Healthcare’s EHRs “Last Mile” Open to Attack, Leave PHI Exposed
October 14, 2021
By Peter Kelley
Approov FHIR Guard Helps EHR Vendors Protect Healthcare’s “Last Mile” from Third Party App Vulns.
App API security specialists with Approov issued new research on third party healthcare app vulnerabilities that are putting millions of patient healthcare records at risk.
“Playing with FHIR – Hacking and Security FHIR APIs” details researcher Alissa Knight’s examination of three production FHIR APIs serving an ecosystem of 48 apps and APIs. The ecosystem covered aggregated EHR data from 25,000 providers and payers.
All apps tested used the Fast Healthcare Interoperability Resources (FHIR) standard for describing data formats and elements. One hundred percent of APIs tested allowed API access to other patients’ health data via a single patient’s credentials.
More than half of the mobile apps tested had hardcoded API keys and tokens which could be used to attack EHR APIs.
The problem extends beyond the third party apps themselves. Fifty percent of clinical data aggregators did not implement database segmentation, allowing cross-app access to patient records belonging to other apps developed on their platform for other providers.
None of the mobile apps tested prevented person-in-the-middle attacks, which allow attackers to harvest credentials and steal or manipulate confidential patient data.
The College of Healthcare Information Management Executives (CHIME) Policy Steering Committee Co-Chair Scott MacLean said in a recent press release (in part), “Patient data safety is crucial for maintaining trust in the patient-provider relationship, and ensuring that patients’ data remains safe even when they are outside of the four walls of the hospital only helps strengthen that bond.”
The report urges EHR vendors and aggregators to take direct steps to address third party security gaps, including:
- Securing Authorization: App developers and EHR aggregators must follow best practices as custodians of patient data – including implementing authorization scopes, app attestation, secure channels, and pentesting.
- Blocking Non-Compliant Apps’ Access to Sensitive Data: Healthcare and EHR providers should carefully monitor EHR access through FHIR APIs and develop enforceable certification programs for EHR data aggregators and app developers, and must also be prepared to apply the Security Exception to the Cures Information Blocking Mandate to players who do not comply with security best practices.
- Securing the Chain of Custody: The ONC should require EHR access through FHIR APIs be fully secure at every step from the EHR provider to the patient or any other EHR consumer, and establish and enforce this chain of custody through legal and financial accountability.
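The two findings above, cross-patient reads with one patient’s credentials and cross-app access on aggregators that do not segment their data, are both failures of the server-side authorization check the report’s first recommendation calls for. The following is an added illustration, not code from the report or from Approov, of what such a check looks like on a FHIR API: every read is gated on the token’s SMART-on-FHIR style scope, on the aggregator tenant that owns the record, and on the patient launch context the token was issued for. The token layout (`scope`, `patient`, `client_id` claims), the record store and the tenant field are constructed assumptions; token signature and expiry verification is assumed to have happened before this point.

```python
"""Server-side FHIR read authorization: scope, tenant segmentation and patient context.

Added example, not the report's or Approov's code. Assumes the bearer token has
already been verified (signature, expiry, audience) and decoded into a dict with a
SMART-on-FHIR style 'scope' string, a 'patient' launch-context claim and the
'client_id' of the calling app. Records are constructed for the example.
"""
from dataclasses import dataclass

# Constructed sample store: (resource_type, id) -> owning patient and owning tenant.
# Two apps ("app-alpha", "app-beta") share one aggregator; the tenant field is what
# database segmentation would normally enforce.
RECORDS = {
    ("Observation", "obs-1"): {"subject": "Patient/p-100", "tenant": "app-alpha"},
    ("Observation", "obs-2"): {"subject": "Patient/p-200", "tenant": "app-alpha"},
    ("Observation", "obs-3"): {"subject": "Patient/p-300", "tenant": "app-beta"},
    ("Patient", "p-100"): {"subject": "Patient/p-100", "tenant": "app-alpha"},
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_scopes(scope_str):
    """Parse SMART v1 scopes such as 'patient/Observation.read patient/*.read' into
    a set of (context, resource_type, action) tuples. Malformed entries are dropped,
    so a garbled scope string grants nothing rather than something."""
    parsed = set()
    for s in scope_str.split():
        if "/" not in s or "." not in s:
            continue
        ctx, rest = s.split("/", 1)
        rtype, action = rest.rsplit(".", 1)
        parsed.add((ctx, rtype, action))
    return parsed


def scope_permits(scopes, resource_type, action):
    """True if some patient-context scope covers this resource type and action."""
    return any(
        ctx == "patient" and rt in (resource_type, "*") and act in (action, "*")
        for ctx, rt, act in scopes
    )


def authorize_read(token, resource_type, resource_id, records=RECORDS):
    """Decide a GET /<resource_type>/<resource_id>. All three checks must pass;
    the order keeps the cheapest, least revealing check first."""
    record = records.get((resource_type, resource_id))
    if record is None:
        return Decision(False, "unknown resource")

    # 1. Scope: the token must grant read on this resource type in patient context.
    scopes = parse_scopes(token.get("scope", ""))
    if not scope_permits(scopes, resource_type, "read"):
        return Decision(False, "scope does not permit reading " + resource_type)

    # 2. Tenant segmentation: an app only reaches records owned by its own tenant,
    #    which is the check the report found missing at half the aggregators.
    if record["tenant"] != token.get("client_id"):
        return Decision(False, "tenant mismatch")

    # 3. Patient context: the record must belong to the patient the token was
    #    issued for; this is what stops one patient's credentials reading another's.
    if record["subject"] != "Patient/" + str(token.get("patient", "")):
        return Decision(False, "patient context mismatch")

    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed token for patient p-100 using app-alpha.
    token = {"scope": "patient/Observation.read", "patient": "p-100",
             "client_id": "app-alpha"}
    for rt, rid in [("Observation", "obs-1"), ("Observation", "obs-2"),
                    ("Observation", "obs-3"), ("Patient", "p-100")]:
        print(rt, rid, authorize_read(token, rt, rid))
```

Note that the patient-context check is on the record’s `subject`, not on the URL: a search such as `Observation?patient=p-200` must be filtered by the same rule on every returned resource, otherwise the per-id check is bypassed by the search path.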
“An effective kill chain in the targeting of the healthcare industry will not be one targeting the EHR systems running in the provider’s network, but targeting the third-party FHIR aggregators and third-party apps which access these EHR APIs. It is alarming how sensitive patient data moves from higher security levels to third-party aggregators where security has been found to be flagrantly lacking,” said researcher Alissa Knight.
FHIR Guard App Shielding
To address the vulnerabilities disclosed in the study, Approov introduced the FHIR Guard API security as a service (SaaS) offering to help EHR vendors and aggregators shield FHIR APIs. The service helps FHIR API providers encourage “downstream” partners to reduce “last mile” healthcare mobile app security issues and risks.
Approov prevents bots, scripts and compromised apps from:
- using stolen user identity credentials
- exploiting vulnerabilities in APIs
- maliciously manipulating the business logic of the APIs
- executing Man-in-the-Middle attacks
It is offered as a complementary API security solution for “last mile” security.
David Stewart, CEO, Approov, Inc., said: “Healthcare organizations and regulators who handle and oversee this sensitive data must give equal attention to security enforcement as they do to empowering citizens to take control of their patient data. With this research we don’t just want to raise a red flag. The introduction of FHIR Guard is a genuine effort by Approov to contribute positively towards improving the situation today, ahead of regulations which will surely follow in time.”
Findings will be reviewed in the upcoming webinar “Playing with FHIR: Hacking and Securing FHIR APIs” on October 28th at 12pm EST.