Playing with FHIR
- Without Getting Burned
David Stewart
david.stewart@approov.io
@approov_io
www.approov.io
Agenda
● FHIR/SMART overview
● How to think about API security
● The challenges of securing FHIR APIs and APIs which use FHIR data
● A 5 step plan for success
● Recommendations
Note! Special offer for attendees at the end of the presentation...
FHIR/SMART Overview
What...
https://kms-technology.com/blog/healthcare/21st-century-cures-act-interoperability-summary.html
...and when
Consider Both API Attack Approaches
1. Attack by exploiting a flaw or vulnerability in the app/API itself.
2. Attack by automating app API traffic to impersonate a genuine source.
Photo by Giorgio Trovato on Unsplash
The API Security Challenge for Mobile
A genuine app limits the range and speed at which a user's data can be manipulated through the API. A bot driving the API directly has no such limit: it can rapidly manipulate and exfiltrate all of your valuable data.
In 2020 the average cost of a data breach was $3.86M (Ponemon).
A Complete View of Protecting APIs
Attack Surface 1: User Credentials
Attack Surface 2: App Integrity
Attack Surface 3: Device Integrity
Attack Surface 4: API Channel Integrity
Attack Surface 5: Service Vulnerabilities
https://blog.approov.io/the-mobile-attack-pyramid
SMART on FHIR Direct Architecture
SMART on FHIR Indirect Architecture
3rd Party mHealth Service Provider
Step 1: Block Malicious Bots and Automated Scripts
“...it’s imperative to determine if the traffic being ingested into the API is synthetic or human, … allowing only authentic apps to make API calls.”
“77% of the apps tested contained hard-coded API keys, tokens, private keys, and hard-coded usernames and passwords.”
https://approov.io/mhealth/hacking/
Step 1: Block Malicious Bots and Automated Scripts
New Way: Require apps to prove that they are your live, authentic apps before authorizing API calls.
New Result: A good solution rejects all bots and automations while not falsely rejecting any valid app, reducing the risk of data breaches in your business.
API breaches due to automated mobile traffic are growing fast. A static API key can be extracted from the app and replayed by a script, so authentication of the app instance itself, not just possession of an API key, is needed to block it.
Step 2: Reject Apps Running in Compromised Environments
If there is even a small pinhole in the platform security, the fraudsters will find it and exploit it. One example is the use of Cloner Apps by end users to have multiple instances of the same app running on a single mobile device. The use of Cloner Apps opens up some pretty serious security holes, and they should be banned in most cases.
https://blog.approov.io/cloner-apps-playing-in-a-shared-sandbox
Step 2: Reject Apps Running in Compromised Environments
New Way: Add run time environmental and app integrity checks on top of platform security.
New Result: Platform checks alone validate an app only at installation time; run time checks extend that validation to every API call. Fraudsters continually push new ways to breach platform security, so the checks must be updated frequently in order to keep your data breach risk low.
Frequent run time checks are how to block app manipulation (such as the cloner apps above) and masked transaction requests that are not caught at install time.
Step 3: Secure API Calls
“The truth is, there are no known hacks of TLS 1. Rather, these hackers were successful not due to faulty TLS, but because of a lack of software-quality processes.”
“...the main criticism facing TLS is that it can be difficult to use safely in real-world environments.”
“...these protocols can only be effective if they’re implemented properly, using proven software-quality processes.”
https://www.electronicdesign.com/technologies/embedded-revolution/article/21807252/11-myths-about-tls
Step 3: Secure API Calls
New Way: Enhance TLS security (for example with certificate pinning) to lock down communication between app and service.
New Result: Done right, enhanced TLS security is effective at protecting API calls and drops your data breach risk dramatically, since attackers can no longer get into the middle of your traffic to observe it or continue their attacks.
Enhancing TLS security blocks attackers from getting between your app and your service, which denies them both the reconnaissance needed to design an attack on the API and the channel needed to execute one.
Step 4: Authorize User Actions in App Context
“The analysis shows attackers are culminating lists of open, exposed databases tied to healthcare entities, which are designed to be monetized by selling the data to other hackers.”
“Researchers found an offering of ‘500,000 French hospital records’ for sale on the dark web, which were analyzed and found to be authentic. These files contained personally identifiable information on patients, as well as their relationships with providers, pharmacies, and the like.”
https://healthitsecurity.com/news/dark-web-analysis-healthcare-risks-tied-to-database-leaks-credentials
Step 4: Authorize User Actions in App Context
New Way: Bind a specific user authentication to the specific app instance the user is using, and expire these bound authentications frequently.
New Result: Fraud relying on stolen user credentials only works while the attacker also holds a short-lived, instance-specific app authentication. As a rough illustration, if user authentication and app authentication each reduce fraud by 5x, binding them together reduces it by 25x rather than the additive 10x of applying them independently.
Combining app and user authentication chokes the scope and velocity of fraudulent transactions.
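Steps 1 and 4 together describe the backend gate: every API call must carry proof that it comes from a live, authentic app instance, and that proof must be bound to the user credential on the same request. The following Go program is an added example, not Approov's code or any vendor's token format: it assumes the attestation service issues a short-lived HS256 JWT whose hypothetical `bind` claim holds base64url(SHA-256) of the user's bearer token, and `mintAppToken` stands in for that service so the example runs offline (in production the app only receives a token after passing the integrity checks of Step 2). The backend rejects a script with no app token, a replayed app token paired with a different stolen user token, an expired token, and an `alg` downgrade. All secrets and tokens are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// appClaims are the claims this example expects in the short-lived app token.
// The claim names are this example's own choice (hypothetical), not a standard.
type appClaims struct {
	Exp  int64  `json:"exp"`            // expiry, Unix seconds
	Bind string `json:"bind,omitempty"` // base64url(SHA-256(user bearer token))
}

var (
	errMissingAppToken = errors.New("no app token: request is not from an attested app")
	errBadSignature    = errors.New("app token signature or algorithm invalid")
	errExpired         = errors.New("app token expired")
	errBindingMismatch = errors.New("app token is not bound to this user token")
)

var b64 = base64.RawURLEncoding

func sign(secret []byte, signingInput string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// bindingHash is the value the app must place in the "bind" claim: a hash of the
// exact user credential it will send alongside the app token on each request.
func bindingHash(userToken string) string {
	sum := sha256.Sum256([]byte(userToken))
	return b64.EncodeToString(sum[:])
}

// mintAppToken stands in for the attestation service: an HS256 JWT over the claims.
func mintAppToken(secret []byte, c appClaims) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(c)
	signingInput := header + "." + b64.EncodeToString(body)
	return signingInput + "." + sign(secret, signingInput)
}

// verifyAppToken checks algorithm, signature and expiry of the app token.
func verifyAppToken(secret []byte, token string, now time.Time) (*appClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errMissingAppToken
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errBadSignature // refuse "none" and any other algorithm substitution
	}
	expected := sign(secret, parts[0]+"."+parts[1])
	if !hmac.Equal([]byte(expected), []byte(parts[2])) {
		return nil, errBadSignature
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, errBadSignature
	}
	var c appClaims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, errBadSignature
	}
	if now.Unix() >= c.Exp {
		return nil, errExpired
	}
	return &c, nil
}

// authorizeRequest is the backend gate: a valid app token is required on every call,
// and it must be bound to the user credential presented on the same request.
func authorizeRequest(secret []byte, appToken, userToken string, now time.Time) error {
	if appToken == "" {
		return errMissingAppToken
	}
	c, err := verifyAppToken(secret, appToken, now)
	if err != nil {
		return err
	}
	if c.Bind == "" || !hmac.Equal([]byte(c.Bind), []byte(bindingHash(userToken))) {
		return errBindingMismatch
	}
	return nil
}

func main() {
	secret := []byte("demo-secret-shared-with-attestation-service") // constructed
	now := time.Unix(1_700_000_000, 0)
	userToken := "user-access-token-abc" // constructed stand-in for the SMART/OAuth access token
	appToken := mintAppToken(secret, appClaims{Exp: now.Unix() + 300, Bind: bindingHash(userToken)})

	fmt.Println("genuine app:         ", authorizeRequest(secret, appToken, userToken, now))
	fmt.Println("script, no app token:", authorizeRequest(secret, "", userToken, now))
	fmt.Println("stolen user token:   ", authorizeRequest(secret, appToken, "stolen-token-xyz", now))
	fmt.Println("replay after expiry: ", authorizeRequest(secret, appToken, userToken, now.Add(10*time.Minute)))
}
```

The binding is what turns two independent checks into one: a harvested user credential is useless without a fresh app token that was minted for that exact credential, and a leaked app token is useless after its short lifetime or with any other user credential. Note that the check is order-sensitive on purpose: the app token is verified before the user credential is consulted, so unauthenticated scripts are rejected before they reach the user-facing authorization logic.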
Step 5: Keep Security Capabilities Up To Date With Emerging Threats
“We experienced an attack against one of our API endpoints which caused one of our key features to go Out of Service. As a result we spent many man-days putting in place some in-house security but we knew this was only a band-aid and we would quickly need to find something better.”
— Ben Levy, VP Engineering, Temi.
Step 5: Keep Security Capabilities Up To Date With Emerging Threats
New Way: Over-the-air security updates.
New Result: Security capabilities can be enhanced continuously and immediately against emerging threats, without releasing a new app version or asking users to upgrade, so breach risk is cut as soon as a new threat is understood.
Case Study: Protecting Patient Data While Delivering Agility To Physicians
“Approov plugged an immediate hole which pentesting had exposed in our platform, and we calculate that the adoption of Approov will bring us a 10x RoI.”
— Tiago Calado, Software Development Mgr, MV.
https://approov.io/download/Approov-MV-Story.pdf
SMART on FHIR Anti-Burn Recommendations
● Decide that you don’t want/need to be a security expert
● Understand that API vulnerabilities are not your only API risk: automated abuse of a correctly functioning API is the other
● Understand that mobile apps present unique security challenges
● Implement the 5 step plan!
○ Authenticate apps
○ Check device/environment
○ Implement TLS correctly
○ Authorize users in app context
○ Monitor and react to emerging threats
Offer to APIdays NY Attendees
● First 5 to sign up to 30 day free trial
● Find out how much automated traffic you have...
● Additional, Free, Pre-deployment checklist review:
○ Security policies
○ Frontend implementation
○ Backend implementation
○ Pinning implementation
○ Testing strategy
○ Common issues
● Enter code ‘APIdays NY’ into the Any Other Information box
https://approov.io/signup david.stewart@approov.io
apidays LIVE New York 2021 - Playing with FHIR without getting burned by David Stewart, Approov