Get Ready for a Showdown! – The Secure API Server Showdown Challenge

Steven Posnack | October 10, 2017

In 2014, man created FHIR.

In other words, that is when the Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®) standard was released as a first draft standard for trial use (“FHIR DSTU1”) for implementation in health information technology (health IT) software. FHIR is a standardized way to exchange health information that’s similar to the way we experience using the Internet. The FHIR standard’s security page notes, however, that FHIR “is not a security protocol, nor does it define any security related functionality” so it needs to be paired with appropriate security standards when it comes to deploying, for example, a production-grade FHIR server.

Thankfully, many security standards already exist for web services and can be applied to FHIR. Specific to health IT, the Argonaut Project’s Data Query Implementation Guide, being deployed by many health IT developers, points to the SMART App Authorization Guide for its security layer. Implementing security in health IT is necessary, and some of the specifications are not for the faint-hearted, but it’s important that the industry gets as much experience as possible in deploying secure FHIR servers.

To that end, and with National Cybersecurity Awareness Month underway, the Office of the National Coordinator for Health IT (ONC) is pleased to announce the Secure API Server Showdown Challenge. The Challenge invites interested stakeholders to build secure FHIR servers using current industry standards and best practices. Ultimately, the Challenge aims to identify unknown security vulnerabilities in the way open source FHIR servers are implemented, and will result in a hardened code base from which all stakeholders can benefit as they deploy FHIR servers in the future.

The Challenge will include two Stages. In Stage 1, participants will each develop and submit for judging a secured FHIR server. Three winning servers will be chosen to advance to Stage 2, where they will face teams of security-minded people vying to find security vulnerabilities.

Stage 1: The Server Build Stage

  • Three Stage 1 winners will be selected. These winners will advance to Stage 2’s Server Track and be eligible to collect a $10,000 prize at the end of Stage 2.

Stage 2: The Vulnerability Discovery Stage

  • Stage 2 will include two tracks: the Server Track and the Discovery Track.
  • Server Track participants will need to operate their Stage 1 winning FHIR servers throughout Stage 2 and review potential vulnerabilities submitted by Discovery Track teams.
  • Discovery Track teams will compete for the following prizes during Stage 2:
    • “Most cumulative confirmed vulnerabilities discovered,” which will include 1st, 2nd, and 3rd place prizes for the teams that find the greatest number of confirmed vulnerabilities during the Challenge (at $7,500, $5,000 and $2,500, respectively).
    • Two $2,500 bonus prizes will be available to any participating Discovery Track team.
      • Bonus prize #1: Most confirmed vulnerabilities discovered in a single FHIR server.
      • Bonus prize #2: Demonstrated ability to change patient data in a FHIR server.

At the end of the Challenge, the winning servers’ source code from Stage 1 must be made publicly and openly available consistent with the MIT License, along with a list of all confirmed security vulnerabilities discovered during Stage 2. Through this transparent process and outcome, we encourage stakeholders to step up and update the published code to further harden each server’s code base.

Now…let’s get ready for a showdown!