Share this page!

Keith W. Boone Profile picture
Twitter logo
15 Oct, 54 tweets, 26 min read
Read through tweet through now starting on @alissaknight's PLAYING WITH #FHIR: HACKING AND SECURING FHIR APIS report.

I'm going to read and give you my stream of consciousness as I'm reading. I'll blog about it later.

These are my notes, and the tag is #HackingFHIR
P1: "Alissa Knight has spent the last year focusing on hacking
Fast Healthcare Interoperability and Resources (FHIR) APIs,... #HackingFHIR
Yup, I read her last report on a related topic, and can attest there's a big investment in time, and her credentials are solid as a white hat hacker #HackingFHIR
Also page 1: Graphics are awesome, but also intense, and somewhat dark. There's some really solid attention to presentation #HackingFHIR
#HackingFHIR
Table of Contents is 3 pages for 14 lines of text and lots of art. Good if you like art. Speaks of attention to presentation, and good marketing. Most policy people seem to avoid art.
For context, this material is presented in the same way that we'd see a commercial marketing piece, but way better done. And it is in fact just that, but also more, the content is also likely better done b/c attention to fine detail. #HackingFHIR
It requires hard work to unflip the bozo switch (see simulationpl.com/blog/newslette…) that marketing content does for most of us. Do it. You will be glad you did. #HackingFHIR
A point that security professionals like @alissaknight will understand.

Provenance is important. When it is suspect, so is your content. Marketing content does not present good provenance.

But for others, there are many sources of provenance. Use them all. #HackingFHIR
A lot of the shit-storm that this report has kicked up stems from the marketing origin. Stop caring about that. Get the facts from it, and unhype the data. Interpret what you read, instead of just intuiting from surface presentation. #HackingFHIR
Damning summary on Page 5

“An effective kill chain in the targeting of the healthcare industry will not be of the EHR ... but in the third-party FHIR aggregators and third-party apps ... where security has been found to be flagrantly lacking." -- @alissaknight

#HackingFHIR
Someone (@ONC_HealthIT) should take note: Rushing to market can lead to dangerous inattention to security.

"My malaise grew quickly over the past six months as the healthcare industry rushed to meet regulatory deadlines ... [b/c of fines] tied to this new law."

#HackingFHIR
Supporting this work were leaders in @HL7, including
@GrahameGrieve, @johnmoehrke, Epic, @Cerner, and
@StanfordCDH. This is NOT just marketing.

#HackingFHIR
In fact, @GrahameGrieve is quoted in the report: "I want to thank Alissa Knight for shining the spotlight on our
industry's security practices. I look forward to a follow up
report where she has to work much harder to find security issues in FHIR implementations.”

#HackingFHIR
By page 10, the Providence markers have vastly improved. Bozo button successfully unflipped.

The report could have improved on that. The note on page 7 might have been moved up to page 2 before the table of contents.

#HackingFHIR
This is not about #FHIR. This is about implementations.

"Vulnerabilities discovered in this research are not
inherent to FHIR. Remember that FHIR is only a “blueprint” or framework and how it is
implemented is up to the implementor."

#HackingFHIR
4 providers, 48 apps tested. A small set, but also damning penetration numbers (100%).

Standard security testing. All in a security pro's tool-kit (for both white or black hats).

1. Static Code Analysis
2. Network Traffic Analysis
3. Behavior Analysis
4. Fuzzing

#HackingFHIR
Deep shit: Vulnerabilities in one specific mobile app for medication and prescription management allowed
me to make unauthorized changes to other patient records besides my own.

#HackingFHIR
And 100% of mobile apps were subject to #WITM (woman in the middle) attacks.

Perhaps also to MITM attacks to, but only for smart men ;-)

And 53% had hard-coded secrets (passwords) embedded in the code). WTAF?

#HackingFHIR
OK, so this is the big surprise to me. At least 25 apps made it to market without adequate security testing.
Checking for embedded tokens should be part of ANY application security scan, #HealthIT or otherwise.

This is JUST BASIC Security so far.

#HackingFHIR
"For the vulnerabilities allowing me
unauthorized access to other
patient data, I was logged in as a
patient that should have limited
scope to just my records."

I nailed that one here: motorcycleguy.blogspot.com/2021/10/respon…

But there's more @alissaknight found

#HackingFHIR
"With one patient engagement app,
the API endpoint sent me all the
patient and clinician records in its
database, indicating it was using
the mobile app to filter out just my
record."

This is unconscionable security negligence

#HackingFHIR
I cannot actually interpret the graphics on page 17 because they lack explanation. There's a standard way in research to report a) the nature of the data, and distinguish that from b) the results. It's not clear whether tables on page 17 represent a or b or both.

#HackingFHIR
I think @alissaknight should read some @EdwardTufte. The charts on page 17 clearly have been through marketing hands. The scales aren't labeled and don't make sense, the heights don't line up.

I'm hoping that later text will clarify this.

#HackingFHIR
The infographic on page 18 has same info as chart on the right of page 17.

