Security Vulnerabilities in FHIR implementations
Oct 13, 2021

There’s a new report out that finds lots of security vulnerabilities in FHIR implementations, both client and server. This is useful work from Alissa Knight - thanks.
Unfortunately, the media write-up isn’t entirely accurate:

> In fact, every tested FHIR app enabled API access to patient health data belonging to other individuals. And over 60% of the tested apps and APIs had flaws that enabled unauthorized access to data outside of the authorized users’ scope.
In fact, the report explicitly notes that no vulnerabilities were found or are documented in the EHR FHIR implementations themselves. That’s reassuring, and it deserves more notice than it has had.
Nevertheless, lots of vulnerabilities were found. All of them are very basic house-keeping stuff well covered in the OWASP top ten risks. All of them are things we’ve talked about in the FHIR project, and agreed that OWASP handles them well, so we don’t need to say anything about them. And indeed, if you’re handling patient data, you need to do this stuff, and get it right.
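As an added illustration of the kind of housekeeping the report found missing (this code is not from the post, the report, or any FHIR server; the token fields, function names and sample resources are my own assumptions), here is the object-level authorization check a patient-facing FHIR endpoint needs before it returns a resource. It shows the two failure classes the write-up quotes, returning another patient’s data and honouring a request outside the granted scope, beside a deny-by-default version that checks the SMART-style scope and then the patient compartment of the resource:

```python
"""Object-level authorization for a patient-facing FHIR read.

Added example, not from the blog post or the report. Scope strings follow
the SMART App Launch v1 convention (e.g. "patient/Observation.read") and the
"patient" launch context carries the id the token is bound to. All resources
below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Which element places a resource in a patient compartment (subset, for illustration).
PATIENT_REFERENCE_FIELD = {
    "Patient": None,  # the patient resource itself
    "Observation": "subject",
    "Condition": "subject",
    "MedicationRequest": "subject",
    "AllergyIntolerance": "patient",
}


@dataclass
class TokenContext:
    """What the authorization server granted: scopes plus the patient launch context."""
    scopes: Set[str]
    patient: Optional[str] = None


def scope_allows(scopes: Set[str], resource_type: str, action: str) -> bool:
    """True if a granted patient/<Type>.<read|write|*> scope covers the action.

    Only patient/ scopes are honoured because this is the patient-facing path;
    malformed scopes are ignored rather than treated as a grant.
    """
    for s in scopes:
        try:
            context, rest = s.split("/", 1)
            rtype, perm = rest.split(".", 1)
        except ValueError:
            continue
        if context != "patient":
            continue
        if rtype not in ("*", resource_type):
            continue
        if perm in ("*", action):
            return True
    return False


def resource_patient_id(resource: dict) -> Optional[str]:
    """Return the id of the patient a resource belongs to, or None if it cannot be determined."""
    rtype = resource.get("resourceType")
    if rtype not in PATIENT_REFERENCE_FIELD:
        return None
    if rtype == "Patient":
        return resource.get("id")
    ref = resource.get(PATIENT_REFERENCE_FIELD[rtype], {}).get("reference", "")
    return ref[len("Patient/"):] if ref.startswith("Patient/") else None


Store = Dict[Tuple[str, str], dict]


def vulnerable_read(store: Store, token: TokenContext, rtype: str, rid: str) -> Optional[dict]:
    """The pattern the report describes: the token is valid, so whatever id the
    client asked for is returned. Neither scope nor compartment is checked."""
    return store.get((rtype, rid))


def authorized_read(store: Store, token: TokenContext, rtype: str, rid: str) -> Optional[dict]:
    """Hardened read: scope check first, then object-level (compartment) check.

    Deny by default: a resource that cannot be attributed to the token's patient
    is withheld, and a miss looks the same as a denial so ids cannot be
    enumerated through the response.
    """
    if not scope_allows(token.scopes, rtype, "read"):
        return None
    resource = store.get((rtype, rid))
    if resource is None:
        return None
    owner = resource_patient_id(resource)
    if token.patient is None or owner != token.patient:
        return None
    return resource


# Constructed sample store: two patients, one observation each.
SAMPLE_STORE: Store = {
    ("Patient", "p1"): {"resourceType": "Patient", "id": "p1"},
    ("Patient", "p2"): {"resourceType": "Patient", "id": "p2"},
    ("Observation", "o1"): {"resourceType": "Observation", "id": "o1",
                            "subject": {"reference": "Patient/p1"}},
    ("Observation", "o2"): {"resourceType": "Observation", "id": "o2",
                            "subject": {"reference": "Patient/p2"}},
}

# Constructed token: app launched for p1, granted read on Patient and Observation.
TOKEN_P1 = TokenContext(scopes={"patient/Patient.read", "patient/Observation.read"}, patient="p1")

if __name__ == "__main__":
    print("vulnerable, other patient's observation:", vulnerable_read(SAMPLE_STORE, TOKEN_P1, "Observation", "o2"))
    print("hardened,   other patient's observation:", authorized_read(SAMPLE_STORE, TOKEN_P1, "Observation", "o2"))
    print("hardened,   own observation:            ", authorized_read(SAMPLE_STORE, TOKEN_P1, "Observation", "o1"))
```

The point of the hardened path is that a valid token is necessary but not sufficient: every read is tied back to the patient the token was issued for, and a scope that names the resource type is required even then. In a real server the same check has to cover search results, `_include` chains and Bundle entries, not just direct reads.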
All the vulnerabilities were found in the aggregated data space. What isn’t clear to me from reading the report is on which side of the fence the vulnerabilities were found: on the institution side, where the data is shared by the care provider with the aggregator and the system is covered by HIPAA and business associate agreements, or on the patient side, where the patient got the data directly from the provider and then shared it with an aggregator?
That makes a real difference, because the second space is generally covered only by the FTC, and provider institutions cannot block sharing data with the patient, or make it conditional on patients only sharing it with their approved 3rd party handlers. That means that any security issues in systems that patients share their data with are not the provider’s problem. But on the HIPAA side… a big deal.
Nevertheless, several people have contacted me concerned that this report will help delay the provision of data to patients because of the catch-all ‘security concerns’, just the way that HIPAA - the **portability** act - is used as a catch-all reason to prevent data portability.
I have thought for a while that additional regulation is needed over 3rd party aggregators that get their data from the patient. Viewed in isolation, who cares what they get from the patient? - it’s the patient’s business. But viewed at amazonian scale… they’re suddenly a significant player, and regulation will be needed at many levels to deal with their systemic impact.