FHIR Chat · What? Impossible! · social

Stream: social

Topic: What? Impossible!

David Pyke (Oct 13 2021 at 19:40):

https://www.scmagazine.com/analysis/application-security/critical-flaws-found-in-interoperability-backbone-fhir-apis-vulnerable-to-abuse

David Pyke (Oct 13 2021 at 19:40):

"While the report found that the EHR platforms examined in the study had good security in place, third-party clinical data aggregators and mobile apps were a completely different story: with “widely systemic” vulnerabilities that allowed access to EHR data.

The report makes it clear that the vulnerabilities aren’t inherent to FHIR, rather, it’s how the blueprint is implemented as it’s up to the developer."

John Moehrke (Oct 13 2021 at 20:04):

Everyone should take note. Alissa did this research to make FHIR security better. She did this research by invitation, and in full visibility to those she researched. This was not an attempt to bring down FHIR services and apps, but rather to challenge them to be better. Alissa is very skilled, but so are many others that will follow, and they will be looking to take advantage.

Chris Moesel (Oct 13 2021 at 20:53):

For those who are interested, here is a 45 minute video of the corresponding presentation at DEF CON 29: https://securityboulevard.com/2021/10/def-con-29-biohacking-village-alissa-knights-and-mitch-parkers-playing-with-fhir/

Alissa Knight (Oct 13 2021 at 22:56):

Thanks everyone for posting links to my actual research report here and presentation at Defcon29. Unfortunately, there is some misinformation being spread on this, so I appreciate the links to what I actually said in my report. :+1:


Last updated: Apr 12 2022 at 19:14 UTC