
Friday, March 3, 2023

#FHIR up the API Secure community

I have been invited to speak at the API Secure conference, a virtual event coming up in a few weeks. 

UPDATED: 3/14/2023 -- Here is my slide deck 

My goal is to inspire cybersecurity consulting organizations to help the FHIR community secure their implementations. The cybersecurity community is a specialty knowledge base and has specialty tools to aid with securing APIs and with proving that the API implementation is secure. This specialty knowledge is really needed by the FHIR community.

This cybersecurity community is well aware of how to secure and validate RESTful APIs; what I intend to focus on is the opportunity presented by the FHIR specification. The value of the data is well worth making sure your implementation is provably secure. Understanding how the FHIR specification defines use of REST can help focus on appropriate use and the possibility for abuse.


This event is hosted by Knight Events, as in Alissa Knight, who two years ago showed the FHIR community that there are plenty of ways in which implementers have failed to apply simple cybersecurity to their implementations of FHIR. Her research showed that there are well-done implementations, especially those of the EHR vendors.

I highly recommend those that are deploying FHIR products, especially servers but equally applications, involve cybersecurity experts. This might be a skill that you have within your organization but might not be. Even if you have cybersecurity experts, it is good to have occasional audits by other cybersecurity experts that might come with a different perspective and tools.

This is a virtual event, and Grahame and I spoke at last year's API Secure conference.

I am also working on other events, such as one by HL7 on applying cybersecurity to FHIR. I know that many are uncomfortable with talk of cybersecurity hacking and FHIR, but it is a reality. We either hack ourselves and improve our implementations, or our implementations WILL BE hacked and patient safety and privacy are harmed.

