We're Hiring!

Guest Blog: Alissa Knight on ‘Playing with FHIR’

Graceful red haired female fire show performer

We are delighted to be hosting some unique content from our friend and recovering hacker Alissa Knight. This is the third blog in a series about the security risks exposed by the push to adopt FHIR APIs in US healthcare.

In the first blog Alissa talked about what FHIR is and why it's important right now in the US healthcare market. In the second article she covered API authentication and authorization and where the SMART on FHIR initiative fits in.

In this article Alissa outlines where we believe the security challenges could lie in FHIR APIs and how we are testing them. You are also invited to a live webinar which will provide all the details you need to understand the security risks, how to test for vulnerabilities and more importantly secure your SMART on FHIR implementation.  

So what tactics and techniques does an attacker use when targeting SMART on FHIR implementations? The main attack surface is the API and the main vehicle is an automated tool or script targeting that API directly. We can identify two main stages of a successful attack - the attack preparation and attack execution. APIs always have vulnerabilities that the attacker will find and exploit.

Attack Preparation - A search for useful information

When preparing for the attack, an attacker:

  1. Acquires user credentials through phishing, spoofing, and data acquired through the dark web. This data is typically gained through data breaches and sold to shady web intermediaries;

  2. Inspects and decompiles the mobile app to extract information that can be used to access the API;

  3. Abuses the device's integrity to acquire information from the app for malicious reasons; and

  4. Tampers with channel integrity (Woman-in-the-Middle) to intercept secrets and gain access to the app's logic.

Attack Execution - Attack staging and information gathering

In this phase, the attacker:

  1. Uses acquired information to construct valid queries and set up automated tools that target the API;

  2. Harvests data from the API using new or commonly known loopholes such as fake application forms, links, and attachments containing malware;

  3. Abuses the FHIR API business logic;

  4. Interferes with the operation of the service to slow down or divert user requests; and

  5. Uses harvested information to tamper with the app and deploy a modified version to divert financial transactions, or steal data.

These are just some of the steps we are taking to test the security of SMART on FHIR implementations with different providers. The vulnerability research campaign into SMART on FHIR APIs is well underway. We have created an API client that pulls from several of the largest EHR platforms via their SMART on FHIR APIs. Three of the largest EHR companies have agreed to participate in this research and have made their FHIR APIs available for testing.

Please join our Live Webinar: Hacking SMART on FHIR Apps and APIs on June 17th and we will tell you all you need to know about the tactics and techniques being used in this final phase of research as well as show you the cyber range we have created for this exercise.

You will learn:

-  SMART on FHIR and where there could be potential security issues;

-  The way an attacker thinks about exploiting the mobile app /API channel;

-  The cyber range that has been created to connect mobile apps to these public EHR systems through their FHIR APIs;

-  The tactics, techniques, and tools being used to execute API breaches; and

-  Some best practices for penetration testing of your SMART on FHIR implementations.

Register here.

David Stewart

- Advisor at Approov / Former CEO of Approov
30+ years experience in security products, embedded software tools, design services, design automation tools, chip design.