Upgrade to Pro — share decks privately, control downloads, hide ads and more …

APIsecure 2023 - All #FHIRed Up, John Moehrke

apidays
PRO
March 21, 2023
Programming
0
60

APIsecure 2023 - All #FHIRed Up, John Moehrke

APIsecure 2023 - The world's first and only API security conference
March 14 & 15, 2023

All #FHIRed Up
John Moehrke, Co-Chair, Security Working Group at Health Level 7 International (HL7)

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

March 21, 2023
Tweet

More Decks by apidays

See All by apidays
apidays Australia 2023 - A programmatic approach to API success including OpenAPI, Paul Bradley, Excelsa
apidays
PRO
0
23
apidays Singapore 2023 - Securing and protecting our digital way of life, Veronica Tan, Cyber Security Agency of Singapore
apidays
PRO
0
23
apidays Singapore 2023 - State of the API Industry, Manjunath Bhat, Gartner
apidays
PRO
0
59
apidays Singapore 2023 - Beyond REST, Claudio Tag, IBM
apidays
PRO
0
24
apidays Singapore 2023 - Connecting the trade ecosystem, CHOO Wai Yee, Singapore Customs
apidays
PRO
0
17
apidays Singapore 2023 - Business resilience: keeping a finger on the pulse and digitizing for productivity, Jene Lim, Experian Asia Pacific
apidays
PRO
0
28
apidays Singapore 2023 - Changing the culture of building software, Aman Dhamija, Goldman Sachs & Green Software Foundation
apidays
PRO
0
25
apidays Singapore 2023 - Building a digital-first investment management model, Scott Treloar, Noviscient
apidays
PRO
0
14
apidays Singapore 2023 - Digitalising agreements with data, design & technology, Charlie Loo, DocuSign
apidays
PRO
1
18

Other Decks in Programming

See All in Programming
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
530
大規模Reactアプリのリアーキテクチャ~8万行のTanStack Query移行の軌跡~
kj455
4
940
Milestoner
bkuhlmann
1
410
R言語の環境構築と基礎 Tokyo.R 112
bob3bob3
0
260
エンターテイメント業界で利用されるAWS
demuyan
0
210
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
8
4k
GitHub Copilotのススメ
marcy731
1
190
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
120
Code Reviews
bkuhlmann
4
890
Rubyでたのしむクリエイティブコーディング/Enjoy Creative coding with Ruby
chobishiba
1
180
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
260
Ruby Pattern Matching
bkuhlmann
0
920

Featured

See All Featured
A Philosophy of Restraint
colly
197
16k
The MySQL Ecosystem @ GitHub 2015
samlambert
243
12k
Happy Clients
brianwarren
92
6.4k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
GraphQLとの向き合い方2022年版
quramy
32
12k
Design by the Numbers
sachag
274
18k
VelocityConf: Rendering Performance Case Studies
addyosmani
320
23k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
Agile that works and the tools we love
rasmusluckow
325
20k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
60
14k
Clear Off the Table
cherdarchuk
84
310k

Transcript

  1. FHIR up the CyberSecurity Community John Moehrke (ByLight) Co-Chair: HL7

    Security Workgroup Co-Chair: IHE ITI Planning Committee https://healthcaresecprivacy.blogspot.com/

  2. Background - Healthcare newest Interop API definition - Please don’t

    hack without an invite. - Use all the tools and skills mentioned by everyone else - I will be focusing on additional factors when you know the FHIR API Keynote: Katie Paxton-Fear → read the API documentation

  3. FHIR – https://fhir.hl7.org FHIR –Fast Health Interoperability Resources - But

    realistically “FHIR” has taken on an identity beyond being an acronym - Pronounced “Fire” – leading to many puns - Initially focused on delivery of Health Care medical treatment – Health IT. - Expanded to Healthcare support roles: Provider Directory, Healthcare Billing, etc - Primarily a RESTful model available in JSON and XML … - “Standard API”, but not a “standard implementation” - Many open-source implementations of clients and servers (HAPI is the reference)

  4. FHIR Core - enabled for security/privacy • FHIR https://fhir.hl7.org •

    Based on platform of https, RESTful, json/xml, and oAuth • Well formed resources with profiling structure validator ◦ Data input can be validated to structure • TestScript resource for automated testing specification • Implementation guides and reference implementations • Not just for Patient Treatment purposes ◦ Security/Privacy Category: Patient, Individual, Business, Anonymous, Other ◦ Practitioner / Organization directory ◦ Vocabulary … but NOT secure or privacy protecting without Implementation

  5. FHIR Core - enabled for security/privacy • All resources have

    well-placed security tags - .meta.security • FHIR has compartments designed-in ◦ Structured/coded data are more deterministic vs free-text • FHIR has structured datatypes to hold verifiable digital signatures • FHIR has Consent resource to support consent, dissent, and conditions • Break-Glass - a mitigation to risks to Availability when patient safety risk • Also FHIR Provenance and AuditEvent to aid with transparency • FHIR Signature datatype. Not well matured yet. • Permission resource under development … but NOT secure or privacy protecting without Implementation

  6. Health IT market - FHIR as a standards based API

    specification – https://fhir.hl7.org - Safety - corruption can cause health harm or death - Privacy - exposure can’t be ‘revoked’ - Growing with many new software / app entrants - Not as careful regarding Privacy or Safety - Mature vendors are much better and have long standing process - Many open-source reference servers and clients - Many sandboxes available for testing Please be ethical, don’t knock without permission.

  7. Finding FHIR servers - Metadata endpoint -> CapabilityStatement -> ‘defined’

    supported API - http://hl7.org/fhir/http.html# capabilities - Tells you what “is” supported - Most servers do NOT implement everything in the FHIR standard …

  8. oAuth is common - oAuth protection … most of the

    time - Profiled use-cases and scope pattern - SMART App Launch - http://hl7.org/fhir/smart-app-launch - Clinician (user) vs Patient vs System - Often based on OpenID-Connect - Often app is authenticated with client id / password - Trending toward certificate backed application registration - CORS is commonly enabled - Biggest historic opportunity – where most things go wrong today …

  9. FHIR Specification opportunities - http RESTful CRUD - Some search

    parameters are more powerful - _include and _revinclude - automatic navigation to other - _summary, _history – are they as well protected - _total – side channel leakage - _query, _filter - complexity of search - paging - less than full page, next encoding - patient/subject - navigate to other patient - .id - abuse - html text - elements should be constrained html - Datatypes - abuse - Write over read-only

  10. And there is more - GraphQL – http://hl7.org/fhir/graphql.html - Bulk

    Data Access - https://hl7.org/fhir/uv/bulkdata/ - Operations - http://hl7.org/fhir/operations.html

  11. Test for overall Privacy Principles Health IT is very Privacy

    sensitive - Not keeping to posted Privacy Principles - Not keeping to agreed Privacy Consent - Not tracking access, use, and disclosure - Patient should be able to see when their data are used - Not regularly finding audit log evidence of inappropriate access - Real-time detection of abuse - Maintaining data beyond appropriate data lifecycle

  12. 12 Questions? John Moehrke Consultant with By Light Gmail JohnMoehrke

    @[email protected] healthcaresecprivacy.blogspot.com