FHIR storm erupts over scary vulnerabilities in third-party apps
In the real world, Australia and New Zealand began to put into action their respective roadmaps out of lockdown this week as vaccination numbers rose to much hoped-for levels. However, in the somewhat obscure world of health IT standards, a quite remarkable report was released late last week that has stimulated a firestorm of debate over the basic security of healthcare data.
Las Vegas-based cybersecurity analyst, former hacker and content creator Alissa Knight – who, going by her bio and her Knight Ink business description, is surely destined to be the subject of a novel one day, if not a pretty cool movie – released the second phase of a year-long research project she has undertaken into the basic security of apps and aggregators drawing data from FHIR APIs linked to electronic medical records and other patient record databases.
Using what she says are pretty basic techniques, Ms Knight revealed that she was able to find “pervasive server-side authentication and authorization vulnerabilities” in FHIR APIs that allowed her to access over four million records just using her own patient login.
Even more scarily, in what she says is a widely deployed medication app she was not only able to read prescription information but to change the actual dosage. Hacking a patient engagement app allowed her to access the patient and clinician records in its entire database.
“100% of the FHIR mobile apps tested did not have protections against woman-in-the-middle (WITM) attacks enabling hackers to harvest credentials and steal or manipulate confidential patient data,” she writes. “100% of FHIR APIs tested allowed API access to other patients' health data using one patient's credentials.”
Ms Knight is at pains to point out there is no problem with the FHIR standard itself, and she believes that the security of EMR platforms is quite good. (She specifically thanks chief information security officers from Cerner and Epic in helping her with the research.) The big problem, she says, is with the implementation of FHIR APIs by third-party app developers and clinical data aggregators, who are often not using standard security processes.
“My work in this area is not to disparage the hard work of [FHIR’s] creators, but of what can go wrong when it isn’t implemented properly – a shift left and shield right approach to cybersecurity,” she says.
There are a couple of good plain-English reports outlining the research for non-tech folk – see stories in Fiercehealthcare and SC Magazine – and if you’d like to read a synopsis of the research and the full report – you really should – you can ask for a free download here.
There has been intense discussion of this report not just in the FHIR and healthcare IT community but on cybersecurity forums in general, particularly in the US, where the Health Insurance Portability and Accountability Act (HIPAA) has real regulatory clout.
FHIR creator Grahame Grieve blogged last week that while it was clear no vulnerabilities were found in the EHR FHIR implementations themselves, a lot of vulnerabilities were found in third-party apps nonetheless. All of these vulnerabilities, he said, could easily be solved by compliance with the OWASP Top 10 list for developers and web application security.
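To make the two headline findings concrete (one patient's credentials reading another patient's records, and a read-only app rewriting a dose), here is an added example of the flaw and its fix in a toy FHIR resource server. This is illustrative code written for this article, not code from Ms Knight's report, from any app she tested or from the FHIR project. It assumes, hypothetically, that the access token is a set of SMART on FHIR claims already validated upstream (a `patient` launch context plus a space-separated `scope` string) and that resources sit in an in-memory dictionary; the records and token are constructed sample data. The vulnerable handlers check only that a token exists, which is exactly the access-control gap on the OWASP Top 10 that Grieve points to; the fixed handlers also check the granted scope and confine every read, search and update to the token's own patient compartment.

```python
"""Toy FHIR resource server: the server-side authorization flaw the report describes,
beside a fixed version. Added example, not code from the report, FHIR or any vendor.
Hypothetical assumptions: tokens are SMART on FHIR access-token claims already validated
upstream (a `patient` launch context plus space-separated `scope`); resources live in an
in-memory dict keyed by resource type and id."""
import copy

def new_store():
    """Constructed sample data: records for two patients, each tied to its
    patient compartment by the `subject` reference."""
    def obs(i, p, v):
        return {"resourceType": "Observation", "id": i,
                "subject": {"reference": f"Patient/{p}"},
                "code": {"text": "HbA1c"}, "valueQuantity": {"value": v, "unit": "%"}}
    return {
        "Observation": {"obs-1": obs("obs-1", "p-1", 6.1), "obs-2": obs("obs-2", "p-2", 8.4)},
        "MedicationRequest": {"mr-2": {
            "resourceType": "MedicationRequest", "id": "mr-2",
            "subject": {"reference": "Patient/p-2"},
            "medicationCodeableConcept": {"text": "warfarin"},
            "dosageInstruction": [{"doseAndRate": [{"doseQuantity": {"value": 5, "unit": "mg"}}]}]}},
    }

# Constructed token: validated claims for an app acting for patient p-1, read-only scopes.
TOKEN_P1 = {"sub": "user-1", "patient": "p-1",
            "scope": "patient/Observation.read patient/MedicationRequest.read"}

class ApiError(Exception):
    def __init__(self, status):
        super().__init__(f"HTTP {status}")
        self.status = status

# ---- Vulnerable: authentication only; no scope or object-level check ----
def read_vulnerable(store, token, rtype, rid):
    if not token:                          # "is there a token?" is the only gate
        raise ApiError(401)
    res = store[rtype].get(rid)
    if res is None:
        raise ApiError(404)
    return res                             # any patient's record, by guessable id

def update_vulnerable(store, token, rtype, rid, body):
    if not token:
        raise ApiError(401)
    store[rtype][rid] = body               # a read-only token can rewrite a dose
    return body

# ---- Fixed: scope check plus patient-compartment check on every access ----
def _require_scope(token, rtype, action):
    granted = token.get("scope", "").split()
    if f"patient/{rtype}.{action}" not in granted and f"patient/*.{action}" not in granted:
        raise ApiError(403)

def _in_compartment(token, res):
    return res.get("subject", {}).get("reference") == f"Patient/{token['patient']}"

def read(store, token, rtype, rid):
    if not token:
        raise ApiError(401)
    _require_scope(token, rtype, "read")
    res = store[rtype].get(rid)
    if res is None or not _in_compartment(token, res):
        raise ApiError(404)                # same answer for "missing" and "not yours"
    return res

def search(store, token, rtype, patient=None):
    if not token:
        raise ApiError(401)
    _require_scope(token, rtype, "read")
    if patient is not None and patient != token["patient"]:
        raise ApiError(403)                # a client-supplied ?patient= cannot widen the compartment
    return [r for r in store[rtype].values() if _in_compartment(token, r)]

def update(store, token, rtype, rid, body):
    if not token:
        raise ApiError(401)
    _require_scope(token, rtype, "write")
    existing = store[rtype].get(rid)
    if existing is None or not _in_compartment(token, existing):
        raise ApiError(404)
    if body.get("id") != rid or body.get("subject") != existing["subject"]:
        raise ApiError(400)                # an update may not re-home the resource
    store[rtype][rid] = copy.deepcopy(body)
    return store[rtype][rid]

def status_of(fn, *args):
    """HTTP status the call would produce (200 on success); replays the findings."""
    try:
        fn(*args)
        return 200
    except ApiError as e:
        return e.status

if __name__ == "__main__":
    s, t = new_store(), TOKEN_P1
    dose50 = copy.deepcopy(s["MedicationRequest"]["mr-2"])
    dose50["dosageInstruction"][0]["doseAndRate"][0]["doseQuantity"]["value"] = 50
    print("vulnerable cross-patient read:", status_of(read_vulnerable, s, t, "Observation", "obs-2"))
    print("vulnerable dose change:       ", status_of(update_vulnerable, s, t, "MedicationRequest", "mr-2", dose50))
    print("fixed cross-patient read:     ", status_of(read, s, t, "Observation", "obs-2"))
    print("fixed dose change:            ", status_of(update, s, t, "MedicationRequest", "mr-2", dose50))
```

Two design points are worth noting. The fixed `read` answers 404 for both a missing record and another patient's record, so an attacker enumerating ids learns nothing about which exist. And the fixed `search` refuses rather than silently rewriting a mismatched `?patient=` parameter, which makes the attempt visible in the server logs rather than quietly degrading it.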
Closer to home, the other big story this week concerned moves by the two leading online appointment booking services, HotDoc and HealthEngine, to capitalise on the huge interest in their platforms precipitated by the coronavirus pandemic. HealthEngine has been around for a long time and, despite a few legal and PR hiccups in recent years, has always had good technology and held the market-leading position in the early years.
HealthEngine is now kicking some big goals in the pharmacy appointment space, signing up big banner groups like TerryWhiteChemmart, and this week it scored an even bigger coup with Sigma Healthcare to roll out its patient appointment management solution in Amcal and Guardian chemists. The company is also gearing up for a public float, reinforcing current views that there is some good money in technology stocks at the moment. The Australian Financial Review is touting it could list for a market cap of $100 million.
(By the way, HealthEngine also insists to Pulse+IT that despite a lot of industry chatter, it is most definitely not going to take one of the big GP practice management system vendors to court for anti-competitive behaviour over preferred partner arrangements.)
HotDoc, which we think is now the market leader in the GP space, is also going great guns. It has received a lot of consumer interest during the pandemic for its agility in listing vaccine appointments, and it has also tied up a deal with specialist medical practice software vendor Genie Solutions to handle specialist bookings. The AFR says it is looking to raise $30 million in a Series D raise, usually the last step before a public float, and we are confident it will get there.
That brings us to our poll question for the week:
Should all healthcare organisations offer online bookings?
Vote here or leave your comments below.
In our poll last week we asked: are the vaccination passports being rolled out going to be a help or a hindrance? Most said they’d be a help (64 per cent v 36 per cent). Here are some of the reasons why.