Since October 1 has come and gone, I am assuming most of us have implemented the API B2C for CCDA 2.1. I have, but I would like to know what everyone else has done to try to secure things. My apprehension in doing this project is the fact that we are putting our Jboss server on the internet because that is the only way to get the FHIR server there. We were told to use a WAF (Web Application Firewall) to secure things, and we did. I even built an Interop server to have some isolation, but that is about it. The WAF, I suppose, is looking for strange traffic which could be malicious. Strange traffic, in my opinion, would be out-of-band data, brute force type attacks, impersonation, etc. A good hacker would make his traffic get through the WAF so that he could get to hacking the next piece of security. As I worked on this project I realized that we are on an older implementation of Jboss, which is EAP 6.x. Jboss EAP 7.2 is now in beta, with EAP 7 already being several years old, so we are possibly out of date. To my knowledge we only update Jboss during version upgrades and maybe service pack upgrades. I certainly update Windows, but I cannot update Jboss without possibly breaking something or becoming "unsupported". I think any "Achilles heel" here would be Jboss.
I always see traffic from all over the world, and I do block China, Russia, Ukraine, Brazil and the other offenders I see regularly, but there is nothing stopping the bad guys from renting some AWS clouds to do their dirty work anyway. I do not know if we need to keep access to these countries to get credit for the API rule, so I haven't blocked any countries yet. I do have some other countermeasures in place, but that really only prevents the most obvious bots/hackers.
Edit: I wanted to add that I had discussions with many support people about this stuff, and some of them said things like "talk to your security people" and "we don't dictate how you should do this", as some of the support people spoke like lawyers. Well, I do the security for the organization as well as many other things, and I have questions. Everything I have ever put on the web was designed to be there, like web servers, email, patient portal, VPNs, etc. This implementation is an add-on to what we have used for many years, and that is new to me, especially since we are ultimately responsible.
Have any of you implemented additional countermeasures?
Mike Zavolas
Tallahassee Neurological Clinic
Posted: October 3, 2019 1:26 am