Research Shows FHIR APIs Have Critical Flaws

As seen on The IT Nerd.

New research from Alissa Knight of Knight Ink shows critical flaws found in FHIR APIs which makes them vulnerable to abuse. In the report, Knight examined three FHIR APIs across an app ecosystem of 48 FHIR apps and APIs and aggregated her data from more than 25,000 health care providers and payers. Key findings show:

• Three production FHIR APIs serving an ecosystem of 48 apps and APIs were tested
• The ecosystem covered aggregated EHR data from 25,000 providers and payers
• 4m patient and clinician records could be accessed from 1 single patient login account
• 53% of mobile apps tested had hardcoded API keys and tokens which could be used to attack EHR APIs
• 100% of FHIR APIs tested allowed API access to other patient’s health data using one patient’s credentials.
• 50% of clinical data aggregators did not implement database segmentation allowing access to patient records belonging to other apps developed on their platform for other providers.
• 100 percent of the mobile apps tested did not prevent person-in-the-middle attacks, enabling hackers to harvest credentials and steal or manipulate confidential patient data.

That’s not trivial. And Giora Engel, CEO and Co-founder, Neosec agrees:

“The regulatory requirements to expose healthcare data for patient access and payer interoperability forced a fast pace of digital transformation in many healthcare systems. Part of that transformation exposes inherent security risks. “

“The main problems that we see today are:

1. 1. No API inventory creates a blind spot for the security team. APIs that are not known to the security team can’t be reviewed and protected. 
   2. Implementation errors and misconfigurations
   3. Abuse of APIs – by authorized users or clients 

Visibility into the API footprint and behavior is an essential part of the digital transformation. “