Statement to the Global Community from HL7 International on the Paper "Playing with FHIR: Hacking and Securing FHIR APIs"

2 years 4 months ago #7272 by Joanie Harper
Dear HL7 Community,

This came to my inbox this week and I thought it would be relevant to the FHIR Implementations Community.

On October 13, a white paper authored by Alissa Knight of Knight Ink, LLC was posted on Twitter. The author is considered to be a cybersecurity expert in penetration testing of APIs and applications.

The white paper, which we encourage everyone to read, can be downloaded at approov.io/for/playing-with-fhir/ and represents a continuation of a project that previously pointed out vulnerabilities in mHealth and telemedicine in the United States, a topic which should concern us all.

The white paper’s eye-catching title, “Playing with FHIR: Hacking and Securing FHIR APIs”, has led some casual readers to infer that FHIR and FHIR APIs are being faulted. With considerable diligence, the author painstakingly makes clear in the opening paragraphs and throughout that no vulnerabilities were found in the HL7 FHIR standard itself nor were any found in FHIR-based APIs from the EHRs that she tested.

Instead, the author explains that the vulnerabilities lie with the implementation of apps and by third-party FHIR aggregators. Recognizing that the title of the paper was being misinterpreted, she has since changed it to "Playing with FHIR: Hacking and Securing FHIR API Implementations."

As such, the report makes a strong case for the new HL7 Standards Implementation Division, which is being created specifically to address concerns like these, as well as providing testing capabilities, reference servers and other resources for implementers.

As Alissa notes in her paper, “the weakest link in the security of FHIR API implementations is the last mile between the user and clinical data aggregators.”

In the coming weeks HL7 will be issuing additional statements regarding the findings of this white paper, the concerns it raises, and what can be done to implement safe and secure FHIR APIs.

For further information, please contact Wayne Kubick, HL7 International CTO.