Smaller company's apps were more likely affected, but I suspect that represents the input data set limitations, since all apps were affected.

#HackingFHIR
There's a way to present this that I've learned from my MBI program through @OHSUInformatics. This research report would have benefitted in reporting in that fashion. Sure, use cool graphics, but present the expected material in the expected order.

#HackingFHIR
I'd love to ask @williamhersh to grade this as if he were grading a research report, based solely on expected content (not formatting or style). It would be lucky to get a C. That doesn't mean the content in this report is bad. Far from it.

#HackingFHIR
I got a D in geometry in 10th grade not because I couldn't come up with the right answer, but because I always skipped the (to me) obvious steps. This report does that too.

#HackingFHIR
We know that 4 healthcare institutions and 48 apps were tested, but how many companies? And how many apps from the same company? There has to be at least 4, and at most 46 (though unlikely), probably somewhere around 25-ish. But that number is not reported yet.

#HackingFHIR
Why is that important? Because I cannot interpret the results without understanding the population behind the data for the results being reported. If you report on quantities (or percentiles) for companies, you need to give me N for companies.

#HackingFHIR
On to recommendations at page 21:

This is an interesting comment:
"If there existed some formal certification body for apps, and the certification status of a given app could be programmatically verified ..."

#HackingFHIR
It's interesting because someone who spent a year hacking FHIR isn't aware of formal certification bodies for apps.

1. healthcareglobal.com/technology-and…
2. inboundwriter.com/technology/wha…
3. hon.ch/en/certificati…
4. ncbi.nlm.nih.gov/pmc/articles/P…

That's two pages of a google search.

#HackingFHIR
A day or two of research would have greatly added value to this report. How many of these Apps were HACP, HonCode certified or developed by a HITRUST certified company?

We don't know, and I suspect that @alissaknight doesn't either, a follow-up would be good.

#HackingFHIR
Same page also has a great recommendation:

"App developers should be using a
public client architecture."

Basically, treat your app as if ALL of the code is open source. And THEN secure it.

#HackingFHIR
These last two pages expose a weakness in the report. There's great data right alongside a failure to do the right research. How do I trust this report?

That's what deep reading will do for you. This isn't a peer reviewed article. But it still has good stuff.

#HackingFHIR
Dynamic client registration, mentioned at the end of this report (see datatracker.ietf.org/doc/html/rfc75…), is still a work in progress. Not in standards, but in deployment. #HealthIT is behind general IT in deployment of this kind of thing, my guess is by about 2-3 years.

#HackingFHIR
If you haven't figured it out yet, I'm having to pause for a bit in my deep reading, but should get back to it later this afternoon/evening.

#HackingFHIR
This should likely be a Condition of Certification from @ONC_HealthIT :

Require that FHIR app developers & data aggregators perform regular penetration testing that includes static & dynamic code analysis of their apps before connecting into production EHR systems.

#HackingFHIR
Sadly, it seems that others laws might need to be in place to enable @ONC_HealthIT to regulate what constitutes good security and privacy practices that might be applied by Health Information Networks as defined in 45 CFR 171.102 ecfr.gov/current/title-…
This is another interesting recommendation:

Mandate that certificate pinning
be implemented on all SMART on
FHIR mobile apps.

It makes sense when the developer controls the front and back end (See owasp.org/www-community/…)

...

#HackingFHIR
But when they don't, then what. And some other notable authorities disagree about the use of certificate pinning: digicert.com/blog/certifica…

I'm all for it where appropriate. This is where I acknowledge, I don't know the right answer, and am confused by the experts.

#HackingFHIR
Which experts do we listen to and when? And just as for doctors or lawyers, with N security professionals in the room, one is likely to get M > N opinions.

#HackingFHIR
Yes!

"Remember the chain of custody in
EHR data and the large supply
chain attack surface created by the
implementation of FHIR."

We are creating, with #FHIR, an ecosystem for #HealthIT.

That is what this report is about, and that is what is presently broken.

#HackingFHIR
An API threat management
solution that prevents data from
reaching your API endpoints unless
the request is tokenized will ...

Hmm, what does the sponsor of this effort sell?
And how does that affect the provenance of this report?

That's a part of the shit-storm.

#HackingFHIR
There, I fixed it for you:

M̲y̲ ̲s̲p̲o̲n̲s̲o̲r̲'̲s̲ T̸h̸e̸ ̸A̸p̸p̸r̸o̸o̸v̸ ̸ solution effectively prevented my malicious traffic from reaching API endpoints that I tested.

#HackingFHIR
How does the previous statement impact the provenance of the recommendations? Too much.

How does it impact the relevance of those recommendations? None at all.

Don't be surprised that it's difficult for some people to work through that cognitive dissonance.

#HackingFHIR
More good advice:

When creating different apps for
different healthcare providers,
don’t use the same database to
store the patient records for each
provider.

It will ALSO improve your application performance, and shouldn't cost you MORE for infrastructure.

#HackingFHIR
So true!

"Adversaries don’t need to attempt to
breach hospital networks in order to
get to the EHR data anymore with the
introduction of this new ecosystem of
apps and data aggregators being built
on top of them."

