1upHealth wins Stage 2 of ONC Secure API Server Showdown Challenge

Agency picks start-up for finding security vulnerabilities and hacking into a FHIR server, says Gajen Sunthara.


Boston-based 1upHealth is the Stage 2 winner of the Office of the National Coordinator for Health IT’s Secure API Server Showdown Challenge, designed to address the potential security vulnerabilities of servers using HL7’s emerging Fast Healthcare Interoperability Resources (FHIR) standard.

In Stage 1 of ONC’s challenge, technology and analytics firm Asymmetrik developed an open source FHIR server based on current industry technical standards, best practices, and recently issued healthcare-specific technical requirements for security.

In Stage 2, 1upHealth then hacked into Asymmetrik's FHIR server to find security vulnerabilities that a malicious attacker could exploit and to identify ways to harden the server and improve its overall security.

“Stage 2 was all about how to figure out how to lock down the FHIR server,” says Gajen Sunthara, co-founder of 1upHealth, who notes that his company has developed its own secure FHIR API server. “We found vulnerabilities in Asymmetrik’s FHIR server, and that’s how we won this challenge.”

Sunthara adds that the purpose of such “ethical” hacking is to uncover previously unknown system vulnerabilities—a practice that the Department of Defense has successfully instituted with similar hackathon events.


According to 1upHealth, all the vulnerabilities discovered in the FHIR server’s code specifically involved the OAuth2 (authorization framework) implementation.

“Developers should not build their own OAuth2 implementation,” warned 1upHealth on their website. “Use something open source or an API gateway off the shelf. Those solutions have been battle tested by thousands of people. The FHIR server logic is only a small part of the full security model. Most of the security should be in the first layer, which doles out keys to access data like the OAuth2 implementation.”

1upHealth has posted the code it used to hack into Asymmetrik's FHIR server on GitHub for public use.

“As a result of this challenge, a unique open-source FHIR implementation using JavaScript, Node.js and MongoDB is now available for industry developers to build upon,” according to ONC. “This implementation meets the security technical requirements as specified in the Argonaut Data Query Implementation Guide Version 1.0.0.”

In March, 1upHealth was also announced as a Phase 2 winner in ONC's Health Data Provenance Challenge. Data provenance is the ability to trace and verify who created a piece of information and when, how it has been used or moved among different data sources, and how it has been modified over its lifecycle as it has been exchanged.

ONC issued that challenge to industry to promote the use of data provenance by health IT systems in an effort to help identify erroneous information while improving data accuracy and ultimately patient safety. 1upHealth’s winning solution leveraged FHIR and blockchain technology.
