Read-through tweet thread now starting on @alissaknight's PLAYING WITH #FHIR: HACKING AND SECURING FHIR APIS report.

I'm going to read and give you my stream of consciousness as I'm reading. I'll blog about it later.

These are my notes, and the tag is #HackingFHIR
P1: "Alissa Knight has spent the last year focusing on hacking Fast Healthcare Interoperability and Resources (FHIR) APIs,... #HackingFHIR
Yup, I read her last report on a related topic, and can attest there's a big investment in time, and her credentials are solid as a white hat hacker #HackingFHIR
Also page 1: Graphics are awesome, but also intense, and somewhat dark. There's some really solid attention to presentation #HackingFHIR
#HackingFHIR
Table of Contents is 3 pages for 14 lines of text and lots of art. Good if you like art. Speaks of attention to presentation, and good marketing. Most policy people seem to avoid art.
For context, this material is presented in the same way that we'd see a commercial marketing piece, but way better done. And it is in fact just that, but also more, the content is also likely better done b/c attention to fine detail. #HackingFHIR
It requires hard work to unflip the bozo switch (see simulationpl.com/blog/newslette…) that marketing content does for most of us. Do it. You will be glad you did. #HackingFHIR
A point that security professionals like @alissaknight will understand.

Provenance is important. When it is suspect, so is your content. Marketing content does not present good provenance.

But for others, there are many sources of provenance. Use them all. #HackingFHIR
A lot of the shit-storm that this report has kicked up stems from the marketing origin. Stop caring about that. Get the facts from it, and unhype the data. Interpret what you read, instead of just intuiting from surface presentation. #HackingFHIR
Damning summary on Page 5

“An effective kill chain in the targeting of the healthcare industry will not be of the EHR ... but in the third-party FHIR aggregators and third-party apps ... where security has been found to be flagrantly lacking." -- @alissaknight

#HackingFHIR
Someone (@ONC_HealthIT) should take note: Rushing to market can lead to dangerous inattention to security.

"My malaise grew quickly over the past six months as the healthcare industry rushed to meet regulatory deadlines ... [b/c of fines] tied to this new law."

#HackingFHIR
Supporting this work were leaders in @HL7, including @GrahameGrieve, @johnmoehrke, Epic, @Cerner, and @StanfordCDH. This is NOT just marketing.

#HackingFHIR
In fact, @GrahameGrieve is quoted in the report: "I want to thank Alissa Knight for shining the spotlight on our industry's security practices. I look forward to a follow up report where she has to work much harder to find security issues in FHIR implementations."

#HackingFHIR
By page 10, the provenance markers have vastly improved. Bozo button successfully unflipped.

The report could have improved on that. The note on page 7 might have been moved up to page 2 before the table of contents.

#HackingFHIR
This is not about #FHIR. This is about implementations.

"Vulnerabilities discovered in this research are not inherent to FHIR. Remember that FHIR is only a "blueprint" or framework and how it is implemented is up to the implementor."

#HackingFHIR
4 providers, 48 apps tested. A small set, but also damning penetration numbers (100%).

Standard security testing. All in a security pro's tool-kit (for both white and black hats).

1. Static Code Analysis
2. Network Traffic Analysis
3. Behavior Analysis
4. Fuzzing

#HackingFHIR
Deep shit: Vulnerabilities in one specific mobile app for medication and prescription management allowed me to make unauthorized changes to other patient records besides my own.

#HackingFHIR
And 100% of mobile apps were subject to #WITM (woman in the middle) attacks.

Perhaps also to MITM attacks too, but only for smart men ;-)

And 53% had hard-coded secrets (passwords) embedded in the code. WTAF?

#HackingFHIR
OK, so this is the big surprise to me. At least 25 apps made it to market without adequate security testing.
Checking for embedded tokens should be part of ANY application security scan, #HealthIT or otherwise.

This is JUST BASIC Security so far.

#HackingFHIR
"For the vulnerabilities allowing me unauthorized access to other patient data, I was logged in as a patient that should have limited scope to just my records."

I nailed that one here: motorcycleguy.blogspot.com/2021/10/respon…

But there's more @alissaknight found

#HackingFHIR
"With one patient engagement app, the API endpoint sent me all the patient and clinician records in its database, indicating it was using the mobile app to filter out just my record."

This is unconscionable security negligence

#HackingFHIR
I cannot actually interpret the graphics on page 17 because they lack explanation. There's a standard way in research to report a) the nature of the data, and distinguish that from b) the results. It's not clear whether tables on page 17 represent a or b or both.

#HackingFHIR
I think @alissaknight should read some @EdwardTufte. The charts on page 17 clearly have been through marketing hands. The scales aren't labeled and don't make sense, the heights don't line up.

I'm hoping that later text will clarify this.

#HackingFHIR
The infographic on page 18 has same info as chart on the right of page 17.

Smaller companies' apps were more likely affected, but I suspect that represents the input data set limitations, since all apps were affected.

#HackingFHIR
There's a way to present this that I've learned from my MBI program through @OHSUInformatics. This research report would have benefited from reporting in that fashion. Sure, use cool graphics, but present the expected material in the expected order.

#HackingFHIR
I'd love to ask @williamhersh to grade this as if he were grading a research report, based solely on expected content (not formatting or style). It would be lucky to get a C. That doesn't mean the content in this report is bad. Far from it.

#HackingFHIR
I got a D in geometry in 10th grade not because I couldn't come up with the right answer, but because I always skipped the (to me) obvious steps. This report does that too.

#HackingFHIR
We know that 4 healthcare institutions and 48 apps were tested, but how many companies? And how many apps from the same company? There has to be at least 4, and at most 46 (though unlikely), probably somewhere around 25-ish. But that number is not reported yet.

#HackingFHIR
Why is that important? Because I cannot interpret the results without understanding the population behind the data for the results being reported. If you report on quantities (or percentiles) for companies, you need to give me N for companies.

#HackingFHIR
On to recommendations at page 21:

This is an interesting comment:
"If there existed some formal certification body for apps, and the certification status of a given app could be programmatically verified ..."

#HackingFHIR
It's interesting because someone who spent a year hacking FHIR isn't aware of formal certification bodies for apps.

1. healthcareglobal.com/technology-and…
2. inboundwriter.com/technology/wha…
3. hon.ch/en/certificati…
4. ncbi.nlm.nih.gov/pmc/articles/P…

That's two pages of a google search.

#HackingFHIR
A day or two of research would have greatly added value to this report. How many of these Apps were HACP, HonCode certified or developed by a HITRUST certified company?

We don't know, and I suspect that @alissaknight doesn't either; a follow-up would be good.

#HackingFHIR
Same page also has a great recommendation:

"App developers should be using a public client architecture."

Basically, treat your app as if ALL of the code is open source. And THEN secure it.

#HackingFHIR
These last two pages expose a weakness in the report. There's great data right alongside a failure to do the right research. How do I trust this report?

That's what deep reading will do for you. This isn't a peer reviewed article. But it still has good stuff.

#HackingFHIR
Dynamic client registration, mentioned at the end of this report (see datatracker.ietf.org/doc/html/rfc75…), is still a work in progress. Not in standards, but in deployment. #HealthIT is behind general IT in deployment of this kind of thing, my guess is by about 2-3 years.

#HackingFHIR
If you haven't figured it out yet, I'm having to pause for a bit in my deep reading, but should get back to it later this afternoon/evening.

#HackingFHIR
This should likely be a Condition of Certification from @ONC_HealthIT :

Require that FHIR app developers & data aggregators perform regular penetration testing that includes static & dynamic code analysis of their apps before connecting into production EHR systems.

#HackingFHIR
Sadly, it seems that other laws might need to be in place to enable @ONC_HealthIT to regulate what constitutes good security and privacy practices that might be applied by Health Information Networks as defined in 45 CFR 171.102 ecfr.gov/current/title-…

This is another interesting recommendation:

Mandate that certificate pinning be implemented on all SMART on FHIR mobile apps.

It makes sense when the developer controls the front and back end (See owasp.org/www-community/…)

...

#HackingFHIR
But when they don't, then what? And some other notable authorities disagree about the use of certificate pinning: digicert.com/blog/certifica…

I'm all for it where appropriate. This is where I acknowledge, I don't know the right answer, and am confused by the experts.

#HackingFHIR
Which experts do we listen to and when? And just as for doctors or lawyers, with N security professionals in the room, one is likely to get M > N opinions.

#HackingFHIR
Yes!

"Remember the chain of custody in EHR data and the large supply chain attack surface created by the implementation of FHIR."

We are creating, with #FHIR, an ecosystem for #HealthIT.

That is what this report is about, and that is what is presently broken.

#HackingFHIR
An API threat management solution that prevents data from reaching your API endpoints unless the request is tokenized will ...

Hmm, what does the sponsor of this effort sell?
And how does that affect the provenance of this report?

That's a part of the shit-storm.

#HackingFHIR
There, I fixed it for you:

M̲y̲ ̲s̲p̲o̲n̲s̲o̲r̲'̲s̲ T̸h̸e̸ ̸A̸p̸p̸r̸o̸o̸v̸ ̸ solution effectively prevented my malicious traffic from reaching API endpoints that I tested.

#HackingFHIR
How does the previous statement impact the provenance of the recommendations? Too much.

How does it impact the relevance of those recommendations? None at all.

Don't be surprised that it's difficult for some people to work through that cognitive dissonance.

#HackingFHIR
More good advice:

When creating different apps for different healthcare providers, don't use the same database to store the patient records for each provider.

It will ALSO improve your application performance, and shouldn't cost you MORE for infrastructure.

#HackingFHIR
So true!

"Adversaries don't need to attempt to breach hospital networks in order to get to the EHR data anymore with the introduction of this new ecosystem of apps and data aggregators being built on top of them."

#HackingFHIR
Page 44: Hardcoded API Keys and AWS Keys

This is stuff that kids in middle school can crack these days. There is NO rocket science, specialized SecOps stuff needed here.

#HackingFHIR
For Appendix B through F, I will say it again:

Bind the access control restrictions associated with the original access request into your secured tokens, and use them to check access.

#HackingFHIR
For appendix G&H, I must say:

If you offer write capacity in any way, invest double or treble the effort in securing applications.

This is where people can die as a result of unsecured data access. Threats so far have been to privacy, but this threatens life.

#HackingFHIR
And I'll add to that, if your present investment is zero, the threat to your organization's capacity to survive is greater than you can bear. One caught screwup can cost you millions. The price of a decent penetration test is 3-4 orders of magnitude lower.

#HackingFHIR
To summarize, this is a good report, with a lot of good data you need to take seriously. It has some problems that make that difficult. Ignore it at your own peril.

#HackingFHIR
Understanding the report author's goals and motivations, both personal and professional, is an important key in understanding how to read a report like this. In terms of COI, I think this report had two MILDLY questionable statements in 57 pages.
...
#HackingFHIR
In terms of quality, the content here, with a few small modifications, could easily make it through peer review.
I've seen worse in peer reviewed journals, and the art isn't nearly as good.

#HackingFHIR
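One way to implement the token-binding point made in the thread (the Appendix B through F note, and the finding where an endpoint returned every patient's records and left the filtering to the mobile app), as an added example that is not part of the thread or of Alissa Knight's report: a constructed in-memory FHIR resource server in Python that enforces the SMART on FHIR scopes and the `patient` launch context carried in the access token on every read and write, shown beside the insecure "return everything" pattern. The record store, the `TokenClaims` shape and the scope strings are constructed for illustration, and token signature verification is assumed to have already happened.

```python
"""Constructed example: an in-memory FHIR resource server that binds the SMART on FHIR
access token's patient context and scopes into every access decision. Token signature
verification is assumed to have happened before these functions are called."""
from dataclasses import dataclass

# Constructed sample data: one shared store holding two patients' records.
RECORDS = [
    {"resourceType": "Observation", "id": "obs-1", "subject": "Patient/123", "value": "A1c 6.1"},
    {"resourceType": "Observation", "id": "obs-2", "subject": "Patient/456", "value": "A1c 8.9"},
    {"resourceType": "MedicationRequest", "id": "rx-1", "subject": "Patient/123", "value": "metformin"},
]

@dataclass
class TokenClaims:
    """Decoded, signature-verified access token claims (hypothetical shape)."""
    patient: str  # SMART launch context: the one patient this token may act for
    scope: str    # e.g. "patient/Observation.read patient/MedicationRequest.rs"

def scope_allows(claims: TokenClaims, resource_type: str, action: str) -> bool:
    """True if a granted patient/ scope covers resource_type for action ("read" or "write").
    Accepts SMART v1 (.read/.write/.*) and v2 (.cruds letters) permission forms."""
    v1_ok = {"read": {"read", "*"}, "write": {"write", "*"}}[action]
    v2_letters = {"read": "r", "write": "cud"}[action]
    for granted in claims.scope.split():
        if not granted.startswith("patient/"):
            continue  # user/ and system/ scopes are not modelled here
        rtype, _, perm = granted[len("patient/"):].partition(".")
        if rtype not in (resource_type, "*"):
            continue
        if perm in v1_ok or (perm not in ("read", "write", "*") and any(c in perm for c in v2_letters)):
            return True
    return False

def insecure_search(claims: TokenClaims, resource_type: str) -> list:
    """The pattern the report describes: return every record and trust the app to filter."""
    return [r for r in RECORDS if r["resourceType"] == resource_type]

def search(claims: TokenClaims, resource_type: str) -> list:
    """Hardened read: scope check, then filter to the token's patient compartment."""
    if not scope_allows(claims, resource_type, "read"):
        raise PermissionError("insufficient_scope")
    mine = f"Patient/{claims.patient}"
    return [r for r in RECORDS if r["resourceType"] == resource_type and r["subject"] == mine]

def update(claims: TokenClaims, resource_id: str, new_value: str) -> dict:
    """Hardened write: compartment check first, and the same error for "another patient's
    record" and "no such record" so the endpoint does not confirm what exists."""
    target = next((r for r in RECORDS if r["id"] == resource_id), None)
    if target is None or target["subject"] != f"Patient/{claims.patient}":
        raise PermissionError("forbidden")
    if not scope_allows(claims, target["resourceType"], "write"):
        raise PermissionError("insufficient_scope")
    target["value"] = new_value
    return target
```

The point of the contrast is that `search` and `update` never consult anything the app sends to decide whose records are in play; the patient identity and the permitted actions come only from the token the authorization server issued.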