Winner helped to find security weaknesses in database
The Department of Health and Human Service’s Office of the National Coordinator for Health Information Technology (ONC) (@ONC_HealthIT) announced the Stage 2 winner of the “Secure API Server Showdown” Challenge. Application programming interfaces (APIs) are technology that allow one software program to access the services provided by another software program. The 21st Century Cures Act calls for the development of APIs that do not require “special effort” for developers to access and exchange health information.
The challenge sought to engage the health IT industry to identify Fast Healthcare Interoperability Resources (FHIR®) servers that reinforce the value of following technical security best practices on an industry-wide scale. These best practices ensure the most widely-accepted and effective measures are taken resulting in a high quality, secure FHIR server, further helping to protect the health information it contains. The winner of the challenge is 1upHealth.
In Stage 1 of the challenge, Asymmetrik built a secure, Health Level 7 (HL7®) FHIR server using current industry technical standards, best practices, and recently issued healthcare-specific technical requirements for security. This included using the Substitutable Medical Apps, Reusable Technology (SMART) App Authorization Guide.
To win stage 2, participants were tasked with finding weaknesses in the FHIR server developed by Asymmetrik. 1upHealth identified ways to strengthen the open source FHIR server, improving the overall security of the server and supporting the sensitive patient data being stored or transmitted.
As a result of this challenge, a unique open source FHIR implementation using JavaScript, Node.js and MongoDB is now available for industry developers to build upon. This implementation meets the security technical requirements as specified in the Argonaut Data Query Implementation Guide Version 1.0.0. The source code is available for public use on GitHub.