Since October 1 has come and gone I am assuming most of us have implemented the API B2C for CCDA 2.1. I have, but I would like to know what everyone else has done to try to secure things. My apprehension in doing this project is the fact that we are putting our JBoss server on the internet, because that is the only way to get the FHIR server there. We were told to use a WAF (Web Application Firewall) to secure things and we did. I even built an Interop server to have some isolation, but that is about it.

The WAF, I suppose, is looking for strange traffic which could be malicious. Strange traffic, in my opinion, would be out-of-band data, brute force type attacks, impersonation, etc. A good hacker would make his traffic get through the WAF so that he could get to hacking the next piece of security.

As I worked on this project I realized that we are on an older implementation of JBoss, which is EAP 6.x. JBoss EAP 7.2 is now in beta, with EAP 7 already being several years old, so we are possibly out of date. To my knowledge we only update JBoss during version upgrades and maybe service pack upgrades. I certainly update Windows, but I cannot update JBoss without possibly breaking something or becoming "unsupported". I think any "Achilles heel" here would be JBoss.
I always see traffic from all over the world and I do block China, Russia, Ukraine, Brazil and the other offenders I see regularly but there is nothing stopping the bad guys from renting some AWS clouds to do their dirty work anyway. I do not know if we need to keep access to these countries to get credit for the API rule so I haven't blocked any countries yet. I do have some other countermeasures in place but that really only prevents the most obvious bots/hackers.
Edit: I wanted to add that I had discussions with many support people about this stuff and some of them said things like "talk to your security people" and "we don't dictate how you should do this" as some of the support people spoke like lawyers. Well, I do the security for the organization as well as many other things and I have questions. Everything I have ever put on the web was designed to be there, like web servers, email, patient portal, VPNs, etc. This implementation is an add-on to what we have used for many years and that is new to me, especially since we are ultimately responsible.
Have any of you implemented additional counter measures?
Mike Zavolas
Tallahassee Neurological Clinic
That sounds pretty comprehensive. Nothing to add to the above, and I agree that JBoss is the weakest link in that setup... Out of curiosity, what vendor/device did you end up with for the WAF (if you feel comfortable revealing that info)? 🙂
Debian Linux 9 with ModSecurity, WAF-FLE, and fail2ban
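The stack in the reply above works because ModSecurity writes each blocked request to the Apache error log and fail2ban (which ships a `modsecurity` filter in its `filter.d`) counts those denials per client IP and bans an address once it exceeds `maxretry` hits within `findtime`. The Python below is an added example, not code from the original thread or from either project: it reproduces that sliding-window decision over a few constructed error-log lines in the shape ModSecurity 2.x produces, ignores warnings and non-ModSecurity errors the way the fail2ban filter does, and also tallies denials per rule id, which is the first thing to review when tuning a WAF in front of a FHIR endpoint for false positives. The log lines, the RFC 5737 addresses, and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape ModSecurity 2.x writes to the Apache 2.4
# error log. IPs are RFC 5737 documentation addresses; rule ids are CRS-style.
SAMPLE_LOG = """\
[Tue Oct 02 08:00:00.000000 2018] [:error] [pid 4321] [client 198.51.100.7:50001] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:name. [id "941100"] [uri "/fhir/Patient"]
[Tue Oct 02 10:15:01.123456 2018] [:error] [pid 4321] [client 198.51.100.7:51234] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:patient. [id "942100"] [uri "/fhir/Patient"]
[Tue Oct 02 10:15:03.000000 2018] [:error] [pid 4322] [client 203.0.113.22:44000] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:q. [id "941100"] [uri "/fhir/Observation"]
[Tue Oct 02 10:15:10.000000 2018] [:error] [pid 4321] [client 198.51.100.7:51240] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:patient. [id "942100"] [uri "/fhir/Patient"]
[Tue Oct 02 10:15:12.000000 2018] [:error] [pid 4321] [client 198.51.100.7:51241] ModSecurity: Warning. Pattern match at REQUEST_HEADERS:User-Agent. [id "920280"] [uri "/fhir/metadata"]
[Tue Oct 02 10:16:00.000000 2018] [:error] [pid 4323] [client 198.51.100.7:51250] ModSecurity: Access denied with code 403 (phase 2). Pattern match at REQUEST_HEADERS:User-Agent. [id "913100"] [uri "/fhir/metadata"]
[Tue Oct 02 10:16:30.000000 2018] [:error] [pid 4322] [client 203.0.113.22:44010] ModSecurity: Access denied with code 403 (phase 1). Pattern match at REQUEST_HEADERS:Content-Type. [id "920350"] [uri "/fhir/Patient"]
[Tue Oct 02 10:17:45.000000 2018] [:error] [pid 4321] [client 198.51.100.7:51260] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:patient. [id "942100"] [uri "/fhir/Patient"]
[Tue Oct 02 10:18:02.000000 2018] [:error] [pid 4321] [client 198.51.100.7:51261] ModSecurity: Access denied with code 403 (phase 2). Pattern match at ARGS:name. [id "941100"] [uri "/fhir/Patient"]
[Tue Oct 02 10:18:05.000000 2018] [core:error] [pid 4321] [client 192.0.2.9:4000] AH00082: an unknown filter was not added: DEFLATE
"""

# Only lines ModSecurity emits for a *blocked* request count; "Warning." lines
# (DetectionOnly or non-blocking rules) and other Apache errors are skipped.
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[:error\] \[pid \d+\] '
    r'\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d{1,5})?\] '
    r'ModSecurity: Access denied with code (?P<code>\d{3}).*?'
    r'\[id "(?P<rule>\d+)"\]'
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def parse_denials(log_text):
    """Return [(timestamp, client_ip, rule_id)] for every blocked request."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        events.append((ts, m.group("ip"), m.group("rule")))
    return events


def offenders(events, maxretry=5, findtime=timedelta(minutes=10)):
    """Sliding-window ban decision in the style of fail2ban's maxretry/findtime.

    Returns {ip: time_of_ban} for each IP with >= maxretry denials whose
    timestamps all fall within findtime of the latest one.
    """
    window = defaultdict(list)
    banned = {}
    for ts, ip, _rule in sorted(events):
        if ip in banned:
            continue  # already banned; later hits would be dropped by the firewall
        hits = window[ip]
        hits.append(ts)
        while hits and ts - hits[0] > findtime:
            hits.pop(0)  # age out denials older than the window
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned


def denials_by_rule(events):
    """Count blocked requests per ModSecurity rule id (for false-positive review)."""
    return Counter(rule for _ts, _ip, rule in events)


if __name__ == "__main__":
    evs = parse_denials(SAMPLE_LOG)
    for ip, when in offenders(evs).items():
        print(f"ban {ip} at {when:%Y-%m-%d %H:%M:%S}")
    for rule, n in denials_by_rule(evs).most_common():
        print(f"rule {rule}: {n} denials")
```

The early-morning hit from 198.51.100.7 is aged out of the window, so the ban fires on the fifth denial inside the ten-minute span, not the sixth overall; 203.0.113.22, with two denials, stays unbanned. The per-rule tally is what to check before lowering `maxretry`: if one rule id dominates and the blocked URIs are legitimate FHIR queries, the fix is a rule exclusion, not a shorter ban window.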
Wow...so you rolled your own 🙂 Awesome! Thanks for pointing me to that - didn't know it even existed.
Is the API being used by anything yet aside from getting the initial connection set up with Virence? Are there any vendors that support it yet? The last I knew, there was literally no support for this, and we customers and Virence are just "checking the box" by making it "available" even though it's really not available.
Thanks,
Wade
The last time I checked there was nothing currently available.
The latest iOS has some more technology in the "Health" app, and I know Google has always been interested in getting hold of people's health records, so I suspect we will see something from those two companies. I would expect that to be a gold mine for them and other data collectors like Facebook and Microsoft.
It looks like the CheckinAsyst guys are working on something too, for CPS 19 at least: