Friday, January 20, 2023

Hacking #FHIR for the benefit of the FHIR community

I am co-chair of the HL7 Security and IHE IT-Infrastructure working groups. The dominant topic in my scope over the past 5 years has been Privacy and Security of FHIR. I have three events that are being discussed in three different organizations, each with a different audience, but all with similar needs and goals. Everyone wants to do whatever we can to help those implementing and deploying FHIR do an excellent job of securing against cyber-attack and assuring patient privacy is preserved.


HL7 is looking to develop a cybersecurity 'event' (likely virtual) that covers explaining the world of cybersecurity in FHIR, covering many of my HL7 FHIR Privacy and Security tutorial topics with expansion and hopefully some implementer explanation. Day 2 would be more hands-on, putting theory to practice, hopefully led by some who have implemented Privacy and/or Security in products. As part of Day 2 we would like to have some production-class systems available for hacking exercises.

As part of this hacking exercise, I am actively working with Alissa Knight, of past Hacking FHIR fame, to have a similar thing done at her general API cybersecurity conference -- APIsecure Conference: The world's first and only API security conference. Last year I presented; this year we want to go more hands-on. I am also working with IHE-USA/HIMSS for a similar event. Alissa has agreed to help out with the HL7 and IHE/HIMSS events.

These three hacking exercises have different audiences with different goals: the APIsecure conference audience is mature hackers that don't know FHIR, the HL7 event will be mature FHIR people that don't know hacking, and the HIMSS/IHE-USA event will be a broader audience. The goal is to enable the general cybersecurity professionals to be ready to help FHIR implementations, to help the FHIR implementers understand the need and methods, and to give the executives an understanding of the risk and potential.

These three hacking exercises need volunteer FHIR implementations (similar to Alissa's last hacking FHIR exercise). Those that offer up their systems will get details of any problems found, but the details and attribution will not be made public.  So, I am looking for vendors that have a FHIR Server implementation that are willing to provide an instance that can be put before the attackers, preferably a VM that can be restarted easily.

I am also looking for people to sign up to present or help create/review content.

The APIsecure conference is in March; the other two have no set dates at this time.

 

Wednesday, January 4, 2023

Are there open-source implementations of IHE XCA and XCPD?

Amazing how hard this is to figure out. So I asked OpenAI's ChatGPT.



Are there open-source implementations of IHE XCA and XCPD?





IHE (Integrating the Healthcare Enterprise) XCA (Cross-Community Access) is a set of standards for securely exchanging patient healthcare information across different healthcare organizations and systems. IHE XCPD (Cross-Community Patient Discovery) is a standard for finding and retrieving patient healthcare information from different systems.

There are several open-source implementations of IHE XCA and XCPD available. Some examples include:

XCA Adapter: This is an open-source implementation of the IHE XCA standard that has been developed by the University of Utah. It is written in Java and uses the HAPI library for HL7 messaging.


XCPD Adapter: This is an open-source implementation of the IHE XCPD standard that has been developed by the University of Utah. It is written in Java and uses the HAPI library for HL7 messaging.


OpenXCA: This is an open-source implementation of the IHE XCA standard that has been developed by the Open Health Tools project. It is written in Java and uses the HAPI library for HL7 messaging.


openxcpd: This is an open-source implementation of the IHE XCPD standard that has been developed by the Open Health Tools project. It is written in Java and uses the HAPI library for HL7 messaging.

These are just a few examples of open-source implementations of IHE XCA and XCPD that are available. There may be other options available as well.



are there links to that?





Certainly! Here are links to some open-source implementations of IHE XCA and XCPD that I mentioned earlier:

XCA Adapter: https://github.com/jamesagnew/xca-adapter


XCPD Adapter: https://github.com/jamesagnew/xcpd-adapter


OpenXCA: https://github.com/openhealthtools/openxca


openxcpd: https://github.com/openhealthtools/openxcpd

I hope these links are helpful! Let me know if you have any other questions.




are there others?





There may be other open-source implementations of IHE XCA and XCPD available. Here are a few additional resources that you might find helpful in your search for open-source implementations:

The IHE Wiki: This is a community-driven resource that provides information about IHE profiles, implementation guides, and technical frameworks. You can find more information about IHE XCA and XCPD, as well as links to open-source implementations, on the IHE Wiki.


Open Health Tools: This is a community of developers, users, and researchers who are working to create open-source tools and technologies for the healthcare industry. The Open Health Tools project includes several open-source implementations of IHE profiles, including XCA and XCPD.


OpenEMPI: This is an open-source enterprise master patient index (EMPI) system that has been developed as part of the IHE project. It includes support for IHE XCPD, as well as other IHE profiles such as XDS (Cross-Enterprise Document Sharing) and PIX (Patient Identifier Cross-Referencing).

I hope these resources are helpful in your search for open-source implementations of IHE XCA and XCPD. Let me know if you have any other questions.




are there links to that?





Certainly! Here are links to the resources I mentioned earlier:

The IHE Wiki: https://wiki.ihe.net/


Open Health Tools: https://www.openhealthtools.org/


OpenEMPI: https://openempi.github.io/

I hope these links are helpful! Let me know if you have any other questions.