EXPLORING SECURITY VULNERABILITIES IN FHIR SERVER IMPLEMENTATIONS: A CASE STUDY ON IBM’S FHIR SERVER IN THE CONTEXT OF THE 21ST CENTURY CURES ACT
Date
2024
Abstract
The 21st Century Cures Act[1], enacted in 2016, marked a pivotal shift in healthcare technology by mandating interoperability and patient access to health data. Central to this transformation is the use of Application Programming Interfaces (APIs), which carry the exchange of health information between systems. The Interoperability and Patient Access final rule[9], which stems from this Act, sets out a clear roadmap for healthcare data standards, with particular emphasis on the Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR)[26] standard. The rule also introduces the consumer app API requirement, intended to improve data exchange among diverse health stakeholders. Together these measures foster interoperability and engage patients directly in their own care.
This thesis examines the need for robust security measures in the rapid rollout of FHIR servers, with particular emphasis on International Business Machines' (IBM) FHIR Server. The Act's compliance deadlines pushed implementations into production quickly, and that urgency may have introduced security weaknesses that were never assessed. The research is anchored on three questions:
1. Which security vulnerabilities are common in FHIR server implementations, specifically IBM's FHIR Server, and how do they vary across deployment configurations and usage scenarios?
2. Which best practices, derived from penetration testing outcomes, improve the security of IBM's FHIR Server, and what challenges arise when implementing them?
3. How do FHIR server security vulnerabilities affect compliance with healthcare regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR), and what role does penetration testing play in demonstrating regulatory compliance?
The investigation uses empirical security assessments to identify vulnerabilities in current FHIR server deployments and proposes a set of best practices to mitigate them. The findings show that security controls must be built in at the earliest stages of a FHIR server implementation, rather than retrofitted, if patient data is to be protected and legal requirements met. By documenting the vulnerabilities found and the corresponding mitigations, this thesis contributes to the ongoing discussion on securing digital health infrastructure and underscores the importance of rigorous security practice in a rapidly changing healthcare technology landscape.
Keywords
Computer science, 21st Century Cures Act, FHIR Server Security, Healthcare API Cybersecurity, Healthcare Data Compliance (HIPAA), Penetration Testing FHIR Standards, SMART Authentication in Healthcare
Extent
138 pages
Rights
All UHM dissertations and theses are protected by copyright. They may be viewed from this source for any purpose, but reproduction or distribution in any format is prohibited without written permission from the copyright owner.