Thursday, October 14, 2021

Security of #FHIR implementations concerns

Security Report: "The New Healthcare Ecosystem will depend on FHIR APis, but Are They Secure?"

Alissa Knight did some invited and funded cyberSecurity research and found some good and some bad. No-one should be surprised by that conclusion. The point we should take from this research is that 

  1. EHRs are doing a good job of securing their FHIR implementations
  2. FHIR is good and worthy
  3. There is room for improvement in some implementations 
  4. There are included recommended improvements. 

Some have take a very negative view of the research, most of this negativity is unfounded and driven by the fact that Alissa is excellent at marketing and drama. She has excellent presentation skills, excellent writing skills, excellent hacking skills, and excellent artwork. 

This research was funded by a vendor that provides security frontend for APIs, so certainly there should be some consideration here. I, however, have good reason to believe that this funding did not influence the research. Alissa has a couple of decades of proving she knows what she is doing. This is not just fake research complaining about products that didn't use the vendors solution. Yes there is one mention that a product that did use that vendor solution was not found vulnerable, yes the vendor got mention at the bottom of the report for funding it.

This was not an attempt to bring down FHIR, but rather to challenge us all to be better.  This report says nothing negative about the FHIR standard, it was focused on implementations. 

There is some bad news, some implementations were specifically disgustingly bad at securing the data, and they had lots of data (aggregators). These services had signed up to be part of this research. They were informed of the problems. The report was expressing the trend, not the specific details. Alissa addressed this during the YouTube below, and also on twitter later.

Alissa hosted a Ask Me Anything on live YouTube, the recording here

Deeper dive

The report stands alone, and I have tried to come up with better ways to say what it says, but I just can't. The things that Alissa found were very remedial cyber security issues. Editing URLs in the browser to try to get at obvious other information. Using legitimate security tokens for things it was not intended to do. ...  Alissa has so much deeper skills that she simply never needed to rely on. She goes into all of these details about as detailed as is reasonable without naming products. 

Page 16 was critical for me. I literally was stunned. Not an exaggeration. I knew that there would likely be mistakes, hence why above I said we all should not be surprised she found issues. It was clear there would be issues found. But the class of issues found are just unexplainable.  All of the issues failed to implement even the FIRST section on the FHIR Security page.

Data Aggregators were the worst offenders in my view. I know they provide a useful service, but they do it in ways that are not transparent, and they clearly don't take their responsibility seriously. They have been around for decades, so likely these same bad security implementations were just as bad on their previous proprietary "secret" APIs. The use of FHIR just makes them more obviously bad.

The last bullet on page 16 was the worse, quote:
With one patient engagement app, the API endpoint sent me all the patient and clinician records in its database, indicating it was using the mobile app to filter out just my record.
NO WAY!!??? yup, that happened

mic drop


I need to bring this back to positives... FHIR is good, the EHRs are good, many apps and services are good... but some are really NOT.  

FHIR is a building block. It has so much to give to us humans (and animals). It will enable many things while it transitions from a "Standard for Trial Use" to something that is used to build CarePlans, Patient Engagement, Emergency Medicine, Disaster Management, Public Health, Artificial Intelligent clinical decision support aids, world wide COVID-19 tracking, and COVID-19 vaccine credentials...  helping patients stay healthy rather than get unhealthy in the first place ...

FHIR is built upon http RESTful concepts, Document concepts, and messaging. These platforms have security and privacy layers available to be used. Healthcare does not need to invent security, we just need to implement it properly. Mostly apply the security layer to the interactions following good policies. Have bad policy, is bad. Have bad implementations, is bad. Have no security, is bad.

All systems that have access to health data need to be designed from the beginning with Privacy Principles which include Security and Security which is about (protecting risks to Confidentiality, Integrity, and Availability).  Failing at "Access Control" makes me wonder about all the other opportunities to have forgotten Privacy and Security in the design.

Now is a good time to be reminded. We are not too far gone, we can do the right thing.

FHIR is the right standard to work with. 

Others comments


  1. another article by "STAT+" -
    I was interviewed and quoted. Mostly another reasonable article that also brings forward some of the findings. As with any article, it has some misstatements. The article makes negative statements about EHR and Imaging that neither were stated in the research report.

  2. India TV news -

    1. This article has MANY misstatements. MANY. I am not sure there is much that is accurate in this article.

    2. Note, I am quoted in the article.. but I was not interviewed. This article clearly is derived off of the STAT+ article

  3. SIFY --

    1. same as the India news article... VERY WRONG content.

  4. the Verge -

    1. I am quoted but not interviewed by the Verge. They clearly are derived off of the STAT+ article. This Verge article is short, so not much they could say that is wrong.

  5. Fierce Healthcare -

  6. Forbes --

    This article mostly focuses on third parties enabled by HealthIT, but not regulated.

  7. HL7 Blog

  8. Brilliance Security mag

    nothing new

  9. Business Wire -- source for some other publishers of this article