operations, and create collections of role-based allow lists if required. By limiting access to a defined set of known and trusted entities, healthcare providers can protect patient data from potential unauthorized access or malicious activities. This also reduces the attack surface and the risk of data breaches.

Rate Limiting in Hasura helps in controlling resource usage. When accessing patient data in a healthcare setting, it is important to ensure equitable access without a particular user blocking resources with a series of API requests.

OWASP Top 10

OWASP is most famous for the “Top Ten” framework for structuring secure applications. As the industry expands into a micro-service-driven approach, it’s important for organisations to validate all of their dependencies according to the OWASP framework.

Hasura’s security-first approach ensures that the Top 10 security features and criteria are fulfilled. Read more: How Hasura addresses the OWASP Top 10 concerns. On the other hand, when you are building your own GraphQL server and writing authorization logic, you will need to ensure that the Top 10 concerns are handled to be secure and compliant.

Unified Health Records with Data Federation

Fragmented patient data across different systems can delay various processes in healthcare workflows. Hasura's unified data graph provides an integrated view of patient health records, leading to speedier, more accurate diagnoses.

The best part about this unification is that it doesn’t need any code changes, either in the upstream service provider or within Hasura. Data Federation works out of the box and is driven by configuration.

Hasura’s approach to GraphQL and Data Federation is:

  1. Declarative: You can declaratively add sub-domains (GraphQL, REST, databases, etc.) to Hasura to get a federated API. Unlike alternatives, you do not need to make any proprietary modification to your GraphQL servers to bring them into your “supergraph”.
  2. Multi-protocol support: Federation in Hasura is not restricted to just GraphQL. You can federate instantly across databases, REST APIs, and of course GraphQL APIs as well.
  3. Schema registry: Schema Registry makes it easy to evolve the schema in a transparent, controlled, and collaborative manner.

High performance, in real-time

In healthcare, there’s often a high volume of data, especially real-time data, and a highly performant and reliable API can significantly improve the user experience. Real-time access to data such as patient records and reports is critical for effective and timely decision-making.

Hasura is a high-performance GraphQL engine, which compiles an incoming GraphQL request to a single SQL query, with all the necessary authorization embedded within the query. This way, it is possible to query any level of nested relational data very quickly. Most patient records contain a lot of nested data that has to be queried, often in real time. Add authorization rules, and building your own API for such sensitive data quickly becomes complicated.
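An added illustration of authorization embedded in the query, as described here and in the access-control section above (not Hasura's code): a small compiler turns a Hasura-style row permission into a parameterized WHERE clause, next to the fetch-then-filter pattern it replaces. The `encounter` table, the `clinician` role, the `X-Hasura-Facility-Id` session variable and all function names are assumptions, and SQLite stands in for the real database.

```python
import sqlite3

COLUMNS = {"id", "patient", "facility_id"}             # fixed column allow list
OPS = {"_eq": "=", "_neq": "<>", "_gt": ">", "_lt": "<"}
# Constructed rule for a hypothetical "clinician" role: own facility only.
PERMISSION = {"facility_id": {"_eq": "X-Hasura-Facility-Id"}}

def compile_rule(rule, session):
    """Turn a boolean permission rule into (WHERE fragment, bound parameters)."""
    parts, params = [], []
    for key, value in rule.items():
        if key in ("_and", "_or"):
            subs = [compile_rule(r, session) for r in value]
            joiner = " AND " if key == "_and" else " OR "
            parts.append("(" + joiner.join(sql for sql, _ in subs) + ")")
            params += [p for _, ps in subs for p in ps]
        elif key in COLUMNS:
            for op, operand in value.items():
                if isinstance(operand, str) and operand.lower().startswith("x-hasura-"):
                    operand = session[operand.lower()]  # missing variable -> KeyError -> deny
                parts.append(f"{key} {OPS[op]} ?")      # value is bound, never interpolated
                params.append(operand)
        else:
            raise ValueError(f"unknown column or operator: {key!r}")
    return " AND ".join(parts) or "1=1", params

def fetch_pushed_down(db, session):
    """One query; rows outside the rule never leave the database."""
    where, params = compile_rule(PERMISSION, session)
    sql = f"SELECT id, patient, facility_id FROM encounter WHERE {where}"
    return db.execute(sql, params).fetchall()

def fetch_then_filter(db, session):
    """Anti-pattern for contrast: load every row, authorize in application code."""
    rows = db.execute("SELECT id, patient, facility_id FROM encounter").fetchall()
    allowed = [r for r in rows if r[2] == session["x-hasura-facility-id"]]
    return len(rows), allowed

def demo_db():
    """Constructed sample data in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE encounter (id INTEGER, patient TEXT, facility_id TEXT)")
    db.executemany("INSERT INTO encounter VALUES (?, ?, ?)", [
        (1, "patient-a", "north"), (2, "patient-b", "south"), (3, "patient-c", "north")])
    return db

if __name__ == "__main__":
    db = demo_db()
    print(fetch_pushed_down(db, {"x-hasura-facility-id": "north"}))
    print(fetch_then_filter(db, {"x-hasura-facility-id": "north"}))
```

Both functions return the same two rows for the `north` session, but the second one has already pulled the `south` patient's record into application memory before discarding it.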

Read more on How Hasura scales to 1 million active GraphQL subscriptions (live queries).


Hasura has helped many Fortune 500 companies such as Optum and Philips Healthcare to harness the power of our data-access API engine to modernize their extensive clinical platform and improve healthcare systems for millions of customers in just over three months. Hasura can power an enterprise-level healthcare system with modern digital standards, high-performance API, a highly secured data access layer and compliance with industry standards for data regulations.

Try out Hasura

Sign up to start your journey with Hasura Cloud today. If you are an enterprise looking to learn more about how Hasura fits in your app modernization strategy, reach out to us through the Contact Us form and our team will get back to you.

Reading Resources

27 Jun, 2023