What challenges arise when performing security testing on healthcare APIs using FHIR standards?