Security researcher highlights risks in FHIR API ecosystem

This article highlights security/privacy concerns in an applications ecosystem using FHIR APIs. The headline is a bit misleading, although the article points out that the risks aren’t really FHIR risks, rather risks of opening up data access to a bunch of apps and integrators. Still, an interesting read and a good caution for all of us as we build out this kind of ecosystem in Aotearoa.

3 Likes

Thanks @john.carter.

Grahame Grieve has an interesting take on this (and some pointers to advice/frameworks) in his latest blog:

…

1 Like

A sobering read.

The critical question is “Is this an intrinsic part of the FHIR philosophy, or can the holes be plugged?”

I’d tend towards the former interpretation, as it seems you need to plug this particular hole with something the size of Ever Given.

My 2c, Dr Jo.

Hi Jo,

I think the message should be that any enterprise opening IP addresses/ports to access Web Services (or other internet traffic) needs to engage with specialist security advice and penetration testing services if they don’t have a security distributed systems person with very up to date education on team. In fact probably more than just one person, as various threats can emerge from vulnerabilities in the frameworks you rely on and are out of your control.

FHIR should be treated the same as any other REST service on the open internet - that’s what it is. Employing VPNs, and other techniques (depends on whether there are humans in the loop) may be required.

We always get a specialist to design and deploy our security strategy, and test our deployments for security vulnerabilities, and often retain them to keep infrastructure (application containers, VMs, operating systems etc) up to date to combat emerging threats.

I didn’t think any of these things are unique to FHIR…

Cheers
…

1 Like

I’ve just written about this for eHealthNews with comment from @pkjordan and Faustin Roman https://www.hinz.org.nz/news/584967/Health-apps-vulnerable-to-hacking-through-APIs.htm

2 Likes