Top Tweets for #HackingFHIR
Hack healthcare? Check! Excellence in journalism! The always brilliant journalist, @beckyphilmath has published an article highlighting my research into hacking healthcare APIs in a new @techradar article at https://t.co/lIwXv18Nqr
#HackingFHIR #HackingHealthcare #APISecurity
My message to the #FHIR community on the public response to my white paper #PlayingWithFHIR: Hacking FHIR #API Implementations by some FHIR community members on social media https://t.co/K0kjXD2a4A
@HL7 @approov_io @knightinkmedia #KnightWriter #HackingAPIs #HackingFHIR
@amalec No, the #WITM is a real attack vector that YOU need to worry about.
The how-to-do-it is something any competent hacker, black or white, can easily execute. You may assess the risk as low. I don't want to be you when that backfires.
#HackingFHIR
In terms of quality, the content here, with a few small modifications, could easily make it through peer review.
I've seen worse in peer reviewed journals, and the art isn't nearly as good.
#HackingFHIR
For appendix G&H, I must say:
If you offer write capacity in any way, invest double or treble the effort you put into securing applications.
This is where people can die as a result of unsecured data access. Threats so far have been to privacy, but this threatens life.
#HackingFHIR
If you haven't figured it out yet, I'm having to pause for a bit in my deep reading, but should get back to it later this afternoon/evening.
#HackingFHIR
A day or two of research would have greatly added value to this report. How many of these Apps were HACP, HonCode certified or developed by a HITRUST certified company?
We don't know, and I suspect that @alissaknight doesn't either; a follow-up would be good.
#HackingFHIR
It's interesting because someone who spent a year hacking FHIR isn't aware of formal certification bodies for apps.
1. https://t.co/RiDCA4gSy2
2. https://t.co/ybNBlE7WnL
3. https://t.co/oW7uEOSHav
4. https://t.co/OqLPzgzuyX
That's two pages of a Google search.
#HackingFHIR
On to recommendations at page 21:
This is an interesting comment:
"If there existed some formal certification body for apps, and the certification status of a given app could be programmatically verified ..."
#HackingFHIR
Why is that important? Because I cannot interpret the results without understanding the population behind the data for the results being reported. If you report on quantities (or percentiles) for companies, you need to give me N for companies.
#HackingFHIR
We know that 4 healthcare institutions and 48 apps were tested, but how many companies? And how many apps from the same company? There has to be at least 4, and at most 46 (though unlikely), probably somewhere around 25-ish. But that number is not reported yet.
#HackingFHIR
I got a D in geometry in 10th grade not because I couldn't come up with the right answer, but because I always skipped the (to me) obvious steps. This report does that too.
#HackingFHIR
I'd love to ask @williamhersh to grade this as if he were grading a research report, based solely on expected content (not formatting or style). It would be lucky to get a C. That doesn't mean the content in this report is bad. Far from it.
#HackingFHIR
There's a way to present this that I've learned from my MBI program through @OHSUInformatics. This research report would have benefited from reporting in that fashion. Sure, use cool graphics, but present the expected material in the expected order.
#HackingFHIR
I think @alissaknight should read some @EdwardTufte. The charts on page 17 clearly have been through marketing hands. The scales aren't labeled and don't make sense, the heights don't line up.
I'm hoping that later text will clarify this.
#HackingFHIR
I cannot actually interpret the graphics on page 17 because they lack explanation. There's a standard way in research to report a) the nature of the data, and distinguish that from b) the results. It's not clear whether tables on page 17 represent a or b or both.
#HackingFHIR
"With one patient engagement app, the API endpoint sent me all the patient and clinician records in its database, indicating it was using the mobile app to filter out just my record."
This is unconscionable security negligence.
#HackingFHIR
"For the vulnerabilities allowing me unauthorized access to other patient data, I was logged in as a patient that should have limited scope to just my records."
I nailed that one here: https://t.co/K2NBc1eJfe
But there's more @alissaknight found.
#HackingFHIR
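The finding quoted in the two tweets above (the endpoint returns every record and trusts the app to pick out the caller's own) is, from the server's side, a missing scope check. The block below is an added illustration, not code from the white paper or from any FHIR server: the resources, token claims and simplified SMART on FHIR patient-compartment handling are all constructed.

```python
# Added example (not from the report): a FHIR server enforcing the SMART on FHIR
# patient scope on the server instead of trusting the mobile app to filter.
# All resources and token claims below are constructed for illustration.
from typing import Any, Dict, List, Optional, Tuple

# Constructed data store: what the report's vulnerable endpoint handed back in full.
RESOURCES: List[Dict[str, Any]] = [
    {"resourceType": "Patient", "id": "p-001", "name": [{"family": "Alpha"}]},
    {"resourceType": "Patient", "id": "p-002", "name": [{"family": "Beta"}]},
    {"resourceType": "Observation", "id": "o-1", "subject": {"reference": "Patient/p-001"}},
    {"resourceType": "Observation", "id": "o-2", "subject": {"reference": "Patient/p-002"}},
    {"resourceType": "Practitioner", "id": "dr-1", "name": [{"family": "Gamma"}]},
]

def vulnerable_search(resource_type: str) -> List[Dict[str, Any]]:
    """The pattern the report describes: any authenticated caller receives every
    record of the requested type, and the app is expected to keep only its own."""
    return [r for r in RESOURCES if r["resourceType"] == resource_type]

def _compartment_owner(resource: Dict[str, Any]) -> Optional[str]:
    """Patient reference a resource belongs to (simplified patient compartment:
    the Patient itself, or anything whose subject references a Patient)."""
    if resource["resourceType"] == "Patient":
        return "Patient/" + resource["id"]
    return resource.get("subject", {}).get("reference")

def hardened_search(claims: Dict[str, str], resource_type: str,
                    query: Dict[str, str]) -> Tuple[int, List[Dict[str, Any]]]:
    """Server-side enforcement. Returns (HTTP status, resources).
    The patient context comes from the access token, never from the client."""
    scopes = set(claims.get("scope", "").split())
    if not scopes & {"patient/%s.read" % resource_type, "patient/*.read"}:
        return 403, []                      # no read scope for this resource type
    ctx = claims.get("patient")             # SMART launch context: the logged-in patient
    if not ctx:
        return 403, []                      # patient scope without a patient context
    requested = query.get("patient") or query.get("_id")
    if requested and requested.split("/")[-1] != ctx:
        return 403, []                      # refuse, rather than silently widen, the search
    owner = "Patient/" + ctx
    results = [r for r in RESOURCES
               if r["resourceType"] == resource_type and _compartment_owner(r) == owner]
    return 200, results
```

The compartment rule here is deliberately narrow; a real FHIR patient compartment spans many more resource types and reference paths, and the same token-derived context must drive every one of them.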
OK, so this is the big surprise to me. At least 25 apps made it to market without adequate security testing.
Checking for embedded tokens should be part of ANY application security scan, #HealthIT or otherwise.
This is JUST BASIC Security so far.
#HackingFHIR
And 100% of mobile apps were subject to #WITM (woman in the middle) attacks.
Perhaps also to MITM attacks too, but only for smart men ;-)
And 53% had hard-coded secrets (passwords) embedded in the code. WTAF?
#HackingFHIR