Friday, January 20, 2023

Hacking #FHIR for the benefit of the FHIR community

I am co-chair of the HL7 Security, and IHE IT-Infrastructure working groups. The dominant topic in my scope over the past 5 years has been Privacy and Security of FHIR.  I have three events that are being discussed in three different organizations, each with a different audience, but all with similar needs and goal. Everyone wants to do whatever we can do to help those implementing and deploying FHIR to do an excellent job at securing from cyber-attack, and assuring patient privacy is preserved.

HL7 is looking to develop a cybersecurity 'event' (likely virtual) that covers explaining the world of cybersecurity in FHIR, covering many of my HL7 FHIR Privacy and Security tutorial topics with expansion and hopefully some implementer explanation. Day 2 would be more hands-on, putting theory to practice, hopefully lead by some who have implemented Privacy and/or Security in products. As part of Day 2 we would like to have some production class systems available for hacking exercises.

As part of this hacking exercise, I am actively working with Alissa Knight, of past Hacking FHIR fame, to have a similar thing done at her general API cybersecurity conference -- APIsecure Conference: The world's first and only API security conference. Last year I presented, this year we want to go more hands-on.  I am also working with IHE-USA/HIMSS for a similar event.  Alissa has agreed to help out with the HL7 and IHE/HIMSS events.

These three hacking exercises do have different audiences with different goals, where the APIsecure conference are mature hackers that don't know FHIR, the HL7 event will be mature FHIR people that don't know hacking, and the HIMSS/IHE-USA will be a broader audience. The goal is to enable the general cybersecurity professionals to be ready to help FHIR implementations, the FHIR implementers to understand the need and methods, and the executives an understanding of the risk and potential.

These three hacking exercises need volunteer FHIR implementations (similar to Alissa's last hacking FHIR exercise). Those that offer up their systems will get details of any problems found, but the details and attribution will not be made public.  So, I am looking for vendors that have a FHIR Server implementation that are willing to provide an instance that can be put before the attackers, preferably a VM that can be restarted easily.

I am also looking for people to sign up to present or help create/review content.

The APIsecure conference is in March; the other two have no set dates at this time.


No comments:

Post a Comment