ONC is challenging healthcare stakeholders to build secure Fast Healthcare Interoperability Resources (FHIR) servers to improve health IT security and ensure that secure FHIR options are available in the future.
The Secure API Server Showdown Challenge will ideally “identify unknown security vulnerabilities in the way open source FHIR servers are implemented,” ONC Office of Standards and Technology Director Steven Posnack, MS, MHS, wrote in a blog post.
“FHIR is a standardized way to exchange health information that’s similar to the way we experience using the Internet,” Posnack explained. “The FHIR standard’s security page notes, however, that FHIR ‘is not a security protocol, nor does it define any security related functionality’ so it needs to be paired with appropriate security standards when it comes to deploying, for example, a production-grade FHIR server.”
The Challenge consists of two stages, the first of which has contestants developing and submitting a secured FHIR server for judging, he wrote. Winners advance to Stage 2 and will be eligible to collect a $10,000 prize.
The first track of Stage 2 requires participants “to operate their Stage 1 winning FHIR servers throughout Stage 2 and review potential vulnerabilities submitted by Discovery Track teams.”
The second track is called “Discovery Track,” and has participants competing for the following:
- “Most cumulative confirmed vulnerabilities discovered,” which will include 1st, 2nd, and 3rd place prizes for the teams that find the largest number of confirmed vulnerabilities during the Challenge (at $7,500, $5,000 and $2,500, respectively).
- Two $2,500 bonus prizes will be available to any participating Discovery Track team.
Finding the most confirmed vulnerabilities in a single FHIR server and proving a demonstrated ability to change patient data in a FHIR server are the two bonus prize requirements, according to ONC.
Stage 1 winning servers’ source code must be made publicly and openly available consistent with the MIT License, Posnack stated. All confirmed security vulnerabilities discovered during Stage 2 will also need to be made publicly available.
“Through this transparent process and outcome, we encourage stakeholders to step up and update the published code to further harden each server’s code base,” he concluded.
APIs can have a significant impact in healthcare because they can further advance interoperability. However, lackluster security standards have previously been cited as a top concern for the technology.
APIs could potentially remove many barriers to the sharing of health information between providers and patients, according to a late 2016 Commonwealth Fund blog post.
“In addition, not all types of APIs are equal when it comes to sharing digital health information,” wrote the authors, including Commonwealth Fund Senior Vice President for Policy and Research Eric Schneider, MD, MSc. “Some restrictive APIs could even be used instead to block patients from accessing their health information.”
The HITECH Act, MACRA, and the 21st Century Cures Act could all help push the idea of APIs forward, the post stated.
“The certification program incentivizes the exchange of interoperable information between EHRs and other health IT systems such as apps, pharmacy systems, or laboratories,” the authors said. “APIs for EHRs must include features such as identity authentication and must enable secure exchange of digital health data in a form that can be read and used by other computers the way a shopping order from one computer can be verified by another.”
The Commonwealth Fund also suggested that “HHS and/or Congress could fund development of open-source, standards-based API for EHR technologies through standards development organizations or groups of industry representatives.”
A clear path for innovative uses of electronic health data can be created by healthcare policymakers, delivery system leaders, and consumer advocates encouraging open API usage, the authors stressed. This will also help to improve healthcare’s quality and affordability.