FHIR storm erupts over scary vulnerabilities in third-party apps

In the real world, Australia and New Zealand began to put into action their respective roadmaps out of lockdown this week as vaccination numbers rose to much hoped-for levels. However, in the somewhat obscure world of health IT standards, a quite remarkable report was released late last week that has stimulated a firestorm of debate over the basic security of healthcare data.

Las Vegas-based cybersecurity analyst, former hacker and content creator Alissa Knight – who, going by her bio and her Knight Ink business description, is surely destined to become the subject of a novel one day, if not a pretty cool movie – has released the second phase of a year-long research project into the basic security of apps and aggregators drawing data from FHIR APIs linked to electronic medical records and other patient record databases.

Using what she says are pretty basic techniques, Ms Knight revealed that she was able to find “pervasive server-side authentication and authorization vulnerabilities” in FHIR APIs that allowed her to access over four million records just using her own patient login.

Even more scarily, she was able to show that she could access information in what she says is a widely deployed medication app and was not only able to read the prescription information, but to change the actual dosage. Hacking a patient engagement app allowed her to access the patient and clinician records in its whole database.

“100% of the FHIR mobile apps tested did not have protections against woman-in-the-middle (WITM) attacks enabling hackers to harvest credentials and steal or manipulate confidential patient data,” she writes. “100% of FHIR APIs tested allowed API access to other patient's health data using one patient's credentials.”

Ms Knight is at pains to point out that there is no problem with the FHIR standard itself, and she believes the security of the EMR platforms is quite good. (She specifically thanks the chief information security officers of Cerner and Epic for helping her with the research.) The big problem, she says, lies in the implementation of FHIR APIs by third-party app developers and clinical data aggregators, who are often not following standard security processes.

“My work in this area is not to disparage the hard work of [FHIR’s] creators, but of what can go wrong when it isn’t implemented properly – a shift left and shield right approach to cybersecurity,” she says.

There are a couple of good plain-English reports outlining the research for non-tech folk – see stories in Fiercehealthcare and SC Magazine – and if you’d like to read a synopsis of the research and the full report – you really should – you can ask for a free download here.

There has been intense discussion about this report not just in the FHIR and healthcare IT community but on cybersecurity forums in general, particularly in the US, where the Health Insurance Portability and Accountability Act (HIPAA) has real regulatory clout.

FHIR creator Grahame Grieve blogged last week that while no vulnerabilities were found in the EHR FHIR implementations themselves, a lot of vulnerabilities were nonetheless found in third-party apps. All of them, he said, could easily be avoided by compliance with the OWASP Top 10 list for developers and web application security.
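The authorization gap the report describes (one patient's valid credentials being accepted as permission to read any record named in the request) is what OWASP calls broken access control. The following is an added illustration, not code from the report, Knight Ink, HL7 or any EMR vendor; it assumes a SMART on FHIR style access token carrying a `patient` claim for the patient it was issued to, and the sample resources and function names are constructed for the example.

```python
# Added example: server-side object-level authorization for FHIR reads.
# Assumption: the token has already been validated and carries a `patient`
# claim (SMART on FHIR launch context) naming the patient it belongs to.
from typing import Any, Dict, Optional

# Constructed FHIR R4-shaped resources belonging to two different patients.
PATIENT_A = {"resourceType": "Patient", "id": "a-001"}
PATIENT_B = {"resourceType": "Patient", "id": "b-002"}
RX_FOR_B = {
    "resourceType": "MedicationRequest",
    "id": "rx-9",
    "subject": {"reference": "Patient/b-002"},
    "dosageInstruction": [{"text": "10 mg daily"}],
}
ORPHAN_OBS = {"resourceType": "Observation", "id": "obs-1"}  # no subject at all


def patient_compartment(resource: Dict[str, Any]) -> Optional[str]:
    """Return the Patient id a resource belongs to, or None when that is unclear."""
    if resource.get("resourceType") == "Patient":
        return resource.get("id")
    ref = resource.get("subject", {}).get("reference", "")
    prefix = "Patient/"
    if ref.startswith(prefix):
        return ref[len(prefix):]
    return None  # owner unknown: fail closed rather than guess


def vulnerable_read(token: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """The flawed pattern: authentication is checked, object-level authorization is not."""
    return bool(token.get("active"))


def authorized_read(token: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Hardened: the record must sit in the compartment of the token's own patient."""
    if not token.get("active"):
        return False
    owner = patient_compartment(resource)
    return owner is not None and owner == token.get("patient")


if __name__ == "__main__":
    token_a = {"active": True, "patient": "a-001"}  # constructed token for patient A
    for res in (PATIENT_A, PATIENT_B, RX_FOR_B, ORPHAN_OBS):
        print(res["resourceType"], res["id"],
              "vulnerable:", vulnerable_read(token_a, res),
              "hardened:", authorized_read(token_a, res))
```

The same compartment check belongs on writes (the dosage change in the report is an update, not a read) and on search results, where every returned entry must pass it before the bundle is assembled.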

Closer to home, the other big story this week concerned moves by the two leading online appointment booking services, HotDoc and HealthEngine, to capitalise on the huge interest in their platforms precipitated by the coronavirus pandemic. HealthEngine has been around for a long time and, despite a few legal and PR hiccups in recent years, has always had good technology and held the market-leading position in the early years.

HealthEngine is now kicking some big goals in the pharmacy appointment space, signing up big banner groups like TerryWhiteChemmart, and this week it scored an even bigger coup with Sigma Healthcare to roll out its patient appointment management solution in Amcal and Guardian chemists. The company is also gearing up for a public float, reinforcing current views that there is some good money in technology stocks at the moment. The Australian Financial Review is touting it could list for a market cap of $100 million.

(By the way, HealthEngine also insists to Pulse+IT that despite a lot of industry chatter, it is most definitely not going to take one of the big GP practice management system vendors to court for anti-competitive behaviour over preferred partner arrangements.)

HotDoc, which we think is now the market leader in the GP space, is also going great guns. It has received a lot of consumer interest during the pandemic for its agility in listing vaccine appointments, and it has also tied up a deal with specialist medical practice software vendor Genie Solutions to handle specialist bookings. The AFR says it is looking to raise $30 million in a Series D raise, usually the last step before a public float, and we are confident it will get there.

That brings us to our poll question for the week:

Should all healthcare organisations offer online bookings?

Vote here or leave your comments below.

In our poll last week we asked: are the vaccination passports being rolled out going to be a help or a hindrance? Most said they’d be a help (64 per cent v 36 per cent). Here are some of the reasons why.


Kate McDonald 2021-10-29 12:21
Most respondents agreed with our question: 71 per cent said yes, 29 per cent said no. We also asked an optional question of whether the benefits outweigh the costs. Here’s what you thought:

- Yes

- Healthcare needs to catch up with most other sectors of the economy that offer online bookings and transactions.

- Patient choice is a very positive benefit in health along with streamlining business practices

- Yes

- Decreasing friction to seeing a clinician is important

- In today's age and technology where many patients like to have that autonomy of seeing what appointments are available based on their own availability, and also not wanting to hold on a call while the admin attends to them or checks on the availability, it's important to have online booking options. It might not be for everyone as many still like to talk to someone or are not tech savvy enough to do this.

- I think people having to make bookings online will lead to more accountability, i.e. people turn up for appointments! The booking would have to have caveats noted, e.g. if you do not attend and don't give 3 days' notice, your appointment unfortunately will be cancelled. A booking cannot be rescheduled for another 3 months unless you contact us within the nominated timeframe; this will allow equity of access for others on our wait list.

- There is definitely a lot of interest from customers/patients to be able to book online without having to call and speak to someone. From their perspective, if they can book online with the hairdresser, gym session or Uber, why can't they do the same with a healthcare organisation?

- 1000% - Patients are ultimately consumers, and access to healthcare services at the time the consumer wants will be increasingly critical for healthcare businesses that wish to thrive into the future. The average Australian patient's expectations around the level of experience they should receive when trying to transact with their preferred healthcare providers have risen and continue to rise rapidly as technology is more widely adopted by providers. Covid has increased this momentum significantly. If you as a healthcare business don't provide patients the 24/7 access and experiences they want for their money (or the government's/insurance provider's money), you'll get left behind. It's like any other retailer that doesn't offer the ability to pay by credit card; that's almost non-existent now. Online bookings for healthcare (all healthcare) will be exactly the same in time.

- Yes my experience in dental practice was patients like it as they can make appointments when they come home say after dinner even though the clinic is closed

- Yes

- No

- NO

- It is a significant time and money cost factor in healthcare delivery

- Probably

- Yes

- Definitely. Giving people the ability to choose times that suit them, plus allowing for notification of cancelled appointments and rescheduling, is all done by a system, not a person, which is a huge timesaver and much better for consumer satisfaction

- Yes

- Yes, consumer experiences

- yes

- In most instances, yes. Offering online bookings has the knock-on effect that aggregator tools can "see" area availabilities, a type of Discovery for computers, which is otherwise near impossible to acquire

- The majority of customers like the sense of control they have over appointments. They'll likely choose a service based on ease of interaction.

- Not for my niche practice. I am booked out, with closed books.

Copyright © 2022 Pulse+IT Communications Pty Ltd