Welcome to the NEW CHUG— your ultimate destination for cutting-edge insights and discussions at the intersection of healthcare and technology.

Our platform is dedicated to exploring the dynamic landscape of healthcare technology, empowering professionals, enthusiasts, and innovators alike with the knowledge and resources to navigate the rapidly evolving field.

From telemedicine revolutionizing patient care to the transformative potential of artificial intelligence in diagnostics, we delve into a myriad of topics shaping the future of healthcare delivery. Whether you’re a seasoned healthcare IT professional, an aspiring entrepreneur in the digital health space, or simply curious about the latest innovations, our curated content, expert interviews, and thought-provoking articles provide a comprehensive exploration of healthcare technology’s most pressing issues.

Join us as we navigate the forefront of innovation, driving forward the transformation of healthcare for a healthier, more connected world.

Have questions or suggestions? Please use the contact button below.

Notifications

Clear all

API security concerns/discussion

MU, CQR, PQRS, etc.

Last Post by Anonymous 1 second ago

6 Posts

3 Users

0 Reactions

134 Views

RSS

tnc

(@tnc)

Posts: 517

Honorable Member

Topic starter

Since October 1 has come and gone I am assuming most of us have implemented the API B2C for CCDA 2.1. I have but I would like to know what everyone else has done to try to secure things. My apprehension in doing this project is the fact that we are putting our Jboss server on the internet because that is the only way to get the FHIR server there. We were told to use a WAF (Web Application Firewall) to secure things and we did. I even built an Interop server to have some isolation but that is about it. The WAF, I suppose, is looking for strange traffic which could be malicious. Strange traffic, in my opinion, would be out of band data, brute force type attacks, impersonation, etc. A good hacker would make his traffic get through the WAF so that he could get to hacking the next piece of security. As I worked on this project I realized that we are on an older implementation of Jboss which is EAP 6.x. Jboss EAP 7.2 is now in beta, with EAP 7 already being several years old so we are possibly out of date. To my knowledge we only update Jboss during version upgrades and maybe service pack upgrade. I certainly update Windows but I can not update Jboss without possibly breaking something or becoming "unsupported". I think any "achilles heel" here would be Jboss.

I always see traffic from all over the world and I do block China, Russia, Ukraine, Brazil and the other offenders I see regularly but there is nothing stopping the bad guys from renting some AWS clouds to do their dirty work anyway. I do not know if we need to keep access to these countries to get credit for the API rule so I haven't blocked any countries yet. I do have some other countermeasures in place but that really only prevents the most obvious bots/hackers.

Edit: I wanted to add that I had discussions with many support people about this stuff and some of them said things like "talk to your security people" and "we don't dictate how you should do this" as some of the support people spoke like lawyers. Well, I do the security for the organization as well as many other things and I have questions. Everything I have ever put on the web was designed to be there, like web servers, email, patient portal, VPNs, etc. This implementation is an add-on to what we have used for many years and that is new to me, especially since we are ultimately responsible.

Have any of you implemented additional counter measures?

Mike Zavolas
Tallahassee Neurological Clinic

Posted : October 3, 2019 1:26 am

tdimitrov

(@tdimitrov)

Posts: 43

Eminent Member

That sounds pretty comprehensive. Nothing to add to the above and agree that Jboss is the weakest link in that setup... Out of curiosity, what vendor/device did you end up with for WAF (if you feel comfortable revealing that info)? 🙂

Posted : October 3, 2019 2:41 am

tnc

(@tnc)

Posts: 517

Honorable Member

Topic starter

Debian linux 9 with Modsecurity, Waf-FLE, and fail2ban

Posted : October 3, 2019 3:36 am

tdimitrov

(@tdimitrov)

Posts: 43

Eminent Member

Wow...so you rolled your own 🙂 Awesome! Thanks for pointing me to that - didn't know it even existed.

Posted : October 3, 2019 3:48 am

[email protected]

(@wadelanhamhotmail-com)

Posts: 34

Eminent Member

Is the API being used by anything yet aside from getting the initial connection set up with Virence? Are there any vendors that support it yet? The last I knew, there was literally no support for this, and we customers and Virence are just "checking the box" by making it "available" even though it's really not available.

Thanks,
Wade

Posted : October 16, 2019 3:32 am

tnc

(@tnc)

Posts: 517

Honorable Member

Topic starter

The last time I checked there was nothing currently available.

The latest iOS has some more technology in the "health" app and I know google has always been interested in getting a hold of people's health records so I suspect we will see something from those two companies. I would expect that to be a gold mine for them and others data collectors like Facebook and Microsoft.

It looks like the CheckinAsyst guys are working on something too, for CPS 19 at least:

https://forum.centricityusers.com/forum/healthasyst-cps-19-fhir-integration-with-checkinasyst-we-need-your-helpresponse/

Posted : October 16, 2019 8:13 am

Share:

24 Forums
9,940 Topics
39.9 K Posts
4 Online
6,470 Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed

Powered by wpForo Powered by wpForo version 2.4.0