This morning I presented to the India FHIR-Connectathon on the topic:
Mantras for Secure FHIR Development
The slides are available as a Google Slides deck. Summarized below:
Alissa Knight -- White Hat Hacker
The New Healthcare Ecosystem will depend on FHIR APIs, but are They Secure?
My reaction
Grahame’s reaction
- EHRs are doing a good job of securing their FHIR implementations
- FHIR is good and worthy
- There is room for improvement in some implementations
- The report includes recommended improvements.
Media Hype
- The report explicitly notes that no vulnerabilities were found or are documented in the EHR FHIR implementations themselves.
- Nevertheless, lots of vulnerabilities were found. All of them are very basic housekeeping issues, well covered by the OWASP Top Ten risks.
- Many media outlets did not get the facts right at all, or even the overall impression.
- Don’t trust the media, read the report
Basic failure to secure
- Resource-Server not enforcing scopes in the OAuth token
  - The attacker changes the URL (e.g. the Patient id parameter)
  - Given a read-only token, able to change data (change a medication of another patient)
- Client/Server architecture where all data is sent to the Client
  - A Patient Engagement App… the client was being used by a Patient on the Patient’s computer
- Resource-Server not validating tokens
  - Intercept a legitimate client app request, extract the OAuth token, and put that token into a request from your own client. So enforce timeouts and refresh cycles
- Clients with hardcoded API keys in the app
  - Not hard for a hacker to decompile your app and find keys
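The first two findings above (scopes not enforced, Patient id changed in the URL, writes accepted on a read-only token) all come down to one missing check on the resource server. The following is an added illustration, not code from the slides, from Alissa Knight’s report, or from any EHR; it assumes SMART App Launch style scope strings (`patient/Medication.read`, `user/*.write`, and so on) and a constructed `Token` object standing in for an already signature-checked OAuth access token:

```python
"""
Minimal SMART-on-FHIR style authorization decision for a FHIR resource server.
Added illustration; the Token/Request layouts are constructed stand-ins, the
scope grammar follows the SMART App Launch convention (context/Resource.action).
"""
from __future__ import annotations
from dataclasses import dataclass
import time

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
CONTEXTS = {"patient", "user", "system"}
ACTIONS = {"read", "write", "*"}


@dataclass
class Token:
    scopes: set[str]        # scopes the authorization server actually granted
    patient: str | None     # launch/patient context bound to the token, if any
    exp: float              # expiry as a UNIX timestamp


@dataclass
class Request:
    method: str             # HTTP method of the FHIR interaction
    resource_type: str      # e.g. "Medication"
    patient_id: str | None  # patient compartment the request reaches into (from the URL or resource subject)


def parse_scope(scope: str):
    """'patient/Observation.read' -> ('patient', 'Observation', 'read'); None if malformed."""
    try:
        context, rest = scope.split("/", 1)
        resource, action = rest.split(".", 1)
    except ValueError:
        return None
    if context not in CONTEXTS or action not in ACTIONS:
        return None
    return context, resource, action


def authorize(token: Token, request: Request, now: float | None = None):
    """Return (allowed, reason). Default deny: a request is allowed only if some
    granted scope explicitly covers the resource, the action and the patient."""
    now = time.time() if now is None else now
    if now >= token.exp:
        return False, "token expired"
    needed = "write" if request.method.upper() in WRITE_METHODS else "read"
    for scope in token.scopes:
        parsed = parse_scope(scope)
        if parsed is None:
            continue                      # unknown scope strings grant nothing
        context, resource, action = parsed
        if resource not in ("*", request.resource_type):
            continue
        if action not in ("*", needed):
            continue                      # read-only scope never satisfies a write
        if context == "patient":
            # Patient-scoped token: the request must stay inside the token's own
            # patient compartment, whatever Patient id the caller put in the URL.
            if token.patient is None or request.patient_id != token.patient:
                continue
        return True, f"allowed by scope {scope}"
    return False, f"no granted scope permits {needed} on {request.resource_type} for patient {request.patient_id}"


if __name__ == "__main__":
    # Constructed demo: a patient-context, read-only token for patient p-123.
    tok = Token(scopes={"patient/Medication.read"}, patient="p-123", exp=time.time() + 600)
    print(authorize(tok, Request("GET", "Medication", "p-123")))   # allowed
    print(authorize(tok, Request("GET", "Medication", "p-999")))   # URL tampering, denied
    print(authorize(tok, Request("PUT", "Medication", "p-123")))   # write on read scope, denied
```

The decision is default-deny and depends on the server binding the patient context to the token at issue time; a server that trusts the `patient` parameter from the URL instead of the token’s own context reproduces exactly the failure the report describes.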
Hack yourself before someone else does it for you
- Your API or App will be attacked; better that you prepare
- Look to cybersecurity experts: this is both a skill and an attitude
- There are recommendations, e.g. from OWASP: https://www.owasp.org/
- Don’t assume tokens are valid; don’t assume the token authorizes the request
- Audit log everything, and regularly inspect the logs for deviations
- Provide a way for vulnerabilities to be reported
  - Methods: https://securitytxt.org/, https://dnssecuritytxt.org/, or https://disclose.io/
  - Expect issues to be reported, and be prepared (first response matters!)
- OAuth and TLS have Best Current Practices written by experts
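"Audit log everything and inspect the logs for deviations" is easier to say than to operationalize. The script below is an added example, not part of the talk or of any product; it reviews a constructed audit log (the line format is invented for this illustration) and flags three patterns that correspond to the failures above: one token used from more than one client address (the replayed-token case), one token reaching into an unusually large number of patient compartments, and a client collecting repeated authorization denials (scope probing). The thresholds are placeholders to be tuned per deployment.

```python
"""
Audit-log review for a FHIR resource server: surfaces deviations worth a look.
Added illustration with a constructed log format; tokens appear only as an
opaque id (never the bearer token itself).
Fields: timestamp tok=<id> ip=<client> METHOD ResourceType patient=<id> <status>
"""
from collections import defaultdict

# Constructed sample lines for the example.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z tok=a1 ip=203.0.113.5 GET Medication patient=p-123 200
2024-05-01T10:00:04Z tok=a1 ip=203.0.113.5 GET Observation patient=p-123 200
2024-05-01T10:02:10Z tok=a1 ip=198.51.100.9 GET Medication patient=p-123 200
2024-05-01T10:03:00Z tok=b2 ip=203.0.113.7 GET Patient patient=p-201 200
2024-05-01T10:03:01Z tok=b2 ip=203.0.113.7 GET Patient patient=p-202 403
2024-05-01T10:03:02Z tok=b2 ip=203.0.113.7 GET Patient patient=p-203 403
2024-05-01T10:03:03Z tok=b2 ip=203.0.113.7 GET Patient patient=p-204 403
2024-05-01T10:03:04Z tok=b2 ip=203.0.113.7 GET Patient patient=p-205 403
"""


def parse_line(line: str) -> dict:
    """Split one audit line into its fields (raises ValueError on a malformed line)."""
    ts, tok, ip, method, resource, patient, status = line.split()
    return {
        "ts": ts,
        "token": tok.removeprefix("tok="),
        "ip": ip.removeprefix("ip="),
        "method": method,
        "resource": resource,
        "patient": patient.removeprefix("patient="),
        "status": int(status),
    }


def review(log_text: str, max_patients_per_token: int = 3, max_denials_per_client: int = 3):
    """Return a list of (finding, subject, evidence) tuples for an analyst to triage."""
    ips_per_token = defaultdict(set)
    patients_per_token = defaultdict(set)
    denials_per_client = defaultdict(int)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        ips_per_token[e["token"]].add(e["ip"])
        patients_per_token[e["token"]].add(e["patient"])
        if e["status"] == 403:
            denials_per_client[e["ip"]] += 1

    findings = []
    # A bearer token presented from two different clients suggests the token was
    # captured and replayed; short lifetimes and refresh cycles limit the window.
    for tok, ips in ips_per_token.items():
        if len(ips) > 1:
            findings.append(("token_reused_from_multiple_clients", tok, sorted(ips)))
    # A single token wandering across many patient compartments is a lead, not a
    # verdict: legitimate for a clinician's user-scoped token, suspicious for a
    # patient-scoped one, so the threshold should depend on the token's context.
    for tok, pts in patients_per_token.items():
        if len(pts) > max_patients_per_token:
            findings.append(("token_touching_many_patients", tok, sorted(pts)))
    # Repeated 403s from one client look like someone walking Patient ids to see
    # what the server lets through; the denials mean the scope check is working.
    for ip, n in denials_per_client.items():
        if n >= max_denials_per_client:
            findings.append(("repeated_authorization_denials", ip, n))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Run as-is it reports all three findings from the constructed log. In production the same logic would run over the server’s real AuditEvent stream, with the patient-count threshold keyed to the token’s context (patient, user or system) rather than a single global value.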
Questions are welcome
HHS 405(d) Aligning Health Care Industry Security Approaches
https://405d.hhs.gov/public/navigation/home
I know nothing about this group
Health-ISAC Inc. (H-ISAC, Health Information Sharing and Analysis Center), is a global, non-profit, member-driven organization offering healthcare stakeholders a trusted community and forum for coordinating, collaborating and sharing vital physical and cyber threat intelligence and best practices with each other.
https://h-isac.org/
Thanks John for the info in the comments. Very useful