OAuth2 for Healthcare: Are we ready?

Last weekend I got an email asking whether OAuth 2.0 is ready to deploy for healthcare. Given SMART’s use of OAuth 2.0, I think so! Here’s the exchange…

The question I received


I realize that the big news is the NPRMs being released, but one thing that I have been interested in is the big push for using OAuth 2.0 with newer standards (primarily FHIR related), and the known vulnerabilities in OAuth2.0.

I realize that HL7’s security Workgroup has experts and the other organizations consult experts (and I’m certainly not questioning the work they have done in this area), but considering we are talking about healthcare data – it seems that it might have raised at least a few eyebrows and would have been addressed more openly.

Below are just a few links that explain.  I do not know how many – if any – of these vulnerabilities have been resolved since these were printed.

I just thought this was interesting…

http://www.darkreading.com/security-flaw-found-in-oauth-20-and-openid-third-party-authentication-at-risk/d/d-id/1235062

http://tetraph.com/covert_redirect/oauth2_openid_covert_redirect.html

http://www.oauthsecurity.com/

http://www.cnet.com/news/serious-security-flaw-in-oauth-and-openid-discovered/

My executive summary-level response:

There have been many reports of flawed OAuth 2.0 implementations, but there have not been security vulnerabilities identified in the OAuth 2.0 framework itself.  The community is constantly improving on best practices that help developers avoid implementation pitfalls.  There are already real-world OAuth 2.0 deployments in healthcare.

My more detailed take:

The overall system security of an OAuth 2.0 implementation depends critically on a substantial number of implementation details (as with any reasonably-capable authorization framework). The core OAuth 2.0 spec is accompanied by a “Threat Model and Security Considerations” document (RFC 6819) outlining many risks; and other groups have performed related analyses. The bottom line is that a robust implementation of OAuth 2.0 must account for these risks and ensure that appropriate mitigations are in place.

Sensational headlines in the blogosphere generally identify places where an individual implementer got some of these details wrong. In large measure, we’ve seen so many of these stories simply because OAuth 2.0 is so widely deployed — not because it’s so deeply flawed. (Now, we can argue that a well-designed security protocol should protect implementers from all kinds of mistakes — and that’s fair. But the collective community experience in identifying these threats, learning how things go wrong, memorializing the understanding in clearer recommendations and more-capable reference software implementations is exactly how that protection emerges.) At the end of the day, Microsoft, Google, Facebook, Twitter, Salesforce, and many, many more players (large and small) offer, promote, and continue to expand their OAuth 2.0 deployments.
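As an added illustration (not code from this post, SMART, or any of the vendors named), here is the kind of implementation detail the paragraph refers to: an authorization server's redirect_uri check, first in the loose prefix form behind many of the headlines above, then in the exact-match form RFC 6819 recommends, together with the client-side state check. The client id and URLs are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs
import secrets
import hmac

# Constructed client registration; the client id and callback URL are hypothetical.
REGISTERED_REDIRECT_URIS = {
    "ehr-app-demo": {"https://app.example.org/callback"},
}


def loose_redirect_check(client_id: str, requested: str) -> bool:
    """Prefix matching: the implementation shortcut behind many reported flaws.
    Anything under the registered path (extra segments, query strings) is accepted,
    so the authorization response can be bounced through any page on that host."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, set())
    return any(requested.startswith(uri) for uri in registered)


def strict_redirect_check(client_id: str, requested: str) -> bool:
    """Exact string match against the pre-registered URI, as RFC 6819 recommends,
    with https required and fragments rejected."""
    parts = urlsplit(requested)
    if parts.scheme != "https" or parts.fragment:
        return False
    return requested in REGISTERED_REDIRECT_URIS.get(client_id, set())


def new_state() -> str:
    """Client side: an unguessable per-request state value kept in the user session."""
    return secrets.token_urlsafe(32)


def callback_state_ok(session_state: str, callback_url: str) -> bool:
    """Client side: accept the authorization response only if its state matches
    the value this session issued (constant-time compare, missing state rejected)."""
    if not session_state:
        return False
    returned = parse_qs(urlsplit(callback_url).query).get("state", [""])[0]
    return hmac.compare_digest(session_state.encode(), returned.encode())
```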

With respect to health IT, there is ongoing work to define profiles of OAuth 2.0 that promote best practices and avoid common pitfalls. Three examples are:

MITRE’s OAuth 2.0 profiles created for VA

SMART on FHIR’s profiles for EHR plug-in apps

OpenID Foundation’s Health Relationship Trust (HEART) Workgroup

Commercial health IT vendors have already deployed OAuth 2.0 implementations, and I expect we’ll see many more in the near future.

RFP Language for Buying SMART-Compatible HIT

SMART Platform (www.smarthealthit.org) is a project that lays the groundwork for a more flexible approach to sourcing health information technology tools. Like Apple and Android’s app stores, SMART creates the means for developers to create and for health systems and providers to easily deploy third-party applications in tandem with their existing electronic health record, data warehouse, or health information exchange platforms.

To deploy SMART-enabled applications, health systems must ensure that their existing health information technology infrastructure supports the SMART on FHIR API. The SMART on FHIR starter set detailed below lists the minimum requirements for supporting the API and SMART-enabled applications. You may wish to augment this list of minimum requirements with suggestions from the Add-On Functionality listed depending on the types of applications your organization wishes to deploy.

SMART Advice on JASON (and PCAST)

As architect for SMART Platforms and community lead for the Blue Button REST API, I’m defining open APIs for health data that spark innovation in patient care, consumer empowerment, and clinical research. So I was very pleased last month at an invitation to join a newly-formed Federal Advisory Committee called the JASON Task Force, helping ONC respond to the JASON Report (“A Robust Health Data Infrastructure”).

We’re charged with making recommendations to ONC about how to proceed toward building practical, broad-reaching interoperability in Meaningful Use Stage 3 and beyond. Our committee is still meeting and forming recommendations throughout the summer and into the fall, but I wanted to share my initial thoughts on the scope of the problem; where we are today; and how we can make real progress as we move forward.


Advisory Committee Kickoff a Success

The SMART Advisory Committee had a high-energy kickoff meeting on May 15. Below are some scenes from the day, which featured presentations by Joshua Mandel and Clayton Christensen as well as demonstrations of apps to be deployed in the near future.

Aneesh Chopra’s New Book Points to Launch of SMART Project

Aneesh Chopra, America’s first Chief Technology Officer and member of the SMART Platforms Advisory Committee, has published a new book called Innovative State: How New Technologies Can Transform Government. The SMART Project’s kickoff ITdotHealth meeting in 2009 is among the formative events he describes in Chapter 4, “Opening the Playbook.” Here he is seen with Ken Mandl at the Harvard Book Store, where he discussed the book on May 21. A video of the talk is provided by WGBH.


Introducing the SMART Advisory Committee

Our new advisory committee, made up of member organizations with strategic interest in transforming how the healthcare enterprise uses data, will play a critical role in guiding the SMART Platform toward broad adoption and use.


The Power of Shared Data

SMART, i2b2, and other open-source technologies made possible by the federal $48B investment in health IT will soon be used as the foundation of SCILHS: the Scalable Collaborative Infrastructure for a Learning Health System. Read the full report from the Harvard Medical School news office.

Based at Harvard Medical School and operating out of 10 health care sites from Massachusetts to Texas, SCILHS will be one of 29 networks in the national Patient-Centered Clinical Research Network (PCORnet). Pictured below are members of the network who made it through the snow to attend the official kickoff meeting held January 22–23 in Washington, D.C.

PCORnet Kickoff Attendees

C-CDA Endoscopy, or Improving Clinical Document Exchange

SMART C-CDA infographic (full-size PDF available)

By David Kreda and Joshua Mandel

2014 will see wide-scale production and exchange of Consolidated CDA documents among healthcare providers. Indeed, live production of C-CDAs is already underway for anyone using a Meaningful Use 2014 certified EHR. C-CDA documents fuel several aspects of meaningful use, including transitions of care and patient-facing download and transmission.

This impending deluge of documents represents a huge potential for interoperability, but it also presents substantial technical challenges. We forecast these challenges with unusual confidence because of what we learned during the SMART C-CDA Collaborative, an eight-month project conducted with 22 EHR and HIT vendors.


PCORI Award Will Support SMART/i2b2 Efforts Toward a Learning Health System

The Patient-Centered Outcomes Research Institute (PCORI) announced today that it will fund an exciting new venture for SMART and collaborators. The Scalable Collaborative Infrastructure for a Learning Health System—SCILHS (pronounced “Skills”)—will use SMART-enabled i2b2 at the following ten sites to help build a National Patient-Centered Clinical Research Network:


Our First Foray into Health Foo

Josh Mandel (left) and Ken Mandl took the opportunity at this past weekend’s Health Foo (friends of O’Reilly) 2013 to exchange ideas about SMART, APIs, health data, and more. Like many of the unconference-style breakout sessions, theirs attracted a small group geared up for a more intimate and spontaneous discussion than the average healthcare/HIT conference. The talk also got a boost from the participation of thought leaders such as Tim O’Reilly, founder of O’Reilly Media and host of the original Foo Camps from which Health Foo evolved; and John Lumpkin, Director of the Health Care Group at Robert Wood Johnson Foundation, which funded the event.

It may be held indoors at the NERD Center, but as the bare feet in this photo’s background suggest, Health Foo still manages to retain the campground flair of its predecessors—complete with drumming, dancing, microbiome sharing, and Smart Bell-ing. For more highlights, see Wen Dombrowski’s whole Storify recap.