
Playing With FHIR? Don’t Get Burned, White-hat Hacker Cautions




This October, cybersecurity expert Alissa Knight released a white paper in partnership with API threat protection vendor Approov exploring how healthcare’s so-called last mile remains vulnerable to attacks.

The report, “Playing With FHIR,” was “the largest unveiling of vulnerabilities in the history of the healthcare industry since the first electronic healthcare system came online in the 1960s,” said Knight in her keynote at the HIMSS Healthcare Cybersecurity Forum on Monday. (HIMSS is Healthcare IT News’ parent company.)

And its release, she noted, made an appropriately large splash.

“While extremely controversial, [the white paper] was a much-needed red pill for the healthcare industry on the clear and present danger in what can happen when a FHIR implementation isn’t properly secured,” she said.

“Congratulations, this is the very last presentation of this research,” Knight added with a smile, explaining that she’s ready to move on to other explorations. “‘Playing With FHIR’ has been over a year of my life, and it’s time to close the chapter on that.”

For the report, Knight tested three production FHIR APIs, which served an ecosystem of 48 apps and APIs. All told, the ecosystem covered aggregated electronic health record data from 25,000 providers and payers.

Knight’s report, she explained, found that 4 million patient and clinician records could be accessed from a single patient login account. Furthermore, 53% of the tested mobile apps had hard-coded API keys and tokens, which could be used to attack EHR APIs.

“It’s 2021, and we’re still hard-coding … it’s a real problem, we need to stop doing it,” she said.

“If there are any developers in the audience: Stop hardcoding API keys and tokens in the apps, especially ones that grant you access to an API as the only authentication.” She added: “If you’re going to do it, definitely obfuscate the code. Don’t make it so easy.”

Knight also found that 100% of FHIR APIs tested allowed API access to other patients’ health data using one patient’s credentials. And, she said, half of clinical data aggregators did not implement database segmentation.

So, what can developers and decision-makers do to ensure their API implementations are secure?

Knight laid out a few options:

Hack your own APIs and apps via penetration testing – before bad actors do.
Authenticate and authorize traffic.
Implement zero-trust architecture and “woman-in-the-middle” protections.
Find an API threat management tool that allows observability.
Prevent tool-generated traffic.
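The finding that one patient’s credentials could read other patients’ records is a missing object-level authorization check, and the “authenticate and authorize traffic” item above is its fix. The following is an added example, not code from the report, Knight, or any vendor: it contrasts a FHIR read handler that only authenticates with one that also ties every resource to the patient context of the token, and applies the same rule to a search. The token fields, scopes, resource ids and in-memory store are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenContext:
    """Constructed stand-in for a validated SMART on FHIR access token:
    the patient it was issued for (launch context) and the granted scopes."""
    patient_id: str
    scopes: frozenset

# Constructed in-memory resource store; every record carries its owning patient.
RESOURCES = {
    ("Patient", "p-001"): {"id": "p-001", "subject": "p-001"},
    ("Patient", "p-002"): {"id": "p-002", "subject": "p-002"},
    ("Observation", "o-900"): {"id": "o-900", "subject": "p-002", "code": "8867-4"},
    ("Observation", "o-901"): {"id": "o-901", "subject": "p-001", "code": "8867-4"},
}

def _require_scope(token, rtype):
    if token is None:
        raise PermissionError("unauthenticated")
    if not ({f"patient/{rtype}.read", "patient/*.read"} & token.scopes):
        raise PermissionError(f"scope does not permit reading {rtype}")

def fetch_vulnerable(token, rtype, rid):
    """The pattern behind the finding: the caller is authenticated, but the
    requested resource is never tied back to the caller's patient context."""
    if token is None:
        raise PermissionError("unauthenticated")
    return RESOURCES.get((rtype, rid))

def fetch_hardened(token, rtype, rid):
    """Authenticate, check scope, then enforce object-level ownership."""
    _require_scope(token, rtype)
    res = RESOURCES.get((rtype, rid))
    if res is None or res["subject"] != token.patient_id:
        # Same answer for "does not exist" and "belongs to someone else", so
        # the API does not confirm which ids exist for other patients.
        return None
    return res

def search_hardened(token, rtype, params):
    """Search endpoints leak the same way: a client-supplied patient=... filter
    is checked against the token and the result set is scoped to that patient."""
    _require_scope(token, rtype)
    if params.get("patient", token.patient_id) != token.patient_id:
        raise PermissionError("patient filter does not match token context")
    return [r for (t, _), r in RESOURCES.items()
            if t == rtype and r["subject"] == token.patient_id]
```

With a token for p-001, the vulnerable read returns p-002’s observation while the hardened read returns nothing, and a search that asks for patient=p-002 is refused rather than silently honoured.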

Knight emphasized the importance of securing patient information, which is permanent and lifelong.

“We are talking about people’s patient data, which is worth 1,000 times more on the dark web than a U.S. credit card number,” she said.

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.



PatientBond, Vizient Team up for Digital Behavior Change Tools




Patient engagement SaaS provider PatientBond and healthcare performance improvement and analytics company Vizient are partnering up to provide Vizient member healthcare organizations with digital patient engagement and behavior change programs.

WHY IT MATTERS
PatientBond’s digital engagement workflows can be personalized with psychographic insights, with the aim of activating patient behaviors and driving improved patient engagement and outcomes.

Through the partnership, Vizient’s customer base, which includes academic medical centers, pediatric facilities and community hospitals, will offer programming including care gap closures, condition-specific messaging, screenings and appointment reminders, and appropriate-use communications.

The aim of the programs is to reduce hospital readmissions and improve digital health risk assessments.

Other programs included in the deal will provide psychographically segmented marketing campaigns to advance patient/member activation, as well as patient and physician matching or find a doctor services based on psychographic insights.

The deal will also provide extensive market research insights and dynamic payment reminders for partners.

THE LARGER TREND
Patient-reported outcomes are a critical way to assess the ongoing state of patient health and satisfaction, and a growing number of digital tools are helping providers collect them.

The financial upside for care providers is also noteworthy: Jackson Hospital significantly improved its finances with digital patient engagement tools, switching from letters and phone calls to automated emails and text messages along with some help from analytics.

At Rush University Medical Center, the hospital has deployed similar digital tools to reduce the strain of avoidable readmissions and ED recidivism when resources already were at capacity.

Last year, Cardinal Health announced the launch of a digital patient engagement platform aimed at addressing medication adherence challenges – a significant issue for the health industry and patients.

In 2019, Vizient collaborated with Civica Rx on provider needs analytics data to reduce Rx costs. By providing insights into purchasing patterns and provider needs through its analytics and data capabilities, Vizient helped Civica Rx anticipate gaps in drug availability and affordability.

ON THE RECORD
“PatientBond brings consumer science and dynamic intervention technologies to healthcare with unmatched clinical and business results,” said PatientBond CEO Justin Dearborn in a statement. “Vizient’s member healthcare organizations can benefit from PatientBond’s personalized patient engagement at scale with proven and consistent results.”

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209


LifePoint Health Inks Data Deal With Health Catalyst




Brentwood, Tennessee-based LifePoint Health has entered a new collaboration with Health Catalyst and will use its analytics technologies to help bolster care quality, lower costs and improve population health management.

WHY IT MATTERS
LifePoint Health will integrate Health Catalyst’s data operating system and analytics tools to gather performance metrics and drive improvements in healthcare quality, reporting, and operational and financial decision-making.

By discovering and sharing clinical data, the partnership will help reduce variation in clinical outcomes. Health Catalyst’s tools dovetail with LifePoint’s national quality and facility recognition program goals to measurably improve patient care, safety and satisfaction as well as improve access and lower costs, according to the company.

In addition to the cloud-based data platform, LifePoint will use Health Catalyst’s analyzer, insights, AI, patient safety monitoring and data entry applications. The suite of tools can help increase organizational speed and interoperability, according to Health Catalyst.


While healthcare organizations are just beginning to scratch the surface of using data to drive improvements, according to Health Catalyst President Patrick Nelli, the company’s strategic acquisitions have given it the ability to customize software and services around core care systems.

One of them was its purchase earlier this year of KPI Ninja, whose event-driven data processing capabilities complement Health Catalyst’s own platform, enabling customers to build new services and operational tools around their core care systems.

LifePoint, meanwhile, has been making acquisitions of its own, such as its June 2021 addition of specialty hospital company Kindred Healthcare, with an eye toward a delivery network that taps into Kindred’s specialty hospital and rehabilitative expertise and its behavioral health platform.

ON THE RECORD
“The Health Catalyst DOS platform, along with our technology product suites and applications, and improvement expertise, will best position LifePoint Health to achieve, sustain and scale the highest standards of care across its network,” said Health Catalyst CEO Dan Burton in a statement this week.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.



Fifteen Months for Domestic Worker Who Stole Jewellery




On Thursday, a Palma court sentenced a domestic worker to fifteen months for the theft of jewellery from her employer, a woman in her eighties.

Between 2015 and the end of 2020, the 45-year-old Chilean worked two days a week at the woman’s home in Sa Indioteria, Palma. Over that period, she stole various items of jewellery. The woman only realised this at the end of 2020, which was when she reported the matter to the National Police.

The police established that these items, which included watches, rings and bracelets, were sold in gold-buying establishments in Palma. The woman later verified that these were hers. As well as the jewellery, a hearing aid was stolen.

In January 2021, the domestic worker was arrested. She was described as being in an “irregular situation” in Spain. Her lawyer obtained agreement for the sentence to be suspended so long as a sum of 10,700 euros is paid over three years, at a rate of 297 euros per month, and she does not commit another crime during this period.
