Security on FHIR - FHIR DevDays (slide transcript)

Post on 30-Jun-2020


Security on FHIR

Andrew Marcus, Healthcare Technology Lead

Amsterdam, 14-16 November | @HL7 @Asymmetrik | #fhirdevdays18 | asymmetrik.com/fhir

HL7®, FHIR® and the flame Design mark are registered trademarks of Health Level Seven International and are used with permission.

Your system can get hacked if:

● You’re building a FHIR server

● You’re building a FHIR app

● You’re building any kind of application

● You’re using Cloud Infrastructure

● You’re connected to the internet

● You’re not connected to the internet

Globally, in 2017:

● 53K+ reported incidents, 2,216 confirmed breaches

● Hacks primarily use known, unpatched vulnerabilities

● Healthcare sector is largest victim:

○ 24% of all incidents

○ 56% were from insiders

Source: Verizon Data Breach Investigation Report 2018

Why do attackers target health systems?

Cyber Criminal Business Plan*

Phase 1: Download hacker tools

Phase 2: (left blank on the slide)

Phase 3: Profit!

* apologies to South Park

Hacking for profit:

● Selling Bulk Personal Data

● Identity Theft, Benefits Fraud

● Ransomware

76% of all attacks are financially motivated

Ransomware is now offered as a service

Source: Verizon Data Breach Investigation Report 2018

Motivation

Gaining advantage or making a statement:

● Graffiti

● Espionage

● DDoS

Source: Verizon Data Breach Investigation Report 2018

Motivation

● Spy on your competitors

● Place statement on a website

● Take down a website

Targeted personal attack:

● Get pain meds

● Alter drug tests

● Change health records

● Attack medical devices

● Obtain health records

● Revenge

● Lookup celebrity

● Kill patients

Motivation

What do attackers want?

Business Sensitive Information

● Operations Data

● Employee Lists

Personal Identifying Information (PII)

● Credit Cards

● SSNs

Personal Health Information (PHI)

● Health Records

● Device Data

Common types of attacks (an incomplete list)

Attacks usually involve many techniques

Using Bots to Scan for Vulnerabilities (Attack)

[Diagram: Internet → Internet-Facing APIs → Application Code → Operating System → Database; the scan is aimed at the Internet-Facing APIs]

● Hackers are lazy

● Scripts test for all known vulnerabilities

● Might be randomly targeted

Thwart Bots (Mitigation)

Apply all security patches

Use static code analysis
• Snyk.io, SonarQube, HP Fortify

Use a Web Application Firewall (WAF)

Close all unused ports

Don’t assume attackers won’t know about latest vulnerabilities

SQL/NoSQL Injection (Attack)

[Diagram: attack path Internet → Internet-Facing APIs → Application Code → Database]

● Pass database commands directly from a browser

○ Get additional records

○ Change/delete data

● Also works with NoSQL databases, e.g. MongoDB

An example of SQL Injection

Source: XKCD.com

Cross-Site Scripting (XSS) (Attack)

[Diagram: attack path Internet → Internet-Facing APIs → Application Code]

● Place bad JS on webpage and share with users

● JS can do bad things:

○ Steal session cookie

○ Install keylogger

○ Read data on the page

Block Injections (Mitigation)

Always sanitize inputs

Use a database query abstraction layer (e.g. an ORM)

Remove script tags from inputs before using

Look at OWASP Top-10 for good coding practices

Don’t trust the data in or out
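As an added example (not code from the talk or from the Phoenix server), here is the same patient lookup built the injectable way and the parameterized way, first for SQL and then for a MongoDB filter. The `patient` table, the `family` field and the request body shape are assumptions.

```javascript
// UNSAFE: the value is spliced into the SQL text, so a quote in the input
// ends the string literal and whatever follows is parsed as SQL.
function unsafeSqlLookup(family) {
  return `SELECT id, family FROM patient WHERE family = '${family}'`;
}

// SAFE: the SQL text is fixed and the value travels separately, in the
// {text, values} shape node-postgres accepts, so the database never parses
// user input as SQL. A query abstraction layer (ORM) does this for you.
function safeSqlLookup(family) {
  return { text: 'SELECT id, family FROM patient WHERE family = $1', values: [family] };
}

// UNSAFE: a parsed JSON body goes straight into a MongoDB filter, so an
// object such as {"$ne": null} becomes a query operator instead of a value.
function unsafeMongoFilter(body) {
  return { family: body.family };
}

// SAFE: only a bounded, non-empty plain string is accepted as the match
// value; objects, arrays and anything starting with "$" are refused before
// they reach the driver.
function safeMongoFilter(body) {
  const value = body.family;
  if (typeof value !== 'string' || value.length === 0 || value.length > 256 || value.startsWith('$')) {
    throw new Error('family must be a plain string');
  }
  return { family: value };
}

// Helper for the checks: does a filter carry a MongoDB operator key?
function containsOperator(filter) {
  return Object.values(filter).some((v) => v !== null && typeof v === 'object' &&
    Object.keys(v).some((k) => k.startsWith('$')));
}
```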

Malicious HTML in FHIR Narrative (Attack)

[Diagram: attack path Internet → Internet-Facing APIs → Application Code → Database / Operating System]

● Include bad JS in HTML field of FHIR resource

○ Runs in doctor’s scope

● Upload image attachment with executable payload

○ Runs on server

Scrub Active Elements (Mitigation)

Scrub out all active elements
• Not just onclick; also onhover, onfocus, onerror…

Ensure image attachments are not executable

Never run unknown code

Auto-generate narrative

Open bug bounty!

http://build.fhir.org/narrative.html
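The scrubbing rule above in code, as an added example that is not from the talk or the Phoenix server: a fail-closed validator for the XHTML in a FHIR Narrative `div` that refuses scripts, every `on*` attribute and script-scheme URLs, and rejects anything it cannot classify instead of "cleaning" it. The tag, attribute and scheme allowlists are assumptions chosen for illustration; a production server should enforce the same policy through a real XHTML parser rather than this small tokenizer.

```javascript
const ALLOWED_TAGS = new Set(['div', 'p', 'span', 'b', 'i', 'em', 'strong',
  'ul', 'ol', 'li', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'br',
  'h1', 'h2', 'h3', 'a', 'img', 'pre', 'code', 'blockquote']);
const ALLOWED_ATTRS = new Set(['id', 'class', 'style', 'href', 'src', 'alt',
  'title', 'colspan', 'rowspan', 'xmlns', 'lang', 'xml:lang']);
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// One start or end tag: group 1 = tag name, group 2 = raw attribute text.
const TAG_RE = /<\/?([A-Za-z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function urlIsSafe(value) {
  // Drop control characters first, then look for an explicit scheme.
  const m = /^\s*([A-Za-z][\w+.-]*):/.exec(value.replace(/[\u0000-\u001f]/g, ''));
  return !m || ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

function checkNarrative(xhtml) {
  let rest = xhtml;
  for (const tag of xhtml.matchAll(TAG_RE)) {
    const name = tag[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return { ok: false, reason: `tag <${name}> not allowed` };
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      const aname = attr[1].toLowerCase();
      const value = attr[2] ?? attr[3] ?? attr[4] ?? '';
      // Event handlers (onclick, onerror, onfocus, ...) are never allowed.
      if (aname.startsWith('on') || !ALLOWED_ATTRS.has(aname)) {
        return { ok: false, reason: `attribute ${aname} not allowed` };
      }
      if ((aname === 'href' || aname === 'src') && !urlIsSafe(value)) {
        return { ok: false, reason: `unsafe URL in ${aname}` };
      }
    }
    rest = rest.replace(tag[0], '');
  }
  // Whatever is left must be plain text: a stray "<" means a comment, CDATA
  // section or malformed tag the tokenizer did not recognise, so fail closed.
  if (rest.includes('<')) return { ok: false, reason: 'unparsed markup' };
  return { ok: true };
}
```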

Compromised Credentials (Attack)

[Diagram: attack path Internet → Internet-Facing APIs → Application Code → Database, using the stolen credentials]

● Obtain credentials from user

○ Phishing

○ Brute-force

● Login as user

● Do anything user can do

Protect Credentials (Mitigation)

Use 2FA, strong passwords and an org-wide password manager

Never share accounts

Don’t give employees more access than they need

Limit login attempts

Phishing is often the easiest way to get health data

A word on passwords

Source: XKCD.com

Passwords should be long

Other rules no longer apply

Man-in-the-Middle Attack (Attack)

[Diagram: a Fake Server placed between the Internet and the Internet-Facing APIs → Application Code → Database]

● Intercept request

○ Spoof DNS

○ Sniff network traffic

● Intercept communication

○ Steal sensitive data

○ Impersonate user

Encrypt Everything (Mitigation)

Always use encryption!

At least TLS 1.2

At least 256-bit AES keys

Use trusted certificates

Lock your domain names
• Purchase similar domains

Disable support immediately for TLS 1.0, 1.1 and SHA1

OAuth2 Token Shenanigans (Attack)

[Diagram: Internet → Application Code → Database, with the OAuth Server that issues and validates tokens alongside]

● Acquire valid JWT token

● Acquire signature key

● Alter token and re-sign

○ Escalate privileges

○ Change scope

○ Change patient ID

Stop Token Forgery (Mitigation)

Require tokens for all actions

Validate tokens with server

Use short expiration and random state parameter

Always have a server for apps to hide client secrets

Use JWE instead of JWS

Don’t trust tokens without verifying them

JWS has a “none” signature algorithm

[Diagram: the three parts of a JWS token: Payload, Algorithm, Signature]

● If you say None, JWS validation tools say OK!

● Unpatched JWS libraries still have this vulnerability

It is not OK. Use JWE instead

Querying for Unauthorized Data (Attack)

[Diagram: attack path Internet → Application Code → Database]

● Craft a clever query

● Surmise existence of records hacker has no access to

Pop Quiz!

What should happen when a patient queries the /patients search endpoint?

● Successful result containing only authorized records

○ 1 record if criteria match the patient

○ 0 records if criteria do not match the patient

● Exclude any evidence that other records exist

Plug Leaky Queries (Mitigation)

Missing/unauthorized data should be indistinguishable

Think about timing attacks

Don’t reveal log messages for internal system errors

Don’t reveal more than the user needs to know

http://build.fhir.org/security.html#AccessDenied
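The pop-quiz answer in code, as an added example (not the talk's or the Phoenix server's code): the caller's patient compartment from the SMART token is applied before the search criteria, so "no such record" and "someone else's record" yield the same empty Bundle, with a leaky variant beside it for contrast. The in-memory patient list, the token shape {scope, patient} and the supported search parameters are assumptions.

```javascript
// Constructed data standing in for the Patient table.
const PATIENTS = [
  { id: 'p1', family: 'Smith', birthDate: '1980-01-01' },
  { id: 'p2', family: 'Jones', birthDate: '1975-06-30' },
];
const SEARCHABLE = new Set(['_id', 'family', 'birthDate']);

function searchset(resources) {
  return {
    resourceType: 'Bundle', type: 'searchset', total: resources.length,
    entry: resources.map((r) => ({ resource: { resourceType: 'Patient', ...r } })),
  };
}

// Unknown parameters simply never match; nothing about them is echoed back.
function matches(patient, criteria) {
  return Object.entries(criteria).every(([name, value]) =>
    SEARCHABLE.has(name) && patient[name === '_id' ? 'id' : name] === value);
}

// LEAKY: searches everything, then checks authorization. The 403 for a hit
// on another patient confirms that such a record exists.
function leakySearch(token, criteria) {
  const hits = PATIENTS.filter((p) => matches(p, criteria));
  if (hits.some((p) => p.id !== token.patient)) return { status: 403, body: { error: 'not your record' } };
  return { status: 200, body: searchset(hits) };
}

// SAFE: narrow to the compartment the token grants first, then search only
// inside it. Missing and unauthorized records are indistinguishable, and the
// work done never depends on other patients' data, so there is no timing
// signal either.
function safeSearch(token, criteria) {
  const scopes = token.scope.split(' ');
  if (!scopes.includes('patient/Patient.read') && !scopes.includes('patient/*.read')) {
    return { status: 403, body: { error: 'insufficient scope' } };
  }
  const compartment = PATIENTS.filter((p) => p.id === token.patient);
  const hits = compartment.filter((p) => matches(p, criteria));
  return { status: 200, body: searchset(hits) };
}
```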

Recursive Denial of Service (Attack)

[Diagram: attack path Internet → Internet-Facing APIs → Application Code]

● Craft a query resulting in recursive object nesting

● Slows server to a crawl

● Other users denied access

Malicious Terminology Expansion (Attack)

[Diagram: Application Code / Operating System reaching out over the Internet to a Bad Terminology Server]

● Reference a bad URL

● Server queries bad URL to check code or StructureDefinition

● Response exploits your server in some way

Control Nesting (Mitigation)

Validate response from other servers

Maintain a whitelist of terminology servers

Limit recursive queries

Use scalable infrastructure

Never trust external URLs
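Two of the mitigations above in code, as an added example that is not from the talk or the Phoenix server: a bounded nesting check run over a parsed resource before any further processing, and an exact-hostname allowlist applied to every terminology or StructureDefinition URL before the server fetches it. The depth limit and the allowlisted hostname are placeholders.

```javascript
const MAX_DEPTH = 16;                                      // assumed limit
const TERMINOLOGY_SERVERS = new Set(['tx.example.org']);   // placeholder allowlist

// Walks a parsed JSON value with an explicit stack (no recursion, so a
// hostile document cannot exhaust the call stack) and stops at the first
// container deeper than the limit.
function exceedsDepth(value, limit = MAX_DEPTH) {
  const stack = [{ node: value, depth: 1 }];
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    if (depth > limit) return true;
    for (const child of Object.values(node)) stack.push({ node: child, depth: depth + 1 });
  }
  return false;
}

// Admission check for an incoming resource body (raw JSON text or parsed).
function acceptResource(body) {
  let resource;
  try { resource = typeof body === 'string' ? JSON.parse(body) : body; } catch { return { ok: false, reason: 'invalid JSON' }; }
  if (exceedsDepth(resource)) return { ok: false, reason: `nesting deeper than ${MAX_DEPTH}` };
  return { ok: true, resource };
}

// Only https URLs whose hostname is exactly on the allowlist may be fetched;
// look-alike hosts, userinfo tricks and plain http are refused.
function isAllowedTerminologyUrl(text) {
  let url;
  try { url = new URL(text); } catch { return false; }
  return url.protocol === 'https:' && TERMINOLOGY_SERVERS.has(url.hostname.toLowerCase());
}

// Builds a deeply nested Parameters-style document for testing; every level
// adds one object and one array, so k levels reach depth 1 + 2k.
function nestedDocument(levels) {
  let doc = { resourceType: 'Parameters' };
  for (let i = 0; i < levels; i++) doc = { part: [doc] };
  return doc;
}
```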

Privilege Escalation / Lateral Movement (Attack)

[Diagram: attack path Internet → Internet-Facing APIs → Application Code → Operating System, then on to a Sensitive Database]

● Once in application, gain access to OS

● Escalate to root user

● Probe network

● Find sensitive data

Minimize Access (Mitigation)

Microsegment your network

Close unneeded ports

Create separate user accounts

Monitor network traffic

Rotate secret keys

Don’t allow any service or user account access to more than strictly necessary

Covering Your Tracks (Attack)

[Diagram: attack path Internet → Internet-Facing APIs → Application Code → Operating System → Database (with logs)]

● Once hacker is in, removes logs to hide actions

● Attack can go undetected for months

Log Everything (Mitigation)

Isolate logs from other data
• Application logs
• System logs
• AuditEvent, Provenance

Make logs append-only

Use cloud-based logging
• ELK, Splunk, CloudWatch, etc.

Don’t store your logs with the rest of your data

Example: a micro-segmented network

[Diagram: networks shown are the On-Prem Network, an Unsecure Network, a HIPAA-Compliant Network and a HIPAA-Compliant VPN Network, joined by VPN links; components shown are the Internet, a Public Website (e.g. WordPress), a Secure Website (e.g. Patient Portal), a Service Proxy (e.g. LDAP), an Internal Service (e.g. LDAP) and Logging Services; one path is marked blocked (X)]

Phoenix FHIR® Server

Security Focused, Web-Scale Technologies, Datasource Agnostic, Extensible

● Open-Source on Node JS

● Easy to implement

● Supports any version of FHIR®

● Supports GraphQL

● Robust security framework

Security is built-in

Implements security best practices

Validates all data in and out

Separates log storage

Fully supports OAuth2 / SMART

Enforces authorization with scopes

Security tested as part of ONC Challenge

● All findings reported publicly

● All vulnerabilities were fixed

What’s your responsibility?

Defense is both deep and broad

Defense in Depth:
• Must have security at every layer

Limit the Blast Radius:
• Ensure a breach in one system can’t spread to other systems

DevSecOps: Development, Security, Operations

Security is everyone’s problem

As a developer, it’s your responsibility to secure your code

Implement the security parts of FHIR

http://build.fhir.org/security.html

• OAuth2

• Narrative

• Access Denied

• Error Handling

• Security Labels

Security Labels

http://build.fhir.org/security-labels.html

● Provide finer-grained access control than scopes

● You must honor them

○ Do Not Store

○ Delete After Use

There is no silver bullet for security

● Protect as much as you can

● Keep your systems patched

● Conduct penetration testing on your own systems

● Offer bug bounties

● Expect the unexpected

Try out our hacking challenge

● Go to FHIR DevDays Exercises and download our VM

○ Contains insufficiently-secure FHIR server

○ Contains hacking tools and instructions

○ Contains some hidden vulnerabilities

Security Resources

FHIR Security Standards
● https://www.hl7.org/fhir/security.html

SMART-on-FHIR Security Best Practices
● http://docs.smarthealthit.org/authorization/best-practices/

OWASP Top-Ten Project
● https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Verizon Data Breach Investigation Report
● https://enterprise.verizon.com/resources/reports/dbir/

Get Free Stuff!

https://asymmetrik.com/fhir

● Phoenix FHIR® Server code

● Blog Posts

● Podcasts

● … and some songs

Andrew Marcus, andrew@asymmetrik.com

Thank You!

https://asymmetrik.com/fhir
