ONC Announces Secure API Server Showdown Challenge

The Office of the National Coordinator for Health IT (ONC) has announced a new challenge that will invite interested stakeholders to build secure FHIR servers using current industry standards and best practices.

In a blog post announcement, ONC introduced the Secure API Server Showdown Challenge, which aims to identify unknown security vulnerabilities in the way open source FHIR servers are implemented, and will result in a hardened code base from which all stakeholders can benefit as they deploy FHIR servers in the future.

The post, from Steven Posnack, director, office of standards and technology, ONC, noted that the Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) standard was released as a first draft standard for trial use in 2014 for implementation in health IT software. Posnack wrote that, “FHIR standard’s security page notes, however, that FHIR ‘is not a security protocol, nor does it define any security related functionality’ so it needs to be paired with appropriate security standards when it comes to deploying, for example, a production-grade FHIR server.”

To this point, Posnack said that many security standards already exist for web services and can be applied to FHIR. Specific to health IT, the Argonaut Project’s Data Query Implementation Guide, being deployed by many health IT developers, points to the SMART APP Authorization Guide for its security layer. “Implementing security in health IT is necessary and some of the specifications are not for the faint-hearted, but it’s important that the industry gets as much experience as possible when deploying secure, FHIR servers,” he wrote.

As such, ONC’s challenge will include two stages. In the first stage, participants will each develop and submit for judging a secured FHIR server. Three winning servers will be chosen to advance to the second stage, where they will face teams of security minded people vying to find security vulnerabilities, according to Posnack.