Research Shows FHIR APIs Have Critical Flaws

New research from Alissa Knight of Knight Ink shows critical flaws found in FHIR APIs which makes them vulnerable to abuse. In the report, Knight examined three FHIR APIs across an app ecosystem of 48 FHIR apps and APIs and aggregated her data from more than 25,000 health care providers and payers. Key findings show:

  • Three production FHIR APIs serving an ecosystem of 48 apps and APIs were tested
  • The ecosystem covered aggregated EHR data from 25,000 providers and payers
  • 4m patient and clinician records could be accessed from 1 single patient login account
  • 53% of mobile apps tested had hardcoded API keys and tokens which could be used to attack EHR APIs
  • 100% of FHIR APIs tested allowed API access to other patient’s health data using one patient’s credentials.
  • 50% of clinical data aggregators did not implement database segmentation allowing access to patient records belonging to other apps developed on their platform for other providers.
  • 100 percent of the mobile apps tested did not prevent person-in-the-middle attacks, enabling hackers to harvest credentials and steal or manipulate confidential patient data.

That’s not trivial. And Giora Engel, CEO and Cofounder, Neosec agrees:

“The regulatory requirements to expose healthcare data for patient access and payer interoperability forced a fast pace of digital transformation in many healthcare systems. Part of that transformation exposes inherent security risks. “

“The main problems that we see today are:

  1. No API inventory creates a blind spot for the security team. APIs that are not known to the security team can’t be reviewed and protected. 
  2. Implementation errors and misconfigurations
  3. Abuse of APIs – by authorized users or clients 

Visibility into the API footprint and behavior is an essential part of the digital transformation. “

I got additional commentary on this story. Saryu Nayyar, CEO, Gurucul had this to say: 

   “Healthcare software continues to be a sick child in supporting cybersecurity standards in the US.  Researchers have recently shown that the Fast Healthcare Interoperability Resources (FHIR) healthcare data standard has several flaws that can enable individual users to access many other health records.

While all software can be flawed in terms of security, we need to do a better job with our health care systems. We don’t typically subject health care software to any additional scrutiny, and it’s time that we did.  Software that is safety or security critical needs to be held to a higher standard, and health care is at the top of that list.”

Also, Doug Britton, CEO, Haystack Solutions had this to say:

   “This story highlights the growing and changing attack surface that 3rd party data aggregators bring and the difficulty with balancing security with convenience, access, and openness of data ecosystems. These factors are often fundamentally at odds with each other. Medical records are some of the most complexly regulated and prolific data types. Congressional legislation governing the treatment (e.g. security & handling) and access creates a challenging dynamic. Securing an app ecosystem may not be as straightforward as conceptualizing it may be. Even with design standards in place the very implementation creates the weak points hackers are so good at finding. These findings highlight the need to slow down access until design standards are established and tested. 

   “We also need to continue to invest in the next generation of cyber professionals who are experts at secure system design and development. We have the tools to find them. We need to get them into the fight and secure our critical infrastructure so we may realize the promise of FHIR.”

Seeing as sharing healthcare data is important these days, all parties involved need to do their parts to make sure that health care data remains secure.

Leave a Reply

%d bloggers like this: