Security on FHIR
Andrew Marcus, Healthcare Technology Lead
Amsterdam, 14-16 November | @HL7 @Asymmetrik | #fhirdevdays18 | asymmetrik.com/fhir
HL7®, FHIR® and the flame Design mark are registered trademarks of Health Level Seven International and are used with permission.
Your system can get hacked if:
● You’re building a FHIR server
● You’re building a FHIR app
● You’re building any kind of application
● You’re using Cloud Infrastructure
● You’re connected to the internet
● You’re not connected to the internet
Globally, in 2017:
● 53K+ reported incidents, 2,216 confirmed breaches
● Hacks primarily use known, unpatched vulnerabilities
● Healthcare sector is largest victim:
○ 24% of all incidents
○ 56% were from insiders
Source: Verizon Data Breach Investigation Report 2018
Why do attackers target health systems?
* apologies to South Park
Cyber Criminal Business Plan
Phase 1: Download hacker tools
Phase 2:
Phase 3: Profit!
Hacking for profit:
● Selling Bulk Personal Data
● Identity Theft, Benefits Fraud
● Ransomware
76% of all attacks are financially motivated
Ransomware is now offered as a service
Source: Verizon Data Breach Investigation Report 2018
Motivation
Gaining advantage or making a statement: Graffiti, Espionage, DDoS
Source: Verizon Data Breach Investigation Report 2018
Motivation
Gaining advantage or making a statement:
● Spy on your competitors
● Place statement on a website
● Take down a website
Targeted personal attack:
● Get pain meds
● Alter drug tests
● Change health records
● Attack medical devices
● Obtain health records
● Revenge
● Lookup celebrity
● Kill patients
Motivation: What do attackers want?
Business Sensitive Information
● Operations Data
● Employee Lists
Personal Identifying Information (PII)
● Credit Cards
● SSNs
Personal Health Information (PHI)
● Health Records
● Device Data
Common types of attacks (an incomplete list)
Attacks usually involve many techniques
Using Bots to Scan for Vulnerabilities
Attack:
● Hackers are lazy
● Scripts test for all known vulnerabilities
● Might be randomly targeted
(Diagram: bots on the Internet probing Internet-Facing APIs, Application Code, Operating System and Database)
Mitigation: Thwart Bots
● Apply all security patches
● Use static code analysis (e.g. Snyk.io, SonarQube, HP Fortify)
● Use a Web Application Firewall (WAF)
● Close all unused ports
Don’t assume attackers won’t know about latest vulnerabilities
SQL/NoSQL Injection
Attack:
● Pass database commands directly from a browser
○ Get additional records
○ Change/delete data
● Also works with NoSQL databases, e.g. MongoDB
(Diagram: Internet → Internet-Facing APIs → Application Code → Database)
An example of SQL Injection
(Comic omitted. Source: XKCD.com)
Cross-Site Scripting (XSS)
Attack:
● Place bad JS on webpage and share with users
● JS can do bad things:
○ Steal session cookie
○ Install keylogger
○ Read data on the page
(Diagram: Internet → Internet-Facing APIs → Application Code)
Mitigation: Block Injections
● Always sanitize inputs
● Use a database query abstraction layer (e.g. ORM)
● Remove script tags from inputs before using
● Look at OWASP Top-10 for good coding practices
Don’t trust the data in or out
Malicious HTML in FHIR Narrative
Attack:
● Include bad JS in HTML field of FHIR resource
○ Runs in doctor’s scope
● Upload image attachment with executable payload
○ Runs on server
(Diagram: Internet → Internet-Facing APIs → Application Code → Database, Operating System)
Mitigation: Scrub Active Elements
● Scrub out all active elements
○ Not just onclick; also onhover, onfocus, onerror…
● Ensure image attachments are not executable
● Auto-generate narrative
● Never run unknown code
● Open bug bounty!
http://build.fhir.org/narrative.html
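Added example (not from the deck and not Phoenix code): an allow-list scrubber for the XHTML in a resource’s Narrative.div. It drops script/style/form elements with their content, drops every attribute that is not on the allow-list (which removes every on* handler, not just onclick), and drops href/src values with unsafe schemes. The tag and attribute lists are my own choices for the demo, not the FHIR specification’s exact list; a production server should parse the XHTML with a real XML parser and validate it against the narrative rules rather than regex-scrub it, but the check it performs is the one shown here.

```javascript
// Added example (not from the deck or the Phoenix FHIR server): allow-list scrubbing
// of FHIR Narrative XHTML. Tag/attribute lists below are assumptions for the demo.
const ALLOWED_TAGS = new Set([
  'div', 'p', 'span', 'b', 'i', 'u', 'em', 'strong', 'br', 'h1', 'h2', 'h3',
  'ul', 'ol', 'li', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'a', 'img',
]);
// No event handlers (onclick, onmouseover, onfocus, onerror, ...) and no style.
const ALLOWED_ATTRS = new Set(['xmlns', 'class', 'id', 'href', 'src', 'alt', 'title', 'colspan', 'rowspan']);

// href/src may only point at http(s), an in-document anchor, or an inline image.
function safeUrl(value) {
  const v = value.trim().toLowerCase();
  return v.startsWith('http://') || v.startsWith('https://') ||
    v.startsWith('#') || v.startsWith('data:image/');
}

function scrubNarrative(xhtml) {
  // 1. Remove comments and the elements whose *content* is active code.
  let out = xhtml
    .replace(/<!--[\s\S]*?-->/g, '')
    .replace(/<(script|style|iframe|object|embed|form)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  // 2. Rebuild every remaining tag from the allow-lists: unknown tags vanish,
  //    unknown attributes (every on* handler) vanish, text content is untouched.
  out = out.replace(/<(\/?)([a-zA-Z][\w:-]*)([^>]*?)(\/?)>/g,
    (match, close, name, attrs, selfClose) => {
      const tag = name.toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) return '';
      if (close) return `</${tag}>`;
      const kept = [];
      // Only quoted attributes are recognised; an unquoted one is simply dropped.
      const attrRe = /([a-zA-Z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
      let a;
      while ((a = attrRe.exec(attrs)) !== null) {
        const attr = a[1].toLowerCase();
        const value = a[2] !== undefined ? a[2] : a[3];
        if (!ALLOWED_ATTRS.has(attr)) continue;
        if ((attr === 'href' || attr === 'src') && !safeUrl(value)) continue;
        kept.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
      }
      return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}${selfClose ? '/' : ''}>`;
    });
  return out;
}

// Strict mode for a server: reject rather than repair, so nothing is silently changed
// and the client learns that its narrative was not acceptable.
function narrativeIsClean(xhtml) {
  return scrubNarrative(xhtml) === xhtml;
}
```

On a write, run narrativeIsClean on the posted Narrative.div and return an OperationOutcome when it is false; scrubNarrative is for the display path, where you would rather show a cleaned narrative than nothing.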
Compromised Credentials
Attack:
● Obtain credentials from user
○ Phishing
○ Brute-force
● Login as user
● Do anything user can do
(Diagram: stolen credentials presented from the Internet to Internet-Facing APIs → Application Code → Database)
Mitigation: Protect Credentials
● Use 2FA, strong passwords and an org-wide password manager
● Never share accounts
● Don’t give employees more access than they need
● Limit login attempts
Phishing is often the easiest way to get health data
A word on passwords
(Comic omitted. Source: XKCD.com)
● Passwords should be long
● Other rules no longer apply
Man-in-the-Middle Attack
Attack:
● Intercept request
○ Spoof DNS
○ Sniff network traffic
● Intercept communication
○ Steal sensitive data
○ Impersonate user
(Diagram: Internet → Fake Server standing in front of Internet-Facing APIs → Application Code → Database)
Mitigation: Encrypt Everything
● Always use encryption!
● At least TLS 1.2
● At least 256-bit AES keys
● Use trusted certificates
● Lock your domain names
○ Purchase similar domains
● Disable support immediately for TLS 1.0, 1.1 and SHA1
OAuth2 Token Shenanigans
Attack:
● Acquire valid JWT token
● Acquire signature key
● Alter token and re-sign
○ Escalate privileges
○ Change scope
○ Change patient ID
(Diagram: Internet → Internet-Facing APIs → Application Code → Database, with the OAuth Server issuing the tokens)
Mitigation: Stop Token Forgery
● Require tokens for all actions
● Validate tokens with server
● Use short expiration and random state parameter
● Always have a server for apps to hide client secrets
● Use JWE instead of JWS
Don’t trust tokens without verifying them
JWS has a “none” signature algorithm
● If you say None, JWS validation tools say OK!
● Unpatched JWS libraries still have this vulnerability
It is not OK. Use JWE instead
(Diagram: token structure: Payload, Algorithm, Signature)
Querying for Unauthorized Data
Attack:
● Craft a clever query
● Surmise existence of records hacker has no access to
(Diagram: Internet → Application Code → Database)
Pop Quiz!
What should happen when a patient queries the /patients search endpoint?
● Successful result containing only authorized records
○ 1 record if criteria match the patient
○ 0 records if criteria do not match the patient
● Exclude any evidence that other records exist
Mitigation: Plug Leaky Queries
● Missing/Unauthorized data should be indistinguishable
● Think about timing attacks
● Don’t reveal log messages for internal system errors
Don’t reveal more than the user needs to know
http://build.fhir.org/security.html#AccessDenied
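Added example serving both the SQL/NoSQL Injection slide and this one (not from the deck and not Phoenix code): one toy Patient search endpoint with the two defects side by side. The unsafe search passes a parsed query value straight into a MongoDB-style filter, so a request such as ?identifier[$ne]=x, which Express’s default query parser turns into { identifier: { $ne: 'x' } }, lets the caller pick the operator and dump every record. The hardened search rejects anything that is not a string, confines results to the caller’s patient compartment, and the read path returns byte-identical 404 responses for “does not exist” and “not yours”. The collection, ids and auth context are constructed sample data, and the tiny find() is a stand-in for the database driver.

```javascript
// Added example (not from the deck or the Phoenix FHIR server). Two defects on one
// toy search endpoint: (1) a NoSQL operator injected through a search parameter and
// (2) a read that tells the caller whether a record they may not see exists.
// The collection, the ids and the auth context are constructed sample data.
const PATIENTS = [
  { id: 'p1', identifier: 'MRN-1001', name: 'Alice' },
  { id: 'p2', identifier: 'MRN-1002', name: 'Bob' },
  { id: 'p3', identifier: 'MRN-1003', name: 'Carol' },
];

// Stand-in for a MongoDB-style find(): equality plus a few query operators, so the
// effect of an injected operator is visible without a database.
function find(docs, filter) {
  return docs.filter((doc) => Object.entries(filter).every(([field, cond]) => {
    const v = doc[field];
    if (cond !== null && typeof cond === 'object') {
      if ('$ne' in cond) return v !== cond.$ne;
      if ('$gt' in cond) return v > cond.$gt;
      if ('$regex' in cond) return new RegExp(cond.$regex).test(String(v));
      return false;
    }
    return v === cond;
  }));
}

// VULNERABLE: the parsed query value goes straight into the filter. With
// ?identifier[$ne]=x the caller chooses the operator and the filter matches everyone.
function searchUnsafe(reqQuery) {
  return find(PATIENTS, { identifier: reqQuery.identifier });
}

// HARDENED: a FHIR search value is a string; anything else is rejected before the
// driver sees it, and results are additionally confined to the caller's compartment.
function asSearchString(value) {
  if (typeof value !== 'string') throw new TypeError('search parameter must be a string');
  return value;
}
function searchSafe(auth, reqQuery) {
  const filter = {};
  if (reqQuery.identifier !== undefined) filter.identifier = asSearchString(reqQuery.identifier);
  // Compartment scoping: a patient-context token only ever sees its own record,
  // whatever criteria it sends (0 or 1 results, never a hint about other patients).
  if (auth.patient) filter.id = auth.patient;
  const entries = find(PATIENTS, filter);
  return { resourceType: 'Bundle', type: 'searchset', total: entries.length, entry: entries };
}

// Read by id: "does not exist" and "not yours" produce the same status and body, and
// both paths do the same lookup work so the response time does not differ either.
function readPatient(auth, id) {
  const doc = PATIENTS.find((d) => d.id === id);
  const denied = {
    status: 404,
    body: { resourceType: 'OperationOutcome', issue: [{ severity: 'error', code: 'not-found' }] },
  };
  if (!doc) return denied;
  if (auth.patient && auth.patient !== doc.id) return denied;
  return { status: 200, body: doc };
}
```

A clinician token with no patient context ({}) still goes through searchSafe; the compartment filter is simply absent, which is why the scope check belongs in the token verifier and the compartment check in the query builder, not in one place.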
Recursive Denial of Service
Attack:
● Craft a query resulting in recursive object nesting
● Slows server to a crawl
● Other users denied access
(Diagram: Internet → Internet-Facing APIs → Application Code → Database)
Malicious Terminology Expansion
Attack:
● Reference a bad URL
● Server queries bad URL to check code or Structure Def
● Response exploits your server in some way
(Diagram: Application Code → Operating System, with the server calling out to a Bad Terminology Server)
Mitigation: Control Nesting
● Validate response from other servers
● Maintain a whitelist of terminology servers
● Limit recursive queries
● Use scalable infrastructure
Never trust external URLs
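Added example (not from the deck and not Phoenix code): three guards a server can run before it follows a URL or walks a request. The allow-list compares a parsed hostname (so look-alike hosts and embedded credentials do not pass), the nesting check bounds bracket depth on the raw body before JSON.parse ever builds the object, and the include check caps how far a single search can chase references. The allow-listed host, the depth limit and the include cap are assumptions for the demo; refusing the wildcard include is a policy choice, not a FHIR rule.

```javascript
// Added example (not from the deck or the Phoenix FHIR server): guards against
// following untrusted URLs and against recursive nesting. The allow-list host, the
// depth limit and the include cap are assumptions for the demo.
const TERMINOLOGY_SERVERS = new Set(['tx.example.org']);   // constructed allow-list
const MAX_NESTING = 16;

// Only follow canonical/terminology URLs that resolve to an allow-listed host over
// HTTPS, with no embedded credentials. Compared as a parsed hostname, so
// "tx.example.org.evil.test" or "tx.example.org@evil.test" do not slip through.
function isAllowedTerminologyUrl(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return false; }
  if (url.protocol !== 'https:') return false;
  if (url.username || url.password) return false;
  return TERMINOLOGY_SERVERS.has(url.hostname.toLowerCase());
}

// Bound the request body before parsing it: a byte cap plus a count of open
// brackets catches deeply nested JSON without building the object at all.
// Brackets inside string literals are skipped so normal data is not miscounted.
function rejectIfTooDeep(bodyText, limit = MAX_NESTING, maxBytes = 1 << 20) {
  if (bodyText.length > maxBytes) return { ok: false, reason: 'body too large' };
  let depth = 0, inString = false, escaped = false;
  for (const ch of bodyText) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === '{' || ch === '[') {
      if (++depth > limit) return { ok: false, reason: 'nesting too deep' };
    } else if (ch === '}' || ch === ']') depth--;
  }
  return { ok: true };
}

// FHIR _include / _revinclude can chain (":iterate"); cap the number of includes and
// refuse the wildcard so one search cannot pull in the whole resource graph.
function checkIncludes(query, maxIncludes = 4) {
  const includes = [].concat(query._include || [], query._revinclude || []);
  if (includes.length > maxIncludes) return { ok: false, reason: 'too many includes' };
  if (includes.some((i) => i.includes('*'))) return { ok: false, reason: 'wildcard include refused' };
  return { ok: true };
}
```

Run rejectIfTooDeep on the raw body in middleware, before the JSON body parser, so a hostile request is turned away before it costs any parsing work.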
Privilege Escalation / Lateral Movement
Attack:
● Once in application, gain access to OS
● Escalate to root user
● Probe network
● Find sensitive data
(Diagram: Internet → Internet-Facing APIs → Application Code → Operating System, then laterally into other hosts’ Application Code, Operating System and Sensitive Database)
Mitigation: Minimize Access
● Microsegment your network
● Close unneeded ports
● Create separate user accounts
● Monitor network traffic
● Rotate secret keys
Don’t allow any service or user account access to more than strictly necessary
Covering Your Tracks
Attack:
● Once hacker is in, removes logs to hide actions
● Attack can go undetected for months
(Diagram: Internet → Internet-Facing APIs → Application Code → Database (with logs), Operating System)
Mitigation: Log Everything
● Isolate logs from other data
○ Application logs
○ System logs
○ AuditEvent, Provenance
● Make logs append-only
● Use cloud-based logging (ELK, Splunk, CloudWatch, etc.)
Don’t store your logs with the rest of your data
Example: a micro-segmented network
(Diagram of an On-Prem Network. Segments: Unsecure Network, HIPAA-Compliant Network and HIPAA-Compliant VPN Network, joined by VPN links. Components: Internet, Public Website (e.g. WordPress), Secure Website (e.g. Patient Portal), Service Proxy (e.g. LDAP), Internal Service (e.g. LDAP), Logging Services. An X marks the blocked path between segments.)
Phoenix FHIR® Server
Security Focused | Web-Scale Technologies | Datasource Agnostic | Extensible
● Open-Source on Node JS
● Easy to implement
● Supports any version of FHIR®
● Supports GraphQL
● Robust security framework
Security is built-in
● Implements security best practices
● Validates all data in and out
● Separates log storage
● Fully supports OAuth2 / SMART
● Enforces authorization with scopes
● Security tested as part of ONC Challenge
○ All findings reported publicly
○ All vulnerabilities were fixed
What’s your responsibility?
Defense is both deep and broad
● Defense in Depth: must have security at every layer
● Limit the Blast Radius: ensure a breach in one system can’t spread to other systems
DevSecOps: Development, Security, Operations
Security is everyone’s problem
As a developer, it’s your responsibility to secure your code
Implement the security parts of FHIR
http://build.fhir.org/security.html
● OAuth2
● Narrative
● Access Denied
● Error Handling
● Security Labels
Security Labels
http://build.fhir.org/security-labels.html
● Provide finer-grained access control than scopes
● You must honor them
○ Do Not Store
○ Delete After Use
There is no silver bullet for security
● Protect as much as you can
● Keep your systems patched
● Conduct penetration testing on your own systems
● Offer bug bounties
● Expect the unexpected
Try out our hacking challenge
● Go to FHIR DevDays Exercises and download our VM
○ Contains insufficiently-secure FHIR server
○ Contains hacking tools and instructions
○ Contains some hidden vulnerabilities
Security Resources
FHIR Security Standards
● https://www.hl7.org/fhir/security.html
SMART-on-FHIR Security Best Practices
● http://docs.smarthealthit.org/authorization/best-practices/
OWASP Top-Ten Project
● https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Verizon Data Breach Investigation Report
● https://enterprise.verizon.com/resources/reports/dbir/
Get Free Stuff!
https://asymmetrik.com/fhir
● Phoenix FHIR® Server code
● Blog Posts
● Podcasts
● … and some songs