1upHealth won 1st place in Phase 2 of the Secure FHIR Server Challenge! This part of the challenge involved hacking the Phase 1 winner's open source FHIR server. Our exploits allowed anyone to read anyone else's data (another developer's or another patient's) for as long as they wanted. That would obviously be a significant issue if this were a production system. Here's what we learned. Developers should not build their own OAuth2 implementation. Use an open source solution or an off-the-shelf API gateway; those have been battle tested by thousands of people. The FHIR server logic is only a small part of the full security model. Most of the security should live in the first layer, the one that issues the keys used to access data, such as the OAuth2 implementation.
Our process involved reading through the code and running the application locally; generic off-the-shelf tools are not specific enough for this kind of penetration testing. All the vulnerabilities were found in the FHIR server's code, specifically in its OAuth2 implementation. For those of you wanting the details, here's all the code we used to break into the FHIR server.
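As an added example (not the challenge's code, the Phase 1 server's code, or 1upHealth's), here is the kind of check the key-issuing layer has to get right, expressed as the two properties the exploits defeated: access that expires, and a patient-context token that can only reach its own patient's records. It assumes SMART on FHIR style scope strings (e.g. `patient/Observation.read`) and a constructed token layout with `exp`, `scope` and `patient` fields.

```python
import time

def parse_scopes(scope_str):
    """Turn 'patient/Observation.read user/*.read' into a set of (context, type, action)."""
    scopes = set()
    for s in scope_str.split():
        ctx, rest = s.split("/", 1)
        rtype, action = rest.split(".", 1)
        scopes.add((ctx, rtype, action))
    return scopes

def subject_of(resource):
    """Return the Patient id whose compartment a FHIR resource belongs to, or None."""
    if resource["resourceType"] == "Patient":
        return resource["id"]
    ref = resource.get("subject", {}).get("reference", "")
    return ref.split("/", 1)[1] if ref.startswith("Patient/") else None

def decide_read(token, resource, now=None):
    """Return 'allow' or a 'deny: ...' reason for reading `resource` with `token`.
    token (constructed layout): 'exp' in unix seconds, 'scope' as a SMART scope string,
    'patient' = id of the patient context the authorization server bound to the token."""
    now = time.time() if now is None else now
    if token["exp"] <= now:  # first lesson: access must not last "for as long as they want"
        return "deny: token expired"
    rtype = resource["resourceType"]
    allowed = {s for s in parse_scopes(token["scope"])
               if s[1] in (rtype, "*") and s[2] in ("read", "*")}
    if not allowed:
        return f"deny: no read scope for {rtype}"
    # second lesson: a patient-context token only reaches its own patient's compartment;
    # user/ and system/ scopes are not compartment-bound, so they skip this check
    if all(ctx == "patient" for ctx, _, _ in allowed):
        if subject_of(resource) != token["patient"]:
            return "deny: resource outside the token's patient compartment"
    return "allow"

# Constructed sample data for a stand-alone run.
TOKEN = {"exp": 2000, "scope": "patient/Observation.read patient/Patient.read", "patient": "p1"}
OBS_P1 = {"resourceType": "Observation", "id": "o1", "subject": {"reference": "Patient/p1"}}
OBS_P2 = {"resourceType": "Observation", "id": "o2", "subject": {"reference": "Patient/p2"}}

if __name__ == "__main__":
    print(decide_read(TOKEN, OBS_P1, now=1000))  # allow
    print(decide_read(TOKEN, OBS_P2, now=1000))  # deny: resource outside the token's patient compartment
    print(decide_read(TOKEN, OBS_P1, now=3000))  # deny: token expired
```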
At 1upHealth we do our best to maintain high security on our FHIR API server. We do not write any of our own security layers; instead we use proven and tested security solutions from much larger communities and organizations. In addition, we run both off-the-shelf and custom automated tests to ensure that updates do not compromise the security of our FHIR server.