FHIR Chat · Security Report published · Announcements

Stream: Announcements

Topic: Security Report published


Grahame Grieve (Oct 13 2021 at 22:04):

There's a new security report about FHIR API & app security problems in USA-based data aggregator systems. Media write-up: https://www.scmagazine.com/analysis/application-security/critical-flaws-found-in-interoperability-backbone-fhir-apis-vulnerable-to-abuse (not entirely accurate). Actual report: https://approov.io/for/playing-with-fhir/

Nothing found is inherent to FHIR, and it's all basic housekeeping stuff, found on the OWASP top ten list. It's not clear from the base report but at least some of the systems are subject to HIPAA, though perhaps some aren't.

I'm sure that the devs for these aggregator systems are on this forum. If it's you: clean up your house ASAP. Alissa is a white hat hacker but the black hats are coming after you today. You might consider taking your service down while you get on top of this.

Note: Congratulations to the base EHR systems, none of whom featured in this report (and not because they weren't of interest)

Grahame Grieve (Oct 13 2021 at 22:07):

follow up here: https://chat.fhir.org/#narrow/stream/179247-Security-and.20Privacy/topic/WITM

David Hay (Oct 14 2021 at 16:40):

Note that the report won't be sent to a Gmail email address - don't know why that would be. :(

Please enter your business email address. This form does not accept addresses from gmail.com.

Please change your email address to continue.

Last updated: Apr 12 2022 at 19:14 UTC