Thursday, June 18, 2020

IHE ITI Work Items summer 2020

ITI Tech has 5 projects happening and each have made progress in the past few weeks. I encourage participation, even if you are not a typical IHE participant. All of our projects are using GitHub, so let me know if you want to engage and have not yet gotten assigned to the proper GitHub teams. I need your GitHub username.

IHE use of IG Build tool (not exclusively ITI, but we do dominate active members)
* kanban board for this project
* github where we doing most of our work
* example of PIXm profile converted from word/pdf supplement to IG build 
* example of MHD profile using FSH/sushi authoring
* example of the SANER project using FSH/sushi authoring and Keith magic (NOTE this is an HL7 project, but Keith offers this layout as inspired by the IHE supplement layout)

HIE White paper update
* kanban board for this project
* github where the work is happening
* html rendering of current work for committee review (not proper external publication)

IHE publications in html
* kanban has not been started as too much is in flux
* publications github where we are doing our work
* html rendering of current work for committee review (not proper external publication)

IUA upgrade 
* strong use of github issues
* Team is going forward editing in markdown for supplement publication (not word doc)

SNIF White Paper promotion (more of an ITI Planning task)
* Formally published at Survey of Network Interfaces Form – Published 2020-05-29
* GitHub repo for experiment publish as html and use of GitHub Issue Tracking
* html rendering of github markdown authored for committee review
* Note we are experimenting here with using Github page publication
* Main goal at this point is to promote this to get feedback on interest in developing this further

ATNA profile specific patterns using Gazelle
* There has not been much work, but the idea is to leverage the fact that Gazelle has and needs the ATNA Audit Message patterns to enable testing.
* Future (likely the above html publications) publications of supplements and technical framework will not include the ATNA audit message pattern table inline, but rather this pattern will be defined in Gazelle and that instance will be pointed to by the IHE specification.

Tuesday, June 16, 2020

Web API security as foundation for #FHIR

I am a standards geek, and as such I am a strong advocate for standards developed and maintained by experts in their field. HL7 and IHE are where I focus my personal standards development. In the space of things that are special in Health IT. 

I resist when projects are brought to IHE or HL7 that want a standard developed or a profile developed in a technology space that is foundational to Healthcare, but where the specialization for healthcare is not needed. The following are some pointers to "Standards" that healthcare should use as is. This is not to say that there could be no specialization for healthcare, but rather that the fundamentals of these standards need to be followed first before anything special for healthcare is ever needed.

Web API Security -- OWASP Top 10 Web Application Security Risks

  1. Injection. Injection flaws
  2. Broken Authentication. 
  3. Sensitive Data Exposure. 
  4. XML External Entities (XXE). 
  5. Broken Access Control. 
  6. Security Misconfiguration. 
  7. Cross-Site Scripting XSS.
  8. Insecure Deserialization. 
  9. Using Components with Known Vulnerabilities. 
  10. Insufficient Logging & Monitoring. 

OAuth 2.0 Security Best Current Practice

This document describes best current security practice for OAuth 2.0. It updates and extends the OAuth 2.0 Security Threat Model to incorporate practical experiences gathered since OAuth 2.0 was published and covers new threats relevant due to the broader application of OAuth 2.0.

IETF Best Current Practice in security

  • BCP038 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
  • BCP046 Recommended Internet Service Provider Security Services and Procedures
  • BCP061 Strong Security Requirements for Internet Engineering Task Force Standard Protocols
  • BCP072 Guidelines for Writing RFC Text on Security Considerations
  • BCP106 Randomness Requirements for Security
  • BCP136 Secure Connectivity and Mobility Using Mobile IPv4 and IKEv2 Mobility and Multihoming (MOBIKE)
  • BCP140 Preventing Use of Recursive Nameservers in Reflector Attacks
  • BCP188 Pervasive Monitoring Is an Attack
  • BCP194 BGP Operations and Security
  • BCP195 Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
  • BCP199 DHCPv6-Shield: Protecting against Rogue DHCPv6 Servers