#HackingFHIR
Page 44: Hardcoded API Keys and AWS Keys

This is stuff that kids in middle school can crack these days. There is NO rocket science, specialized SecOps stuff needed here.

#HackingFHIR
For Appendix B through F, I will say it again:

Bind the access control restrictions associated with the original access request into your secured tokens, and use them to check access.

#HackingFHIR
For appendix G&H, I must say:

If you offer write capacity in any way, invest double or treble the effort you in securing applications.

This is where people can die as a result of unsecured data access. Threats so far have been to privacy, but this threatens life

#HackingFHIR
And I'll add to that, if your present investment is zero, the threat to your organization's capacity to survive is greater than you can bear. One caught screwup can cost you millions. The price of a decent penetration test is a 3-4 order of magnitude lower.

#HackingFHIR
To summarize, this is a good report, with a lot of good data you need to take seriously. It has some problems that make that difficult. Ignore it at your own peril.

#HackingFHIR
Understanding the report author's goals and motivations, both personal and professional is an important key in understanding how to read a report like this. In terms of COI, I think this report had two MILDLY questionable statements in 57 pages.
...
#HackingFHIR
In terms of quality, the content here, with a few small modifications, could easily make it through peer review.
I've seen worse in peer reviewed journals, and the art isn't nearly as good.

#HackingFHIR

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Keith W. Boone

Keith W. Boone Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @motorcycle_guy

Keith W. Boone Profile picture
11 Dec 20
OK, now it's time to review @AMugge's rule, more formally titled: Medicaid Program; Patient Protection and Affordable Care Act; Reducing Provider and Patient Burden by Improving Prior Authorization Processes, and Promoting Patients’ Electronic Access to Health Information for...
Medicaid Managed Care Plans, State Medicaid Agencies, CHIP Agencies and CHIP Managed Care Entities, and Issuers of Qualified Health Plans on the Federally-facilitated Exchanges; Health Information Technology Standards and Implementation Specifications
A title so long, it fills two tweets.

Simplified it's the second full length novel in the Payers on FHIR series from CMS, subtitled the Beginning of the End of EDI
Read 132 tweets
Keith W. Boone Profile picture
11 Dec 20
#NewHIPAA Proposed Privacy Rule Thread starting. These are my notes, there'll be a blog post summarizing these later. 1/??? And I'm not even going to try to count these or tag all with #NewHIPAA, I'll just keep them in this thread.

357 pages, PDF here: hhs.gov/sites/default/…
Basically this is needed because healthcare providers say "I can't do that b/c HIPAA, and patients say "yes you can", and lawyers say "but ...", and trees, we need to save some trees.

A lot of the input on this rule came from a request for information in 2018.
The big points are: Give me my damn data, and let me take notes, and do it faster, and you can get it in the form and format that you ask for, w/o having to bring umpteen forms of id, clarifying when you can be charged, changing the fee structure, making fees more transparent ...
Read 71 tweets
Keith W. Boone Profile picture
20 Mar 20
If it looks to you like the exponent on infection growth rate is increasing, you are probably right. I just looked at the 5-day LOGEST values (estimate the exponential growth based on last 5 days activity), and the rate has risen 4 out of the last 5 days. Testing just started... Image
So, this isn't scary to me YET. What it means is not that the real exponential growth rate of infection is increasing, but rather that the rate of our knowledge of exponential rate is increasing. But more testing is still needed to get the numbers to settle down ...
There's gonna be lots of numbers for the epidemiologists and hyper-mathy folks to study RE impact of testing volumes (see ) on estimates of real growth rate when this is over. I don't recall signing up for that clinical trial though.
Read 11 tweets
Keith W. Boone Profile picture
11 Mar 20
O for a Muse of FHIR, that would transcend
The brightest HL7 of invention,
A country for a stage, CEOs to act
And patients to behold the swelling scene!
#Cures #VHC
Then should the humble Posnack, like himself,
Assume the port of Mars; and at his heels,
Leash'd in like hounds, should famine, sword and fire
Crouch for employment.
#Cures

cc: @HealthIT_Policy
But pardon, and gentles all,
The flat unraised spirits that have dared
On this unworthy parchment to bring forth
So great an object: can this cockpit hold
#Cures
Read 13 tweets
Keith W. Boone Profile picture
12 Feb 19
Starting at page 221 with the regulation itself (see how I do this...I skip to the regs first, I’ll go back through the preface material later) #PatientAccess cms.gov/Center/Special…
In the following, mom is simply how I think about the phrase "Medicare Enrollee". It could be dad, uncle Fred, my buddy Glen et cetera. #PatientAccess is about the patient.
So, mom's MA organization has to provide APIs that allow her to use an app (after mom approves it) to access standardized claim data, adjudications, appeals, provider payments (remittances) and co-payments (cost-sharing) within one business day of claim processing. #PatientAccess
Read 182 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @motorcycle_guy has new unrolls!

Check out other threads from @motorcycle_guy!

Read all threads by @motorcycle_guy

:(