Unlocking the Future of API Security in Healthcare

Collaborative Advancements and Opportunities Post APIsecure 2023

By Keith Carlson, ONC
X: @ONC_HealthIT

With Health Level Seven (HL7®) Fast Healthcare Interoperability Resources (FHIR®) application programming interfaces (APIs) now widely available across the United States, health IT developers and application developers should keep up-to-date on API security work and practice good API security hygiene when implementing applications and tools that leverage FHIR APIs.

The health IT community passed a major milestone on December 31, 2022, when more than 95 percent of certified health IT developers met the compliance deadline to update and provide their customers with new technology. This included requirements to enable access to information through FHIR APIs.

ONC Certification Program support for client authentication

In March 2023, API security professionals from around the world gathered virtually for the 2023 APIsecure conference for two days of wall-to-wall presentations on modern hacking and defense of APIs. Cybersecurity experts, researchers, and senior API leaders described lessons learned and strategies from other industries that can be leveraged in healthcare API security.

One highlight from the APIsecure conference was a presentation on asymmetric (public key) authentication and how a large company is using it to upgrade its authentication approaches. The presenter shared their company’s experience when switching from symmetric authentication to asymmetric authentication, and referenced a blog post that explained the benefits of this approach. Symmetric authentication can be riskier because it relies on a single secret that must be known by both parties (i.e., the client and the server), so a compromise of either side exposes it. Asymmetric authentication reduces that risk by defining two keys: a public key that can be safely shared with anyone and a private key that is kept secret by the client. The math underlying asymmetric authentication lets the server verify the client’s identity while only the public key is ever shared between them.

This asymmetric authentication approach is available as an optional capability that health IT developers may, but are not required to, support for certification in the ONC Certification Program. Health IT developers may include this capability when implementing the updated SMART Application Launch Framework implementation guide (IG) included in ONC’s 2022 Standards Version Advancement Process (SVAP) announcement. ONC also proposed requiring this updated IG for certification in the recent HTI-1 proposed rule. This example demonstrates how ONC enables health IT developers to implement upgraded capabilities established by the FHIR standards community to further secure, interoperable health data exchange.
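In the SMART Application Launch Framework this option takes the form of JWT-based client authentication: the client signs a short-lived assertion (iss and sub set to its client_id, aud set to the token endpoint, an exp of at most five minutes, and a unique jti) with its private key using RS384 or ES384 and posts it to the token endpoint, which checks the signature against the public key the client registered out of band (for example through a JWKS URL). The Go program below is an added illustration, not code from ONC, the conference presenter, or the SMART IG. The client id, key id and token URL are constructed, and for brevity the verifier checks only the algorithm, signature, issuer/subject, audience and expiry; a production verifier must also record each jti so a captured assertion cannot be replayed. It shows both sides of the exchange and that an assertion signed with any other private key, even one claiming the registered key id, is rejected because the server never holds anything but the public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// must turns errors that cannot happen with valid inputs (key generation, signing) into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// assertionClaims is the claim set SMART asymmetric client authentication requires (jti omitted here).
type assertionClaims struct {
	Iss string `json:"iss"` // client_id
	Sub string `json:"sub"` // client_id again
	Aud string `json:"aud"` // the token endpoint the assertion is meant for
	Exp int64  `json:"exp"` // short expiry (SMART caps it at 5 minutes)
}

// signAssertion is the client side. RS384 (RSASSA-PKCS1-v1_5 over SHA-384) is one of
// the two algorithms SMART permits; the private key never leaves the client.
func signAssertion(priv *rsa.PrivateKey, kid string, c assertionClaims) string {
	header := must(json.Marshal(map[string]string{"alg": "RS384", "typ": "JWT", "kid": kid}))
	payload := must(json.Marshal(c))
	input := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha512.Sum384([]byte(input))
	sig := must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA384, digest[:]))
	return input + "." + enc.EncodeToString(sig)
}

// tokenEndpoint is the server side: it holds only public keys, registered out of band and looked up by kid.
type tokenEndpoint struct {
	keys map[string]*rsa.PublicKey
	url  string
}

func (s *tokenEndpoint) verifyAssertion(jwt string) (*assertionClaims, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed assertion")
	}
	hdrJSON, e1 := enc.DecodeString(parts[0])
	body, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("bad base64url encoding")
	}
	// Allow-list the algorithm so the header can never downgrade the check to "none" or HMAC.
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS384" {
		return nil, fmt.Errorf("algorithm %q not allowed", hdr.Alg)
	}
	digest := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	if pub := s.keys[hdr.Kid]; pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA384, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against a registered public key")
	}
	var c assertionClaims // claims are only trustworthy after the signature check above
	if json.Unmarshal(body, &c) != nil || c.Iss != c.Sub {
		return nil, errors.New("bad claims")
	}
	if c.Aud != s.url || time.Now().Unix() >= c.Exp {
		return nil, errors.New("wrong audience or expired")
	}
	return &c, nil
}

// runFlow: a valid assertion is accepted; one signed with a different private key that
// claims the registered kid is rejected, because the server only has the public key.
func runFlow() (accepted, wrongKeyRejected bool) {
	clientKey := must(rsa.GenerateKey(rand.Reader, 2048))
	otherKey := must(rsa.GenerateKey(rand.Reader, 2048))
	server := &tokenEndpoint{
		keys: map[string]*rsa.PublicKey{"client-key-1": &clientKey.PublicKey},
		url:  "https://ehr.example.org/oauth/token", // constructed
	}
	claims := assertionClaims{Iss: "backend-app", Sub: "backend-app", Aud: server.url, Exp: time.Now().Add(4 * time.Minute).Unix()}
	_, eGood := server.verifyAssertion(signAssertion(clientKey, "client-key-1", claims))
	_, eForged := server.verifyAssertion(signAssertion(otherKey, "client-key-1", claims))
	return eGood == nil, eForged != nil
}

func main() {
	fmt.Println(runFlow())
}
```

Run it with `go run` and it prints `true true`. Two design points carry over to real deployments: the algorithm is taken from a server-side allow-list rather than trusted from the token header, and the claims are parsed only after the signature has been verified, so nothing in an unauthenticated assertion influences which key is used or what the server believes about the caller.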

Top API Security Threat: Broken Object Level Authorization (BOLA)

Securing modern-day APIs means getting the basics right. One persistent security vulnerability highlighted during the conference is Broken Object Level Authorization (BOLA). BOLA currently sits at the top of the most recent OWASP API Security Top Ten – 2023. It is a problem for APIs across the tech industry and FHIR APIs are no exception, as reported in a 2021 white paper.

According to the paper, many of these BOLA vulnerabilities in FHIR APIs arise from improper implementation of authorization and authentication technology. Testing is an important practice for identifying and fixing mistakes before they can become vulnerabilities in live production APIs. The ONC Certification Program includes tests for BOLA as part of the process for certifying FHIR APIs to the § 170.315(g)(10) “Standardized API for patient and population services” certification criterion. For example, the “Limited Access App” tests probe for potential BOLA vulnerabilities in a FHIR API by trying to access unauthorized FHIR resources and alerting the tester if inappropriate access controls are detected.
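To make the BOLA pattern concrete, here is an added Go sketch (my example, not ONC’s certification test code or anything from the white paper) of a FHIR read handler written two ways, together with a probe in the spirit of the “Limited Access App” test that reports every resource handed to a token scoped to the wrong patient. The in-memory store, resource ids and token contents are constructed; the scope strings follow the SMART v1 `patient/*.read` form and the patient launch context is assumed to arrive with the validated token.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// accessToken is what a FHIR server knows after validating a SMART bearer token:
// the granted scopes and the patient launch context. Values below are constructed.
type accessToken struct {
	Scopes  []string
	Patient string // the "patient" context, e.g. "p-1"
}

// resource is a minimal FHIR resource: its type, id, and the patient it is about
// (the Patient itself, or subject.reference on a clinical resource).
type resource struct {
	Type, ID, Subject string
}

// Constructed store: two patients, one Observation each.
var store = map[string]resource{
	"Patient/p-1":     {"Patient", "p-1", "Patient/p-1"},
	"Patient/p-2":     {"Patient", "p-2", "Patient/p-2"},
	"Observation/o-1": {"Observation", "o-1", "Patient/p-1"},
	"Observation/o-2": {"Observation", "o-2", "Patient/p-2"},
}

var (
	errNotFound  = errors.New("404 Not Found")
	errForbidden = errors.New("403 Forbidden")
)

// hasReadScope checks SMART v1-style read scopes (patient/Observation.read, patient/*.read).
func hasReadScope(tok accessToken, resType string) bool {
	for _, s := range tok.Scopes {
		if s == "patient/"+resType+".read" || s == "patient/*.read" {
			return true
		}
	}
	return false
}

// readVulnerable shows the BOLA pattern: the token is checked for the resource *type*,
// but whatever object the caller names is returned, whoever it belongs to.
func readVulnerable(tok accessToken, resType, id string) (resource, error) {
	r, ok := store[resType+"/"+id]
	if !ok {
		return resource{}, errNotFound
	}
	if !hasReadScope(tok, resType) {
		return resource{}, errForbidden
	}
	return r, nil
}

// readHardened adds the object-level check: the resource must belong to the patient in
// the token's context. Answering 404 rather than 403 for someone else's resource also
// avoids confirming that the id exists.
func readHardened(tok accessToken, resType, id string) (resource, error) {
	r, ok := store[resType+"/"+id]
	if !ok || r.Subject != "Patient/"+tok.Patient {
		return resource{}, errNotFound
	}
	if !hasReadScope(tok, resType) {
		return resource{}, errForbidden
	}
	return r, nil
}

// probe plays the role of a limited-access test: with a token for one patient it asks
// the handler for every resource in the store and returns the keys of resources that
// belong to another patient but were handed over anyway.
func probe(read func(accessToken, string, string) (resource, error), tok accessToken) []string {
	leaked := []string{}
	for key, r := range store {
		if r.Subject == "Patient/"+tok.Patient {
			continue
		}
		if _, err := read(tok, r.Type, r.ID); err == nil {
			leaked = append(leaked, key)
		}
	}
	sort.Strings(leaked) // map order is random; make the report deterministic
	return leaked
}

func main() {
	tok := accessToken{Scopes: []string{"patient/*.read"}, Patient: "p-1"}
	fmt.Println("vulnerable handler leaked:", probe(readVulnerable, tok))
	fmt.Println("hardened handler leaked:  ", probe(readHardened, tok))
}
```

The vulnerable handler reports `[Observation/o-2 Patient/p-2]` for a token bound to patient p-1; the hardened one reports nothing while still serving that patient’s own resources. The same ownership check has to be applied on every path that names an object, including search parameters, `_include`, and references embedded in returned resources, which is why a test that enumerates ids rather than trusting the scope string is the useful one.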

We have included tests like these to ensure that certified FHIR APIs are developed with robust security, including advances in security standards, and are able to withstand potential malicious use. It is also important that FHIR API developers stay updated on the latest security techniques while maintaining a rigorous security posture.

Get involved

Conferences like APIsecure play an important role in fostering communities, including regulators, that work together to enable a secure health API ecosystem that ultimately benefits patients. ONC’s involvement in these discussions helps keep FHIR relevant in the API security community and vice versa.

This article was originally published on the Health IT Buzz and is syndicated here with permission.