We are delighted to be hosting some unique content from our friend and recovering hacker Alissa Knight. This is the third blog in a series about the security risks exposed by the push to adopt FHIR APIs in US healthcare.
In the first blog Alissa talked about what FHIR is and why it's important right now in the US healthcare market. In the second article she covered API authentication and authorization and where the SMART on FHIR initiative fits in.
In this article Alissa outlines where we believe the security challenges could lie in FHIR APIs and how we are testing them. You are also invited to a live webinar which will provide all the details you need to understand the security risks, how to test for vulnerabilities and more importantly secure your SMART on FHIR implementation.
So what tactics and techniques does an attacker use when targeting SMART on FHIR implementations? The main attack surface is the API, and the main vehicle is an automated tool or script targeting that API directly. A successful attack can be broken into two main stages: attack preparation and attack execution. An API that is exposed in this way should be assumed to carry vulnerabilities that an attacker will look for and exploit.
Attack Preparation - A search for useful information
When preparing for the attack, an attacker:
Acquires user credentials through phishing, spoofing, or purchase on the dark web, where data from earlier breaches is typically sold on through shady intermediaries;
Inspects and decompiles the mobile app to extract information that can be used to access the API;
Abuses the device's integrity to acquire information from the app for malicious reasons; and
Tampers with channel integrity (Woman-in-the-Middle) to intercept secrets and gain access to the app's logic.
Attack Execution - Attack staging and information gathering
In this phase, the attacker:
Uses acquired information to construct valid queries and set up automated tools that target the API;
Harvests data from the API using new or commonly known loopholes such as fake application forms, links, and attachments containing malware;
Abuses the FHIR API business logic;
Interferes with the operation of the service to slow down or divert user requests; and
Uses harvested information to tamper with the app and deploy a modified version that diverts financial transactions or steals data.
These are just some of the attacker steps we are replicating to test the security of SMART on FHIR implementations with different providers. The vulnerability research campaign into SMART on FHIR APIs is well underway. We have created an API client that pulls from several of the largest EHR platforms via their SMART on FHIR APIs. Three of the largest EHR companies have agreed to participate in this research and have made their FHIR APIs available for testing.