Thursday, March 21, 2024

CyberSecurity recommendation

My top recommendation is to look to experts in that field. I mostly participate in healthcare standards organizations such as HL7, IHE, and DICOM. These standards organizations focus on health informatics interoperability, they are not experts in CyberSecurity. These healthcare standards always recommend that you use standards developed by appropriate standards organizations. See the 2023 HL7 Cyber Security Event with all recordings available now. My HL7 FHIR Security and Privacy Education track.

My second top recommendation is to make it very clear that Security (and Privacy, and Safety) are risk domains. Meaning that you must manage them according to risk, not a checklist. A checklist can help you be comprehensive in your analysis, but it can't help you determine the actual risk, and it can't decide for you what level or risk you are willing to accept. I covered risk in a blog article 12 years ago, and it is still relevant.

  • I prefer NIST Cybersecurity Framework (CSF) because it is free, and it is very readable. This is a high-level roadmap for managing comprehensive cybersecurity risk.  It can be used by large and small organizations.
  • I know that some are forced to use ISO 27001 and 270002. I am okay with these, but accessibility to ISO specifications is a big problem. This is international specification, so is seen as appropriate everywhere outside the USA. There is a large number of consulting firms that can help with the implementation of this.
  • In the USA the HITRUST organization, although expensive, has a crosswalk of all the cybersecurity frameworks; and a methodology to record evaluation and decisions. This would be my recommendation if an organization didn't have experts on staff and needed to get started.

HITRUST and NIST are just as applicable outside the USA, but I also recognize that some see anything with a USA focus to be bad for use outside the USA.
  • For specific things like a FHIR or even a SOAP interface, is where I would add the prioritization and clarity that OWASP brings. 

Of course, we leverage other standards by security experts including IETF(https, tls, s/mime, oauth, certs), and W3C (signatures, prov, p3p, soap), ETSI (XAdES, PAdES, JAdES), NIST (AES, SHA), etc. 

What is your recommendation?

PS, sorry about the AI authored answer a few weeks ago - Give me a cyber security check list for FHIR RESTful API Systems, but you will note it is similar.

Saturday, March 2, 2024

Give me a cyber security check list for FHIR RESTful API Systems

So I asked Gemini, googles latest AI...

Cyber Security Checklist for FHIR RESTful API Systems

FHIR (Fast Healthcare Interoperability Resources) is a standard for healthcare data exchange. It is important to secure FHIR RESTful API systems to protect sensitive patient data. Here is a checklist to help you secure your FHIR API system:

Authentication and Authorization

  • Implement strong authentication: Use a standard like OAuth 2.0 or OpenID Connect to authenticate users and clients. This will help to ensure that only authorized users and applications can access the API.
  • Implement authorization: Use a fine-grained authorization system to control what users and applications can do with the API. This includes what data they can access, what operations they can perform, and what resources they can create, read, update, and delete.
  • Use strong passwords: Enforce strong password policies for all users. This includes requiring a minimum password length, complexity requirements, and regular password changes.

Data Security

  • Encrypt data at rest and in transit: Use strong encryption algorithms to protect patient data at rest and in transit. This will help to prevent unauthorized access to the data, even if it is intercepted.
  • Mask sensitive data: Mask sensitive data, such as Social Security numbers and credit card numbers, before returning it from the API. This will help to prevent unauthorized disclosure of the data.
  • Implement logging and auditing: Log all API access attempts, including successful and failed attempts. This will help you to track who is accessing the API and what they are doing.

Other Security Measures

  • Keep software up to date: Regularly update your FHIR server software and any other software that is used to access the API. This will help to fix security vulnerabilities that could be exploited by attackers.
  • Perform regular security assessments: Regularly assess the security of your FHIR API system to identify and fix any vulnerabilities.
  • Monitor for suspicious activity: Monitor your FHIR API system for suspicious activity, such as unauthorized access attempts or unusual data access patterns.

By following these recommendations, you can help to secure your FHIR RESTful API system and protect sensitive patient data.

Additional points to consider:

  • Rate limiting: Implement rate limiting to prevent denial-of-service attacks.
  • Input validation: Validate all input to the API to prevent malicious attacks, such as SQL injection attacks.
  • Error handling: Handle errors gracefully and avoid returning sensitive information in error messages.
  • Security awareness: Train your staff on the importance of security and how to protect patient data.

By following these recommendations, you can help to ensure the security of your FHIR RESTful API system and protect sensitive patient data.