News

Research Shows FHIR APIs Have Critical Flaws

As seen on The IT Nerd.

New research from Alissa Knight of Knight Ink shows critical flaws found in FHIR APIs which makes them vulnerable to abuse. In the report, Knight examined three FHIR APIs across an app ecosystem of 48 FHIR apps and APIs and aggregated her data from more than 25,000 health care providers and payers. Key findings show:

  • Three production FHIR APIs serving an ecosystem of 48 apps and APIs were tested
  • The ecosystem covered aggregated EHR data from 25,000 providers and payers
  • 4m patient and clinician records could be accessed from 1 single patient login account
  • 53% of mobile apps tested had hardcoded API keys and tokens which could be used to attack EHR APIs
  • 100% of FHIR APIs tested allowed API access to other patient’s health data using one patient’s credentials.
  • 50% of clinical data aggregators did not implement database segmentation allowing access to patient records belonging to other apps developed on their platform for other providers.
  • 100 percent of the mobile apps tested did not prevent person-in-the-middle attacks, enabling hackers to harvest credentials and steal or manipulate confidential patient data.

That’s not trivial. And Giora Engel, CEO and Co-founder, Neosec agrees:

“The regulatory requirements to expose healthcare data for patient access and payer interoperability forced a fast pace of digital transformation in many healthcare systems. Part of that transformation exposes inherent security risks. “

“The main problems that we see today are:

    1. No API inventory creates a blind spot for the security team. APIs that are not known to the security team can’t be reviewed and protected. 
    2. Implementation errors and misconfigurations
    3. Abuse of APIs – by authorized users or clients 

Visibility into the API footprint and behavior is an essential part of the digital transformation. “

About Neosec

Neosec is reinventing application security with a powerful platform that unifies security and development teams to protect modern applications from threats. The foundation of the SaaS platform is built on data and analytics to manage security at scale. Neosec prevents threats from abusing the complex network of APIs that connect today's businesses. The platform helps organizations discover every API and audit risk. Neosec has pioneered the use of behavioral analytics to understand normal versus abnormal API usage and delivers powerful threat hunting capabilities. Neosec prevents threats and stops abuse hiding within APIs and brings new intelligence to application security. Neosec is based in Palo Alto, California with R&D in Tel Aviv, Israel. To learn more, visit Neosec.com.

news-cta-img

Test Drive the Neosec API Security Solution

One cloud-native platform, fully deployed in minutes, to protect your APIs.

Start Now