OAuth2 for Healthcare: Are we ready?

Mar25

Last weekend I got an email asking whether OAuth 2.0 is ready to deploy for healthcare. Given SMART’s use of OAuth 2.0, I think so! Here’s the exchange…

The question I received

I realize that the big news is the NPRMs being released, but one thing that I have been interested in is the big push for using OAuth 2.0 with newer standards (primarily FHIR related), and the known vulnerabilities in OAuth2.0.

I realize that HL7’s security Workgroup has experts and the other organizations consult experts (and I’m certainly not questioning the work they have done in this area), but considering we are talking about healthcare data – it seems that it might have raised at least a few eyebrows and would have been addressed more openly.

Below are just a few links that explain.  I do not know how many – if any – of these vulnerabilities have been resolved since these were printed.

I just thought this was interesting…

http://www.darkreading.com/security-flaw-found-in-oauth-20-and-openid-third-party-authentication-at-risk/d/d-id/1235062

http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

http://www.oauthsecurity.com/

http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

My executive summary-level response:

There have been many reports of flawed OAuth 2.0 implementations, but no security vulnerabilities have been identified in the OAuth 2.0 framework itself. The community is constantly improving the best practices that help developers avoid implementation pitfalls. There are already real-world OAuth 2.0 deployments in healthcare.

My more detailed take:

The overall system security of an OAuth 2.0 implementation depends critically on a substantial number of implementation details (as with any reasonably-capable authorization framework). The core OAuth 2.0 spec is accompanied by a “Threat Model and Security Considerations” document (RFC 6819) outlining many risks; and other groups have performed related analyses. The bottom line is that a robust implementation of OAuth 2.0 must account for these risks and ensure that appropriate mitigations are in place.

Sensational headlines in the blogosphere generally identify places where an individual implementer got some of these details wrong. In large measure, we’ve seen so many of these stories simply because OAuth 2.0 is so widely deployed — not because it’s so deeply flawed. (Now, we can argue that a well-designed security protocol should protect implementers from all kinds of mistakes — and that’s fair. But the collective community experience in identifying these threats, learning how things go wrong, and memorializing the understanding in clearer recommendations and more-capable reference software implementations is exactly how that protection emerges.) At the end of the day, Microsoft, Google, Facebook, Twitter, Salesforce, and many, many more players (large and small) offer, promote, and continue to expand their OAuth 2.0 deployments.
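As an added illustration (not code from this post or from the SMART project), here is the kind of implementation detail RFC 6819 calls out and that the linked "covert redirect" reports turn on: an authorization server's redirect URI check in the loose, prefix-matching form beside the strict exact-match form, plus the client-side state check that binds an authorization response to the user's session. The client registry, client id and URIs are constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed registry: client_id -> the exact redirect URIs registered for it.
REGISTERED_CLIENTS = {
    "smart-app-123": {"https://app.example.org/cb"},
}


def validate_redirect_uri_loose(client_id: str, redirect_uri: str) -> bool:
    """The pitfall: accept anything under the registered origin.

    Any other path on that host (e.g. an open redirector) then passes the
    check, so the authorization code can be sent somewhere the client never
    registered. Shown only to contrast with the strict check below."""
    origins = {r.rsplit("/", 1)[0] for r in REGISTERED_CLIENTS.get(client_id, ())}
    return any(redirect_uri.startswith(o) for o in origins)


def validate_redirect_uri_strict(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against pre-registered URIs: no prefix or wildcard
    matching, and no fragment component (fragments are not allowed in a
    redirect URI)."""
    if "#" in redirect_uri:
        return False
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


def issue_state(session: dict) -> str:
    """Client side: mint an unguessable per-request state value and store it
    in the user's session before redirecting to the authorization server."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return state


def validate_callback(session: dict, callback_url: str):
    """Client side: accept the authorization response only if its state
    matches the one stored for this session (CSRF binding). The stored value
    is consumed so it cannot be replayed. Returns the code, or None."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [None])[0]
    expected = session.pop("oauth_state", None)
    if not state or not expected or not secrets.compare_digest(state, expected):
        return None
    return params.get("code", [None])[0]
```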

With respect to health IT, there is ongoing work to define profiles of OAuth 2.0 that promote best practices and avoid common pitfalls. Three examples are:

MITRE’s OAuth 2.0 profiles created for VA

SMART on FHIR’s profiles for EHR plug-in apps

OpenID Foundation’s Health Relationship Trust (HEART) Workgroup

Commercial health IT vendors have already deployed OAuth 2.0 implementations, and I expect we’ll see many more in the near future.

Ebola in the United States: EHRs as a Public Health Tool at the Point of Care

Oct21


What if, in the midst of a crisis, the CDC could distribute a SMART app to emergency departments as easily as a software developer submits an app to the Apple App Store?

JAMA Article (free)

RFP Language for Buying SMART-Compatible HIT

Oct06

SMART Platform (www.smarthealthit.org) is a project that lays the groundwork for a more flexible approach to sourcing health information technology tools. Like Apple and Android’s app stores, SMART creates the means for developers to create and for health systems and providers to easily deploy third-party applications in tandem with their existing electronic health record, data warehouse, or health information exchange platforms.

To deploy SMART-enabled applications, health systems must ensure that their existing health information technology infrastructure supports the SMART on FHIR API. The SMART on FHIR starter set detailed below lists the minimum requirements for supporting the API and SMART-enabled applications. You may wish to augment this list of minimum requirements with suggestions from the Add-On Functionality listed depending on the types of applications your organization wishes to deploy.

C-CDAs — What are they good for?

Sep16

David Kreda, SMART Translation Advisor
Joshua Mandel, SMART Lead Architect

Some readers of our JAMIA paper “Are Meaningful Use Stage 2 certified EHRs ready for Interoperability?” have wondered if we were insinuating that C-CDAs are all but useless because of their heterogeneity and other defects.

We did not say that.

Certification/MU tweaks to support patient subscriptions

Sep15

This is a quick description of the minimum requirements to turn patient-mediated “transmit” into a usable system for feeding clinical data to a patient’s preferred endpoints. In my blog post last month, I described a small, incremental “trust tweak” asking ONC and CMS to converge on the Blue Button Patient Trust Bundle, so that any patient anywhere has the capability to send data to any app in the bundle.

This proposal builds on that initial tweak. I should be clear that the ideas here aren’t novel: they borrow very clearly from the Blue Button+ Direct implementation guide (which is not part of certification or MU — but aspects of it ought to be).


Health App Privacy Policies Still Wild Frontier

Aug29

Apple may have just tightened privacy requirements for developers who build apps on its HealthKit platform. But a broad assessment of the industry, published online last week in JAMIA, found that the iTunes and Google Play stores have a long way to go before such policies are readily discoverable and digestible to app users.

Improving patient access: small steps and patch-ups

Aug26

In a blog post earlier this month, I advocated for ONC and CMS to adopt a grand scheme to improve patient data access through the SMART on FHIR API. Here, I’ll advocate for a very small scheme that ignores some of the big issues, but aims to patch up one of the most broken aspects of today’s system.

The problem: patient-facing “transmit” is broken

Not to mince words: ONC’s certification program and CMS’s attestation program are out of sync on patient access. As a result, patient portals don’t offer reliable “transmit” capabilities.

2014-certified EHR systems must demonstrate support for portal-based Direct message transmission, but providers don’t need to make these capabilities available for patients in real life. Today, two loopholes prevent patient access:

SMART Advice on JASON (and PCAST)

Aug11

As architect for SMART Platforms and community lead for the Blue Button REST API, I’m defining open APIs for health data that spark innovation in patient care, consumer empowerment, and clinical research. So I was very pleased last month at an invitation to join a newly-formed Federal Advisory Committee called the JASON Task Force, helping ONC respond to the JASON Report (“A Robust Health Data Infrastructure”).

We’re charged with making recommendations to ONC about how to proceed toward building practical, broad-reaching interoperability in Meaningful Use Stage 3 and beyond. Our committee is still meeting and forming recommendations throughout the summer and into the fall, but I wanted to share my initial thoughts on the scope of the problem; where we are today; and how we can make real progress as we move forward.


It’s About Time: Open APIs Finally Burst onto Healthcare’s Sluggish Scene

Jun09

Nuviun Blog, June 9, 2014 — Sue Montgomery
In the midst of the struggles that we face with interoperability, efforts that support open API use may well hold the keys to the HIT Kingdom…

Advisory Committee Kickoff a Success

Jun09

The SMART Advisory Committee had a high-energy kickoff meeting on May 15. Below are some scenes from the day, which featured presentations by Joshua Mandel and Clayton Christensen as well as demonstrations of apps to be deployed in the near future.
