Comments on Healthcare Exchange Standards: RESTful search using POST vs GET on #FHIR
Blog author: John Moehrke (http://www.blogger.com/profile/04526719420117446030)
Comment feed last updated: 2024-03-28T01:46:02-05:00

----------------------------------------------------------------------
Anonymous, 2022-11-02T07:27:32-05:00

It's not just about securing logs. Often patients have the right to have their data removed/right to be forgotten. Removing such data from logs could be a real pain. IMO it's much better to ensure sensitive data is not logged at all. PHI should be in a database, not in a log, not even when that log is secured.

----------------------------------------------------------------------
John Moehrke, 2022-06-25T09:28:36-05:00

Nice detailed article that explains deeper than I did: https://medium.com/@robert.broeckelmann/http-post-vs-get-is-one-more-secure-for-use-in-rest-apis-2469753121b0

----------------------------------------------------------------------
John Moehrke, 2022-06-24T06:48:34-05:00

As noted on LinkedIn, the CVE for this situation is https://cwe.mitre.org/data/definitions/598.html

----------------------------------------------------------------------
Anonymous, 2022-06-23T21:55:00-05:00

The biggest challenge is that too many developers accept application defaults, which put the contents of GET in more widely available and frequently inadequately protected access logs. Which means that GET is riskier, not due to properly secured systems, but due to common security failures in systems that could and should be better secured. Tomcat, Apache and IIS out-of-the-box configs OFTEN log the GET content, but not the POST. And those access logs are controlled by the server used by the application, rather than the application.

"Install this cool app as a WAR in your web application server" implies the customer takes responsibility for web application server security. Many don't really know how.

Security by default suggests: use POST b/c people screw things up sometimes.

----------------------------------------------------------------------
Grahame Grieve, 2022-06-22T15:44:51-05:00

I agree, but the way people are fixed to this speaks to a lack of confidence in managing log access. Which is typically true for general web servers, but cannot be true for servers handling PHI / clinical data.