Friday, December 10, 2021

Mantras for Secure FHIR Development

This morning I presented to the India FHIR-Connectathon on the topic:

Mantras for Secure FHIR Development

The slides are available as a Google Slides deck. Summarized below:

Alissa Knight -- White Hat Hacker

The New Healthcare Ecosystem will depend on FHIR APIs, but are They Secure?

My reaction
  1. EHRs are doing a good job of securing their FHIR implementations
  2. FHIR is good and worthy
  3. There is room for improvement in some implementations
  4. The report includes recommended improvements.
Grahame’s reaction
  1. The report explicitly notes that no vulnerabilities were found or are documented in the EHR FHIR implementations themselves.
  2. Nevertheless, lots of vulnerabilities were found. All of them are very basic house-keeping issues, well covered in the OWASP Top Ten risks.
Media Hype
  1. Many media outlets did not get the facts right at all, or even the general impression
  2. Don’t trust the media, read the report

Basic failure to secure

  1. Resource-Server not enforcing the scopes in the OAuth token
    • The attacker changes the URL (e.g. the Patient id parameter) and gets another patient's data
    • Given a read-only token, the attacker is able to change data (e.g. change a medication of another patient)
  2. Client/Server architecture where all data is sent to the Client
    • A Patient Engagement App… the client was being used by a Patient on the Patient's own computer, so everything sent to the client was exposed to that user
  3. Resource-Server not validating tokens
    • Intercept a legitimate client app request, extract the OAuth token, and put that token into a request from a hacking client. So validate tokens, and enforce timeouts and refresh cycles
  4. Clients with hardcoded API keys in the app
    • It is not hard for an attacker to decompile your app and find the keys

Hack yourself before someone else does it for you

  • Your API or App will be attacked; better that you prepare
  • Look to cybersecurity experts - this is both a skill and an attitude
  • There are recommendations from groups such as OWASP
  • Don’t assume tokens are valid, and don’t assume a valid token authorizes the request
  • Audit Logging of everything, and regularly inspect the logs for deviations
  • Provide a way for Vulnerabilities to be reported
  • OAuth and TLS have Best Current Practices written by experts
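Failures 1 and 3 under "Basic failure to secure", and the "don't assume tokens are valid, don't assume the token authorizes the request" point above, come down to one piece of resource-server logic: validate the presented token, then check that its scopes actually cover this method, resource type and patient. The Python below is an added illustration of that logic, not code from the slides, the Knight report, or any FHIR server. It assumes HS256 (shared-secret) JWTs with `scope`, `patient`, `aud` and `exp` claims, SMART on FHIR v1-style scope syntax (`patient/Observation.read`), and a constructed audience URL and signing key; a real deployment typically uses RS256 with the authorization server's public keys and may carry patient context outside the access token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Constructed example values: the shared key, audience and claim layout are
# assumptions made for this illustration, not values from any real server.
SIGNING_KEY = b"example-shared-secret-not-for-production"
FHIR_AUDIENCE = "https://fhir.example.org"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a signed token; stands in for the authorization server."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_token(token: str, key: bytes = SIGNING_KEY, now: Optional[float] = None) -> dict:
    """Failure 3: never trust a presented token. Check alg, signature, expiry and audience."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":          # refuses 'none' and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")     # an edited payload fails here
    claims = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")     # short lifetimes bound replay of a stolen token
    if claims.get("aud") != FHIR_AUDIENCE:
        raise ValueError("wrong audience")
    return claims


def parse_scopes(scope_str: str) -> List[Tuple[str, str, str]]:
    """'patient/Observation.read user/*.write' -> [(context, resource, access), ...]."""
    out = []
    for scope in scope_str.split():
        if "/" not in scope or "." not in scope:   # skips openid, launch/patient, etc.
            continue
        ctx, rest = scope.split("/", 1)
        resource, access = rest.rsplit(".", 1)
        if ctx in ("patient", "user", "system") and access in ("read", "write", "*"):
            out.append((ctx, resource, access))
    return out


def authorize(claims: dict, method: str, resource_type: str, patient_id: Optional[str]) -> bool:
    """Failure 1: the token must authorize *this* method, resource type and patient."""
    needed = "read" if method in ("GET", "HEAD") else "write"
    for ctx, resource, access in parse_scopes(claims.get("scope", "")):
        if resource not in ("*", resource_type) or access not in ("*", needed):
            continue
        if ctx == "patient":
            # Patient-context scope: the patient in the URL must be the one the
            # token was issued for; a swapped id in the URL is not authorized.
            if patient_id is None or patient_id != claims.get("patient"):
                continue
        # user/ and system/ scopes are left to the server's own access rules here
        return True
    return False


def check_request(token: str, method: str, resource_type: str,
                  patient_id: Optional[str], now: Optional[float] = None) -> Tuple[int, str]:
    """Gate a FHIR request: 401 for an invalid token, 403 for an unauthorized one."""
    try:
        claims = validate_token(token, now=now)
    except ValueError as err:
        return 401, str(err)
    if not authorize(claims, method, resource_type, patient_id):
        return 403, "token does not authorize this request"
    return 200, "ok"


if __name__ == "__main__":
    issued = time.time()
    token = make_token({"scope": "patient/Observation.read patient/MedicationRequest.read",
                        "patient": "pat-123", "aud": FHIR_AUDIENCE, "exp": issued + 600})
    print(check_request(token, "GET", "Observation", "pat-123"))        # (200, 'ok')
    print(check_request(token, "GET", "Observation", "pat-456"))        # (403, ...): swapped patient id
    print(check_request(token, "PUT", "MedicationRequest", "pat-123"))  # (403, ...): read-only token
```

The two 403 cases at the bottom are exactly the first failure above: a valid, unexpired token that simply does not cover the patient in the URL or the write being attempted. Rejecting them is the resource server's job; the authorization server cannot do it for you.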

Questions are welcome


  1. HHS 405(d) Aligning Health Care Industry Security Approaches

  2. I know nothing about this group

    Health-ISAC Inc. (H-ISAC, Health Information Sharing and Analysis Center), is a global, non-profit, member-driven organization offering healthcare stakeholders a trusted community and forum for coordinating, collaborating and sharing vital physical and cyber threat intelligence and best practices with each other.

  3. Thanks John for the info in the comments. Very useful