ONC challenges industry to build secure FHIR servers
The Office of the National Coordinator for Health Information Technology has announced a challenge to industry to address the potential security vulnerabilities of HL7’s emerging Fast Healthcare Interoperability Resources standard.
Under the Secure API Server Showdown Challenge, ONC is inviting interested stakeholders to build secure FHIR servers using current industry technical standards and best practices as well as recently issued implementation guide requirements.
“FHIR, the standard, in and of itself doesn’t have a security protocol built into it,” says Steve Posnack, director of ONC’s Office of Standards and Technology. As a result, he contends that FHIR “needs to be paired with appropriate security standards when it gets deployed in a production setting in real life.”
According to Posnack, ONC is interested in “who can develop the most secure” production-grade FHIR server by leveraging security standards that already exist for web services.
“Although OpenID and OAuth are appropriate protocols, each must be incorporated into the production server,” says HL7 CEO Chuck Jaffe, MD, who notes that the FHIR specification does not have its own security stack. “These security specifications are more complex than may first be apparent, and each developer is likely to incorporate them somewhat differently. This is certainly true regardless of the level of expertise.”
Posnack acknowledges that implementing these security standards is not for the faint of heart. “These are highly technical protocols that are complicated,” he emphasizes.
The challenge has two stages worth $50,000 in total prizes. In Stage 1, participants will develop secure FHIR servers, with three winning submissions chosen to advance to Stage 2, the vulnerability discovery stage. At the end of Stage 2, the confirmed security vulnerabilities will be made publicly available to encourage the industry to update the open source FHIR servers.
“Ultimately, the challenge aims to identify unknown security vulnerabilities in the way open source FHIR servers are implemented, and will result in a hardened code base from which all stakeholders can benefit as they deploy FHIR servers in the future,” Posnack writes in a blog post.
“The challenge will go beyond the security of a FHIR server—certainly, different implementations are likely to yield somewhat different results,” adds Jaffe. “I understand that ONC will evaluate both the efficiency and safety of the security implementation. Finally, the most well-crafted and most secure solutions will serve as reference implementations.”
Micky Tripathi, project manager of the Argonaut Project, an industry-wide effort to accelerate the development and adoption of FHIR, praised ONC’s Secure API Server Showdown Challenge.
“These kinds of challenges are a great way for ONC to use its convening power to leverage a small amount of money to spark real implementers and innovators to tackle practical problems for the benefit of the entire industry,” says Tripathi. “The ONC challenge is valuable because it will further test whether the Argonaut implementation guides have any gaps that haven’t been caught up until now, and it will also test security areas that were outside of the scope of the Argonaut Project.”
According to Tripathi, ONC points to the Argonaut implementation guide and the associated Substitutable Medical Apps, Reusable Technology (SMART) on FHIR authorization profile, which employs OAuth 2.0, an open security standard for token-based authentication and authorization.
“Though we did an external security review of the profile prior to publication, we can only benefit from having real field testing of implementations to see whether our implementation guide has any undiscovered gaps,” he adds. “More generally, however, the Argonaut work focuses on only one aspect of security related to secure authorization. There are other security areas such as end-user authentication, session time-out, security auditing, and accounting of disclosures that were outside the scope of the Argonaut implementation guides but are nevertheless important to general API server security.”
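To make concrete what the article means by pairing FHIR with an OAuth 2.0 / SMART on FHIR authorization layer, and by the extra concerns Tripathi lists (token expiry as a form of session time-out, and security auditing), here is an added example of the kind of check a FHIR server must perform on every request before it touches a resource. It is illustrative code written for this article, not code from ONC, HL7, the Argonaut Project, or any FHIR server. The `TOKENS` table is a constructed stand-in for an OAuth 2.0 authorization server's token introspection response, the fixed clock `NOW` is there to keep the example deterministic, and the function names (`authorize`, `matching_scope`, `Decision`) are invented for the example; the scope strings follow the SMART on FHIR v1 form `patient/Resource.read`.

```python
"""Illustrative SMART-on-FHIR style authorization gate in front of a FHIR server."""
from dataclasses import dataclass

# Fixed clock so the example is deterministic (assumption: a real server uses
# the current time, ideally with a small leeway for clock skew).
NOW = 1_700_000_000

# Constructed stand-in for the authorization server's introspection results.
# A production server would validate the bearer token with the OAuth 2.0
# authorization server (JWT signature or introspection endpoint), never a dict.
TOKENS = {
    "tok-valid": {"active": True, "exp": NOW + 3600, "sub": "user-1",
                  "patient": "pat-42",
                  "scope": "openid patient/Observation.read patient/Patient.read"},
    "tok-expired": {"active": True, "exp": NOW - 1, "sub": "user-2",
                    "patient": "pat-42", "scope": "patient/*.read"},
    "tok-revoked": {"active": False, "exp": NOW + 3600, "sub": "user-3",
                    "patient": "pat-42", "scope": "patient/*.*"},
}

# Map HTTP verbs onto the SMART permission a request needs.
METHOD_TO_PERM = {"GET": "read", "POST": "write", "PUT": "write", "DELETE": "write"}


@dataclass
class Decision:
    status: int   # HTTP status the server should answer with
    reason: str   # human-readable reason, also written to the audit log


def parse_scope(scope: str):
    """'patient/Observation.read' -> ('patient', 'Observation', 'read').

    Raises ValueError for scopes that are not of the SMART resource form
    (e.g. 'openid', 'launch/patient'), so callers can skip them.
    """
    context, rest = scope.split("/", 1)
    resource, perm = rest.split(".", 1)
    return context, resource, perm


def matching_scope(scopes: str, resource_type: str, perm: str):
    """Return the context ('patient' or 'user') of the first scope that
    grants `perm` on `resource_type`, honoring '*' wildcards; None if none."""
    for s in scopes.split():
        try:
            ctx, res, p = parse_scope(s)
        except ValueError:
            continue  # non-resource scope such as 'openid'; ignore it
        if res in ("*", resource_type) and p in ("*", perm):
            return ctx
    return None


def _decide(resource_type, patient_id, bearer, now, perm) -> Decision:
    if not bearer:
        return Decision(401, "missing bearer token")
    tok = TOKENS.get(bearer)
    if tok is None or not tok["active"]:
        return Decision(401, "token unknown or inactive")
    if tok["exp"] <= now:                      # token lifetime acts as a session time-out
        return Decision(401, "token expired")
    ctx = matching_scope(tok["scope"], resource_type, perm)
    if ctx is None:
        return Decision(403, f"no scope grants {perm} on {resource_type}")
    if ctx == "patient" and patient_id != tok.get("patient"):
        # A patient-context scope is confined to the patient the token was issued for.
        return Decision(403, "request outside the token's patient context")
    return Decision(200, "authorized")


def authorize(method, resource_type, patient_id, bearer, now=NOW, audit=None) -> Decision:
    """Decide whether one FHIR request may proceed and record the outcome.

    `audit` is an optional list that receives one record per decision, so that
    both allowed and denied accesses are accounted for.
    """
    perm = METHOD_TO_PERM.get(method, "write")  # unknown verbs treated as writes
    decision = _decide(resource_type, patient_id, bearer, now, perm)
    if audit is not None:
        audit.append({"ts": now, "method": method, "resource": resource_type,
                      "patient": patient_id,
                      "sub": TOKENS.get(bearer, {}).get("sub"),
                      "status": decision.status, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    log = []
    for args in [("GET", "Observation", "pat-42", "tok-valid"),
                 ("POST", "Observation", "pat-42", "tok-valid"),
                 ("GET", "Observation", "pat-99", "tok-valid"),
                 ("GET", "Observation", "pat-42", "tok-expired")]:
        d = authorize(*args, audit=log)
        print(args[:3], "->", d.status, d.reason)
    print(len(log), "audit records")
```

The gate refuses before it ever reads the resource: an expired or revoked token yields 401, a valid token without a matching scope or outside its patient context yields 403, and every decision, allowed or denied, lands in the audit list. The deny-by-default on unknown HTTP verbs and the rejection of non-SMART scopes such as `openid` are the two places implementations most often drift apart, which is the kind of variation between servers the article's sources expect the challenge to surface.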