Contest Aims to Improve Health Data Exchange SecurityIn Search of a Security Component for the New FHIR Standard
A new standard, Health Level 7 Fast Healthcare Interoperability Resources, or FHIR, is designed to help ease the exchange of health data among healthcare organizations across the nation. But there's one problem: The standard lacks a strong security component.
See Also: Threat Intelligence - Hype or Hope?
That's why federal regulators have launched a competition to devise ways to enhance security for FHIR. The application programming interface is designed to improve interoperability of electronic health records systems.
ONC is inviting interested stakeholders to build secure FHIR servers using current industry standards and best practices, according to a blog by Steve Posnack, director of the office of standards and technology at the Office of the National Coordinator for Health IT. It's offering prizes totaling $50,000.
"Ultimately, the challenge aims to identify unknown security vulnerabilities in the way open source FHIR servers are implemented, and will result in a hardened code base from which all stakeholders can benefit as they deploy FHIR servers in the future," Posnack writes.
FHIR is a standardized way to exchange health information "that's similar to the way we experience using the internet," Posnack explains. FHIR is not a security protocol, nor does it define any security related functionality, he points out, "so it needs to be paired with appropriate security standards when it comes to deploying, for example, a production-grade FHIR server.
"Thankfully, many security standards already exist for web services and can be applied to FHIR," Posnack adds. Those include "the Argonaut Project's Data Query Implementation Guide, being deployed by many health IT developers, [which] points to the SMART APP Authorization Guide for its security layer."
Posnack adds: "Implementing security in health IT is necessary, and some of the specifications are not for the faint-hearted, but it's important that the industry gets as much experience as possible when deploying secure, FHIR servers."
Since it was first released by HL7 in 2014 as a draft standard for trial use, interest in FHIR has been gaining steam in the healthcare sector, especially as regulators have been pushing for advancing interoperability that allows diverse health IT systems and applications to exchange data.
"FHIR is suitable for use in a wide variety of contexts - mobile phone apps, cloud communications, electronic health record-based data sharing, server communication in large institutional healthcare providers, and much more," according to healthcare standards group HL7, which created FHIR.
FHIR is also seen as promising for tackling challenges ranging from providing patients with access to their own data to patient record matching, some experts note (see Patient Data Matching: Privacy Challenges).
Still, the increase in the exchange of health data brings with it more risks.
"With the current environment, where a number of data breaches have caused both reputational and real harm to patients and customers, security is now top of mind for handling of patient data," says Mitch Parker, executive director of information systems at Indiana University Health.
"It needs to be addressed as part of the overall management process for FHIR because any vulnerability which results in a breach of data will [result in] a loss of confidence in interoperability," he says.
Among the security challenges with APIs are issues of "trust" as it relates to identity, notes another security expert, who asked not to be named. Those issues, however, won't necessarily be addressed by the ONC competition, the expert says, adding that a contest might not be an optimal way to engage "qualified engineers" to tackle the problems.
But Parker hopes the ONC competition results in "desired outcomes" that include an "emphasis on the vulnerability management process as part of the management of electronic medical records systems and a more secure standard for interchange of data across disparate EMR systems that improves efficiency and patient care and provides value to both the provider and patient."
ONC says its Secure API Server Showdown Challenge includes two stages.
"In Stage 1, participants will each develop and submit for judging a secured FHIR server. Three winning servers will be chosen to advance to Stage 2, where they will face teams of security-minded people vying to find security vulnerabilities."
At the end of the challenge, the winning servers' source code from Stage 1 must be made publicly and openly available, along with a list of all confirmed security vulnerabilities discovered during Stage 2. "Through this transparent process and outcome, we encourage stakeholders to step up and update the published code to further harden each server's code base," Posnack writes.
What's In FHIR, Anyway?
Security expert Dixie Baker, senior partner at the consultancy Martin, Blanck and Associates and former chair and member of several ONC advisory panels for health IT standards, says it's important to understand that FHIR is "an HL7 interoperability standard that seeks to achieve a simple, consistent means of exchanging healthcare information - resources."
FHIR is built on the concept of simplicity, she says. "All exchangeable content is defined as a 'resource' that is defined and represented in a consistent way, that shares a common set of metadata, and that includes a human-readable part. From a security perspective, simplicity is good, as complexity is the breeding ground for vulnerabilities."
The FHIR specifications identify four mechanisms for exchanging FHIR resources, the most popular of which is through RESTful APIs, she notes. REST, which stands for Representational State Transfer, "is a simple and widely implemented means of exchanging resources over the web," Baker explains. "The security risks inherent in any RESTful exchange need to be addressed when implementing RESTful APIs for exchanging FHIR resources."
Communications links need to be secured using TLS, or transport layer security, she adds. "The identity of exchange entities needs to be authenticated, and the requested access needs to be mediated and authorized. Authentication and authorization over RESTful exchanges most commonly are achieved using the OAuth 2.0 standard," she says.
"Security-relevant actions need to be recorded in an audit trail, and an accounting of disclosures needs to be maintained," Baker notes. A critical component in these exchanges is the OAuth 2.0 authorization server, and the rules it enforces - which need to be carefully defined with respect to the resource holder's security and privacy policies, she explains.
"The ONC announcement seems to recognize what FHIR offers to healthcare exchange and that the primary security vulnerabilities are likely to lie in the OAuth 2.0 authorization server, and not in FHIR," she points out. "As the ONC announcement notes, a discussion of security risks that must be addressed when implementing FHIR exchanges is available on HL7's FHIR site. Most of the risks discussed are not FHIR-specific, but applicable to a broad spectrum of information exchanges."