Faites-nous part de vos impressions sur le Serveur terminologique, et aidez-nous à améliorer nos services! Vous avez jusqu’au 3 décembre 2024 pour répondre au sondage. Votre avis nous intéresse! En savoir plus >

Partager :

file Statement to the Global Community from HL7 International on the Paper "Playing with FHIR: Hacking and Securing FHIR APIs"

  • Messages : 267
il y a 3 ans 3 semaines #7271 par Joanie Harper
Dear HL7 Community,

This came to my inbox this week and I thought it would be relevant to the HL7 Canada Community.

On October 13, a white paper authored by Alissa Knight of Knight Ink, LLC was posted on Twitter . The author is considered to be a cybersecurity expert in penetration testing of APIs and applications.

The white paper, which we encourage everyone to read, can be downloaded at approov.io/for/playing-with-fhir/ and represents a continuation of a project that previously pointed out vulnerabilities in mHealth and telemedicine in the United States, a topic which should concern us all.

The white paper’s eye-catching title, “Playing with FHIR: Hacking and Securing FHIR APIs”, has led some casual readers to infer that FHIR and FHIR APIs are being faulted. With considerable diligence, the author painstakingly makes clear in the opening paragraphs and throughout that no vulnerabilities were found in the HL7 FHIR standard itself nor were any found in FHIR-based APIs from the EHRs that she tested.

Instead, the author explains that the vulnerabilities lie with the implementation of apps and by third-party FHIR aggregators. Recognizing that the title of the paper was being misinterpreted, she has since changed it to "Playing with FHIR: Hacking and Securing FHIR API Implementations.”

As such, the report makes a strong case for the new HL7 Standards Implementation Division, which is being created specifically to address concerns like these, as well as providing testing capabilities, reference servers and other resources for implementers.

As Alissa notes in her paper, “the weakest link in the security of FHIR API implementations is the last mile between the user and clinical data aggregators.”

In the coming weeks HL7 will be issuing additional statements regarding the findings of this white paper, the concerns it raises, and what can be done to implement safe and secure FHIR APIs.

For further information, please contact Wayne Kubick, HL7 International CTO.

Connexion ou Créer un compte pour participer à la conversation.

Logo d'InfoCentral

La santé numérique à votre service

 

Transformer les soins de santé au Canada grâce aux technologies de l'information sur la santé.