apidays LIVE New York 2021 - API-driven Regulations for Finance, Insurance, and Healthcare July 28 & 29, 2021 Playing with FHIR without getting burned David Stewart, CEO at Approov

1. Playing with FHIR
- Without Getting Burned
David Stewart
david.stewart@approov.io
@approov_io
www.approov.io

2. Agenda
● FHIR/SMART overview
● How to think about API security
● The challenges of securing FHIR APIs and APIs which use FHIR data
● A 5 step plan for success
● Recommendations
Note! Special offer for attendees at the end of the presentation...

3. FHIR/SMART Overview
What...
https://kms-technology.com/blog/healthcare/21st-century-cures-act-interoperability-summary.html
...and when

4. Consider Both API Attack Approaches
1. Attack by exploiting a
flaw or vulnerability
in the app/API itself.
1. Attack by automating
app API traffic to
impersonate a
genuine source.
Photo by Giorgio Trovato on Unsplash

5. The API Security Challenge for Mobile
An app limits the range/speed an
API can manipulate user data.
However, a bot can rapidly
manipulate and exfiltrate all your
valuable data.
In 2020 the average cost of a data breach is
$3.86M (Ponemon)

6. A Complete View of Protecting APIs
Attack Surface 1:
User Credentials
Attack Surface 3:
Device Integrity
Attack Surface 2:
App Integrity
Attack Surface 4:
API Channel Integrity
Attack Surface 5:
Service Vulnerabilities
https://blog.approov.io/the-mobile-attack-pyramid

7. SMART on FHIR Direct Architecture

8. SMART on FHIR Indirect Architecture
3rd Party mHealth Service Provider

9. Step 1: Block Malicious Bots and Automated Scripts
“...it’s imperative to determine if
the traffic being ingested into
the API is synthetic or human,
…. allowing only authentic apps
to make API calls.”
“77% of the apps tested
contained hard-coded API
keys, tokens, private keys, and
hard-coded usernames and
passwords.” https://approov.io/mhealth/hacking/

10. Step 1: Block Malicious Bots and Automated Scripts
New Way: Require apps to prove that they are your live, authentic apps before
authorizing API calls.
New Result: A good solution rejects all bots and automations while not falsely
rejecting any valid app, reducing the risks of data breaches in your business.
API breaches due to automated mobile traffic is growing fast and authentication
of the app, not just an API key, is needed to block it.

11. If there is even a small pinhole in the
platform security, the fraudsters will
find it and exploit it. One example is
the use of Cloner Apps by end users
to have multiple instances of the
same app running on a single mobile
device. The use of Cloner Apps
opens up some pretty serious security
holes, and they should be banned in
most cases.
Step 2: Reject Apps Running in Compromised
Environments
https://blog.approov.io/cloner-apps-playing-in-a-shared-sandbox

12. Step 2: Reject Apps Running in Compromised
Environments
New Way: Add run time environmental and app integrity checks to
platform security.
New Result: Platform checks validate an app at installation time.
Fraudsters continually push new ways to breach platform security, so
procedures must be updated frequently in order to keep your data breach
risks low.
Frequent run time checks are how to block app manipulation and masked
transaction requests which are not caught at install time.

13. Step 3: Secure API Calls
“The truth is, there are no known
hacks of TLS 1. Rather, these
hackers were successful not due
to faulty TLS, but because of a
lack of software-quality
processes.”
“...the main criticism facing TLS is
that it can be difficult to use safely
in real-world environments.”
“...these protocols can only be effective if they’re implemented
properly, using proven software-quality processes.”
https://www.electronicdesign.com/technologies/embedded-revolution/article/21807252/11-myths-about-tls

14. Step 3: Secure API Calls
New Way: Enhance TLS security to lock down communication between
app and service.
New Result: Done right, enhanced TLS security is effective at protecting
API calls, ensuring your data breach risk drops dramatically since hackers
can’t get in the middle of your traffic and continue their attacks.
Enhancing TLS security blocks hackers from getting between your app
and your service, preventing both the design and execution of attacks.

15. Step 4: Authorize User Actions in App Context
“The analysis shows attackers are culminating
lists of open, exposed databases tied to
healthcare entities, which are designed to be
monetized by selling the data to other hackers.”
“Researchers found an offering
of ‘500,000 French hospital
records’ for sale on the dark
web, which were analyzed and
found to be authentic. These
files contained personally
identifiable information on
patients, as well as their
relationships with providers,
pharmacies, and the like.
https://healthitsecurity.com/news/dark-web-analysis-healthcare-risks-tied-to-database-leaks-credentials

16. Step 4: Authorize User Actions in App Context
New Way: Bind a specific user authentication with the specific app the
user is using, and expire these bound authentications frequently.
New Result: Fraud relying on stolen user authentication credentials will
only work with short-lived instance-specific app authentication. Assume
user and app authentication each reduce fraud by 5x. Binding them
together reduces fraud by 25x, instead of just 10x.
Combining app and user authentication chokes the scope and velocity of
fraudulent transactions.

17. Step 5: Keep Security Capabilities Up To Date With
Emerging Threats
“We experienced an attack against one of our API
endpoints which caused one of our key features to go
Out of Service. As a result we spent many man-days
putting in place some in-house security but we knew
this was only a band-aid and we would quickly need
to find something better.”
— Ben Levy, VP Engineering, Temi.

18. Step 5: Keep Security Capabilities Up To Date With
Emerging Threats
New Way: Over-the-air security updates.
New Result: Allows continuous and instantaneous updates to security
features. No need to release a new app. No friction for users. Instant cut in
breach risks.
Over-the-air security updates allow continuous enhancement of security
capabilities against emerging threats without the need to release a new app.

19. Case Study:
Protecting Patient Data While Delivering Agility To Physicians
“Approov plugged an immediate hole which
pentesting had exposed in our platform, and
we calculate that the adoption of Approov
will bring us a 10x RoI.”
— Tiago Calado, Software Development Mgr, MV.
https://approov.io/download/Approov-MV-Story.pdf

20. SMART on FHIR Anti-Burn Recommendations
● Decide that you don’t want/need to be a security expert
● Understand that API vulnerabilities are not your only API risk profile
● Understand that mobile apps present unique security challenges
● Implement the 5 step plan!
○ Authenticate apps
○ Check device/environment
○ Implement TLS correctly
○ Authorize users in app context
○ Monitor and react to emerging threats

21. Offer to APIdays NY Attendees
● First 5 to sign up to 30 day free trial
● Find out how much automated traffic you have...
● Additional, Free, Pre-deployment checklist review:
○ Security policies
○ Frontend implementation
○ Backend implementation
○ Pinning implementation
○ Testing strategy
○ Common issues
● Enter code ‘APIdays NY’ into the Any Other Information box
https://approov.io/signup david.stewart@approov.io