Playing with FHIR? Don't get burned, white-hat hacker cautions

At the HIMSS Healthcare Cybersecurity Forum, consultant Alissa Knight discussed the findings of her recent white paper, which explores vulnerabilities in FHIR API implementations.
By Kat Jercich
03:29 PM

Alissa Knight at the HIMSS Healthcare Cybersecurity Forum

Photo: HIMSS Media

This October, cybersecurity expert Alissa Knight released a white paper in partnership with API threat protection vendor Aproov exploring how healthcare's so-called last mile remains vulnerable to attacks.

The report, "Playing With FHIR," was "the largest unveiling of vulnerabilities in the history of the healthcare industry since the first electronic healthcare system came online in the 1960s," said Knight in her keynote at the HIMSS Healthcare Cybersecurity Forum on Monday. (HIMSS is Healthcare IT News' parent company.)  

And its release, she noted, made an appropriately large splash.  

"While extremely controversial, [the white paper] was a much-needed red pill for the healthcare industry on the clear and present danger in what can happen when a FHIR implementation isn't properly secured," she said.  

"Congratulations, this is the very last presentation of this research," Knight added with a smile, explaining that she's ready to move on to other explorations. "'Playing With FHIR' has been over a year of my life, and it's time to close the chapter on that."  

For the report, Knight tested three production FHIR APIs, which served an ecosystem of 48 apps and APIs. All told, the ecosystem covered aggregated electronic health record data from 25,000 providers and payers.  

Knight's report, she explained, found that 4 million patient and clinician records could be accessed from a single patient login account. Furthermore, 53% of the tested mobile apps had hard-coded API keys and tokens, which could be used to attack EHR APIs.  

"It's 2021, and we're still hard-coding … it's a real problem, we need to stop doing it," she said.   

"If there are any developers in the audience: Stop hardcoding API keys and tokens in the apps, especially ones that grant you access to an API as the only authentication." She added: "If you're going to do it, definitely obfuscate the code. Don't make it so easy."  

Knight also found that 100% of FHIR APIs tested allowed API access to other patients' health data using one patient's credentials. And, she said, half of clinical data aggregators did not implement database segmentation.  

So, what can developers and decision-makers do to ensure their API implementations are secure? 

Knight laid out a few options:  

  • Hack your own APIs and apps via penetration testing – before bad actors do.
  • Authenticate and authorize traffic.
  • Implement zero-trust architecture and "woman-in-the-middle" protections. 
  • Find an API threat management tool that allows observability.
  • Prevent tool-generated traffic.  

Knight emphasized the importance of securing patient information, which is permanent and lifelong. 

"We are talking about people's patient data, which is worth 1,000 times more on the dark web than a U.S. credit card number," she said.   

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.