[{"innerBlocks":[],"name":"core\/freeform","postId":2124,"blockType":{"name":"core\/freeform","keywords":[],"attributes":{"content":{"type":"string","source":"raw"},"lock":{"type":"object"}},"providesContext":[],"usesContext":[],"selectors":[],"supports":{"className":false,"customClassName":false,"reusable":false},"styles":[],"variations":[],"apiVersion":3,"title":"Classic","description":"Use the classic WordPress editor.","category":"text"},"originalContent":"Boston-based 1upHealth is the Stage 2 winner of the Office of the National Coordinator for Health IT\u2019s Secure API Server Showdown Challenge, designed to address the potential security vulnerabilities of servers using HL7\u2019s emerging Fast Healthcare Interoperability Resources (FHIR) standard.

In Stage 1 of ONC\u2019s challenge, technology and analytics firm Asymmetrik developed an open source FHIR server based on current industry technical standards, best practices, and recently issued healthcare-specific technical requirements for security.

However, in Stage 2, 1upHealth hacked into Asymmetrik\u2019s FHIR server to find security vulnerabilities that a malicious hacker could potentially exploit and to identify ways to strengthen the server while improving the overall security.

\u201cStage 2 was all about how to figure out how to lock down the FHIR server,\u201d says Gajen Sunthara, co-founder of 1upHealth, who notes that his company has developed its own secure FHIR API server. \u201cWe found vulnerabilities in Asymmetrik\u2019s FHIR server, and that\u2019s how we won this challenge.\u201d

Sunthara adds that the purpose of such \u201cethical\u201d hacking is to uncover previously unknown system vulnerabilities\u2014a practice that the Department of Defense has successfully instituted with similar hackathon events.

Also See<\/b>: Fed agencies look to encourage use of ethical hacking in healthcare<\/a>

According to 1upHealth, all the vulnerabilities discovered in the FHIR server\u2019s code specifically involved the OAuth2 (authorization framework) implementation.

\u201cDevelopers should not build their own OAuth2 implementation,\u201d warned 1upHealth on their website. \u201cUse something open source or an API gateway off the shelf. Those solutions have been battle tested by thousands of people. The FHIR server logic is only a small part of the full security model. Most of the security should be in the first layer, which doles out keys to access data like the OAuth2 implementation.\u201d

The source code 1upHealth used to hack into Asymmetrik\u2019s FHIR server has been posted on GitHub<\/a> for public use.

\u201cAs a result of this challenge, a unique open-source FHIR implementation using JavaScript, Node.js and MongoDB is now available for industry developers to build upon,\u201d according to ONC. \u201cThis implementation meets the security technical requirements as specified in the Argonaut Data Query Implementation Guide Version 1.0.0.\u201d

In March, 1upHealth was also announced as a Phase 2 winner in ONC\u2019s Health Data Provenance Challenge. Data provenance provides the ability to trace and verify when and who created information, how it has been used or moved among different data sources, and how it has been modified throughout its lifecycle as it has been exchanged.

ONC issued that challenge to industry to promote the use of data provenance by health IT systems in an effort to help identify erroneous information while improving data accuracy and ultimately patient safety. 1upHealth\u2019s winning solution <\/b>leveraged FHIR and blockchain technology.","saveContent":"Boston-based 1upHealth is the Stage 2 winner of the Office of the National Coordinator for Health IT\u2019s Secure API Server Showdown Challenge, designed to address the potential security vulnerabilities of servers using HL7\u2019s emerging Fast Healthcare Interoperability Resources (FHIR) standard.

In Stage 1 of ONC\u2019s challenge, technology and analytics firm Asymmetrik developed an open source FHIR server based on current industry technical standards, best practices, and recently issued healthcare-specific technical requirements for security.

However, in Stage 2, 1upHealth hacked into Asymmetrik\u2019s FHIR server to find security vulnerabilities that a malicious hacker could potentially exploit and to identify ways to strengthen the server while improving the overall security.

\u201cStage 2 was all about how to figure out how to lock down the FHIR server,\u201d says Gajen Sunthara, co-founder of 1upHealth, who notes that his company has developed its own secure FHIR API server. \u201cWe found vulnerabilities in Asymmetrik\u2019s FHIR server, and that\u2019s how we won this challenge.\u201d

Sunthara adds that the purpose of such \u201cethical\u201d hacking is to uncover previously unknown system vulnerabilities\u2014a practice that the Department of Defense has successfully instituted with similar hackathon events.

Also See<\/b>: Fed agencies look to encourage use of ethical hacking in healthcare<\/a>

According to 1upHealth, all the vulnerabilities discovered in the FHIR server\u2019s code specifically involved the OAuth2 (authorization framework) implementation.

\u201cDevelopers should not build their own OAuth2 implementation,\u201d warned 1upHealth on their website. \u201cUse something open source or an API gateway off the shelf. Those solutions have been battle tested by thousands of people. The FHIR server logic is only a small part of the full security model. Most of the security should be in the first layer, which doles out keys to access data like the OAuth2 implementation.\u201d

The source code 1upHealth used to hack into Asymmetrik\u2019s FHIR server has been posted on GitHub<\/a> for public use.

\u201cAs a result of this challenge, a unique open-source FHIR implementation using JavaScript, Node.js and MongoDB is now available for industry developers to build upon,\u201d according to ONC. \u201cThis implementation meets the security technical requirements as specified in the Argonaut Data Query Implementation Guide Version 1.0.0.\u201d

In March, 1upHealth was also announced as a Phase 2 winner in ONC\u2019s Health Data Provenance Challenge. Data provenance provides the ability to trace and verify when and who created information, how it has been used or moved among different data sources, and how it has been modified throughout its lifecycle as it has been exchanged.

ONC issued that challenge to industry to promote the use of data provenance by health IT systems in an effort to help identify erroneous information while improving data accuracy and ultimately patient safety. 1upHealth\u2019s winning solution <\/b>leveraged FHIR and blockchain technology.","order":0,"get_parent":{},"attributes":[],"attributesType":{"content":{"type":"string","source":"raw"},"lock":{"type":"object"}},"dynamicContent":""}]

1upHealth wins Stage 2 of ONC Secure API Server Showdown Challenge

More for you