
Playing with FHIR: Hacking and Securing FHIR API Implementations

In research sponsored by Approov, Alissa Knight of Knight Ink focused on hacking Fast Healthcare Interoperability Resources (FHIR) APIs, working with some of the world’s largest Electronic Health Record (EHR) providers in her vulnerability research. This report presents her findings, which underscore a systemic lack of basic protections in FHIR API implementations, specifically at aggregators and intermediaries, where the vulnerabilities she discovered allowed unauthorized access to an innumerable number of patient records.

Key Takeaways

The introduction of apps and data aggregators built on top of hospital networks poses a new security risk for EHR data. Adversaries can now target these aggregators where EHR data is extracted and stored, making it easier to access patient records. While FHIR is a necessary step for data sharing, its implementation is often insecure. Companies integrating FHIR are not following security best practices, such as applying scopes to tokens to restrict access to patient records.
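The scoping failure described above, as an added example that is not part of the report or Approov's code: a server-side check that enforces SMART on FHIR v1 scopes (`patient/<Type>.<read|write|*>`) so that a token issued for one patient cannot read another patient's records. The token and request shapes are assumptions for the example.

```python
# Added example (not from the report): enforce SMART on FHIR v1 scopes on a
# FHIR request so that a token issued for one patient cannot read another
# patient's records. Token and request shapes are assumptions for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class FhirRequest:
    method: str         # HTTP method, e.g. "GET"
    resource_type: str  # FHIR resource type, e.g. "Observation"
    patient_id: str     # patient the *stored* record belongs to, resolved
                        # server-side, never taken from a client parameter


def _scope_allows(scope: str, req: FhirRequest, token_patient: str) -> bool:
    """True if one v1 scope 'patient/<Type>.<read|write|*>' covers req."""
    try:
        context, rest = scope.split("/", 1)
        resource, access = rest.split(".", 1)
    except ValueError:
        return False  # malformed scope grants nothing
    # Only patient-context scopes are handled here; user/ and system/ scopes
    # need the server's own user-permission model and are denied in this example.
    if context != "patient" or not token_patient:
        return False
    if resource not in ("*", req.resource_type):
        return False
    needed = "read" if req.method in ("GET", "HEAD") else "write"
    if access not in ("*", needed):
        return False
    # The key check: a patient-context token is confined to its launch patient.
    return req.patient_id == token_patient


def authorize(token: dict, req: FhirRequest) -> bool:
    """Allow the request only if at least one granted scope covers it."""
    token_patient = token.get("patient", "")
    scopes = token.get("scope", "").split()
    return any(_scope_allows(s, req, token_patient) for s in scopes)
```

A token that carries scopes but no `patient` context is denied outright, which is the failure mode the research found: bearer tokens that were accepted as valid but never bound to the patient they were issued for.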

Application developers and aggregators are handling vast amounts of patient records, but misconfigurations and poor security implementations create vulnerabilities. Third-party app developers and aggregators should prioritize security from the start and during deployment. 

To enhance security, tools can be used to obfuscate mobile app code to prevent reverse engineering, and API security solutions should be used to block synthetic traffic from tools or bots.

3 Actions for Mobile Healthcare Companies

  1. Certificate pin your API connections

    None of the mobile applications included in the FHIR security research made use of certificate pinning, a security measure that protects against Man-in-the-Middle attacks. Certificate pinning ensures that mobile apps only communicate with servers whose certificate matches a specified "expected" value. Implementing and managing certificate pinning is not necessarily complex, and it provides significant advantages in securing data and API traffic against interception.

  2. Shield your APIs

    60% of the FHIR APIs tested were found to have vulnerabilities. Identifying and rectifying API vulnerabilities is an ongoing and continuous process. However, it is crucial to establish a straightforward yet effective API shielding solution as a primary step, so that potential attackers cannot exploit the vulnerabilities that will inevitably remain in your APIs.

  3. Obfuscate/harden your mobile app code

    53% of the mobile applications subjected to FHIR security research were found to contain hard-coded API keys and tokens. It is essential to ensure that the API key alone is insufficient for gaining access to backend resources. Implementing a second factor through app authentication, akin to the two-factor authentication commonly adopted for users, is a necessary measure to prevent abuse of the API.

Approov Mobile Security

Approov provides a patented cloud-based run-time shielding solution which is easy to deploy and protects your APIs and the channel between your mobile apps and APIs from any automated attack. Get your copy of the full report to learn more.

Download the full version of the white paper
