FHIR Chat · Security vulnerabilities · social

Stream: social

Topic: Security vulnerabilities


Ward Weistra (May 01 2019 at 16:46):

Where would someone go with a possible observation on security vulnerabilities? Someone on Twitter is wondering: https://twitter.com/Klose7/status/1123604634671534081
Maybe https://www.hl7.org/fhir/security.html could have a suggestion on that.

Lloyd McKenzie (May 01 2019 at 16:54):

Submit a change request is probably best - http://gforge.hl7.org/gf/project/fhir/tracker/?action=TrackerItemAdd&tracker_id=677

John Moehrke (May 01 2019 at 17:13):

It very much depends on what software has the vulnerability. One would need to report to the owner of that software. It matters not that the software has implemented FHIR.

John Moehrke (May 01 2019 at 17:16):

Unless the question is about a 'best practice'... such as the CapabilityStatement published by the software has a CapabilityStatement.contact that would indicate who should be notified when a vulnerability is found in that software. This kind of a recommendation could be added to the security page as an FAQ.

Josh Mandel (May 02 2019 at 03:08):

I pushed on HL7 to define a vuln reporting process a few years back (https://smarthealthit.org/2014/04/ehr-security-vulnerability-reporting/ and this story leading up to it)

Josh Mandel (May 02 2019 at 03:09):

Though I don't remember where it landed and http://www.hl7.org/search/index.cfm?q=report%20security%20vulnerability doesn't illuminate.

Ward Weistra (May 02 2019 at 06:55):

I see John has already taken it up on Twitter. Thanks for the replies!

John Moehrke (May 02 2019 at 13:22):

But do you think I hit the point? I am concerned that there is a point I may be missing, as security is a very broad topic.

John Moehrke (May 02 2019 at 13:24):

> I pushed on HL7 to define a vuln reporting process a few years back (https://smarthealthit.org/2014/04/ehr-security-vulnerability-reporting/ and this story leading up to it)

@Josh Mandel do you think my recommendation is a solution? That is to use the FHIR CapabilityStatement.contact as a method of knowing to whom a vulnerability should be reported? The other centralized alternative is through CVE, but that is considered something one should do after giving the owner/vendor time to react.

Josh Mandel (May 02 2019 at 13:34):

For a given FHIR server, having some contact seems fine, and definitely a great start -- it might be good to have a specific annotation as a security contact, and/or a reporting link. https://www.microsoft.com/en-us/msrc/faqs-report-an-issue is a good example showing a link to a form, and also best practices like a PGP key for encrypting reports if/when desired.

John Moehrke (May 02 2019 at 14:03):

YES, that would be a good addition... In addition to a mention on the security pages...

Jenni Syed (May 02 2019 at 14:15):

Since HL7 now publishes the SMART standard, it's also possible they're talking about something in there

Jenni Syed (May 02 2019 at 14:15):

Will be interested to see what the response is.


Last updated: Apr 12 2022 at 19:14 UTC