IHE ITI Tech met last week and had a very productive meeting. It seems we are getting the hang of virtual meetings. I will say that they are still about 50% as productive as a face-to-face. There are times at which we are more productive, but there are times when the virtualness gets in the way. This can be due to the lack of non-verbal queues (oh, you really didn't understand what I said), or inability to stand up and draw a picture on a whiteboard, or because everyone is multi-tasking.
Finished this meeting: (will take a week or two to be actually published on https://profiles.ihe.net )
mCSD Whitepaper
PIXm in IG format with Feed transaction - for Trial Implementation
PDQm in IG format - for Trial Implementation
Continuing Work Items:
Quality improvements to the HTML publication of the Technical Framework publications
Create Implementation Guide Profile ATNA auditEvent patterns for generic FHIR RESTful transactions with pattern informing IHE profile further specializing task-144
Convert Metadata Handbook to html publication without technical changes task-169
Convert MHDS to html publication without technical changes (not an IG yet) task-166
Alissa Knight did some invited and funded cyberSecurity research and found some good and some bad. No-one should be surprised by that conclusion. The point we should take from this research is that
EHRs are doing a good job of securing their FHIR implementations
FHIR is good and worthy
There is room for improvement in some implementations
There are included recommended improvements.
Some have take a very negative view of the research, most of this negativity is unfounded and driven by the fact that Alissa is excellent at marketing and drama. She has excellent presentation skills, excellent writing skills, excellent hacking skills, and excellent artwork.
This research was funded by a vendor that provides security frontend for APIs, so certainly there should be some consideration here. I, however, have good reason to believe that this funding did not influence the research. Alissa has a couple of decades of proving she knows what she is doing. This is not just fake research complaining about products that didn't use the vendors solution. Yes there is one mention that a product that did use that vendor solution was not found vulnerable, yes the vendor got mention at the bottom of the report for funding it.
This was not an attempt to bring down FHIR, but rather to challenge us all to be better. This report says nothing negative about the FHIR standard, it was focused on implementations.
There is some bad news, some implementations were specifically disgustingly bad at securing the data, and they had lots of data (aggregators). These services had signed up to be part of this research. They were informed of the problems. The report was expressing the trend, not the specific details. Alissa addressed this during the YouTube below, and also on twitter later.
Alissa hosted a Ask Me Anything on live YouTube, the recording here
Deeper dive
The report stands alone, and I have tried to come up with better ways to say what it says, but I just can't. The things that Alissa found were very remedial cyber security issues. Editing URLs in the browser to try to get at obvious other information. Using legitimate security tokens for things it was not intended to do. ... Alissa has so much deeper skills that she simply never needed to rely on. She goes into all of these details about as detailed as is reasonable without naming products.
Page 16 was critical for me. I literally was stunned. Not an exaggeration. I knew that there would likely be mistakes, hence why above I said we all should not be surprised she found issues. It was clear there would be issues found. But the class of issues found are just unexplainable. All of the issues failed to implement even the FIRST section on the FHIR Security page.
Data Aggregators were the worst offenders in my view. I know they provide a useful service, but they do it in ways that are not transparent, and they clearly don't take their responsibility seriously. They have been around for decades, so likely these same bad security implementations were just as bad on their previous proprietary "secret" APIs. The use of FHIR just makes them more obviously bad.
The last bullet on page 16 was the worse, quote:
With one patient engagement app,
the API endpoint sent me all the
patient and clinician records in its
database, indicating it was using
the mobile app to filter out just my
record.
NO WAY!!??? yup, that happened
mic drop
Conclusion:
I need to bring this back to positives... FHIR is good, the EHRs are good, many apps and services are good... but some are really NOT.
FHIR is a building block. It has so much to give to us humans (and animals). It will enable many things while it transitions from a "Standard for Trial Use" to something that is used to build CarePlans, Patient Engagement, Emergency Medicine, Disaster Management, Public Health, Artificial Intelligent clinical decision support aids, world wide COVID-19 tracking, and COVID-19 vaccine credentials... helping patients stay healthy rather than get unhealthy in the first place ...
FHIR is built upon http RESTful concepts, Document concepts, and messaging. These platforms have security and privacy layers available to be used. Healthcare does not need to invent security, we just need to implement it properly. Mostly apply the security layer to the interactions following good policies. Have bad policy, is bad. Have bad implementations, is bad. Have no security, is bad.
All systems that have access to health data need to be designed from the beginning with Privacy Principles which include Security and Security which is about (protecting risks to Confidentiality, Integrity, and Availability). Failing at "Access Control" makes me wonder about all the other opportunities to have forgotten Privacy and Security in the design.
Now is a good time to be reminded. We are not too far gone, we can do the right thing.