Finding, Fighting FHIR App Vulns


EHR’s Leaky “Last Mile” of Third-Party Apps Exposes Patient Data. Approov Sends FHIR Guard to the Rescue.

New findings from Approov and cybersecurity researcher Alissa Knight with Knight Media expose “Last Mile” electronic health record (EHR) security issues in healthcare apps that leave millions of patient healthcare records exposed.

The research published in “Playing with FHIR – Hacking and Security FHIR APIs” examined three production FHIR APIs serving an ecosystem of 48 apps and APIs. The ecosystem covered aggregated EHR data from 25,000 providers and payers. Among key facts and findings:

  • 4m patient and clinician records could be accessed from 1 single patient login account
  • 53% of mobile apps tested had hardcoded API keys and tokens which could be used to attack EHR APIs
  • 100% of FHIR APIs tested allowed API access to other patient’s health data using one patient’s credentials
  • 50% of clinical data aggregators did not implement database segmentation allowing access to patient records belonging to other apps developed on their platform for other providers
  • 100 percent of the mobile apps tested did not prevent person-in-the-middle attacks, enabling hackers to harvest credentials and steal or manipulate confidential patient data

The College of Healthcare Information Management Executives (CHIME) Policy Steering Committee Co-Chair Scott MacLean said in a recent press release said (in part), “Patient data safety is crucial for maintaining trust in the patient-provider relationship, and ensuring that patients’ data remains safe even when they are outside of the four walls of the hospital only helps strengthen that bond.

The report’s three recommendations to address these major “last mile” security gaps are:

  • Secure Authorization: App developers and EHR aggregators must follow best practices as custodians of patient data – including implementing authorization scopes, app attestation, secure channels, and pentesting.
  • Block Non-Compliant Apps’ Access to Sensitive Data: Healthcare and EHR providers should carefully monitor EHR access through FHIR APIs and develop enforceable certification programs for EHR data aggregators and app developers, and must also be prepared to apply the Security Exception to the Cures Information Blocking Mandate to players who do not comply with security best practices.
  • Chain of Custody: The ONC should require EHR access through FHIR APIs be fully secure at every step from the EHR provider to the patient or any other EHR consumer, and establish and enforce this chain of custody through legal and financial accountability.

Approov FHIR Guard App Shielding

Approov also rolled out Approov FHIR Guard, a new API security as a service offering to shield EHR vendors’ and aggregators’ FHIR APIs. FHIR Guard helps FHIR API providers drive “downstream” partners to take steps to cut the risks of “last mile” healthcare mobile app security issues.

FHIR Guard puts in place controls in the API endpoint to help protect the API. App owners who choose to integrate Approov will pay per use for the service. Approov prevents bots, scripts, and compromised apps from:

  • using stolen user identity credentials
  • exploiting vulnerabilities in APIs
  • malicious manipulation of the business logic of the APIs
  • executing Man-in-the-Middle attacks
  • complimentary API security solution for “last mile” security

An effective kill chain in the targeting of the healthcare industry will not be one targeting the EHR systems running in the provider’s network, but targeting the third-party FHIR aggregators and third-party apps which access these EHR APIs. It is alarming how sensitive patient data moves from higher security levels to third-party aggregators where security has been found to be flagrantly lacking,” said researcher Alissa Knight.

David Stewart, CEO, Approov, Inc., said: “Healthcare organizations and regulators who handle and oversee this sensitive data must give equal attention to security enforcement as they do to empowering citizens to take control of their patient data. With this research we don’t just want to raise a red flag. The introduction of FHIR Guard is a genuine effort by Approov to contribute positively towards improving the situation today, ahead of regulations which will surely follow in time.

Stewart and Knight will conduct the webinar “Playing with FHIR: Hacking and Securing FHIR APIs” on October 28th at 12pm EST, on the report’s findings. Click here for more information.


Follow Brilliance Security Magazine on Twitter, Facebook, and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.