
Full Challenge Website

Overview

The Secure API Server Showdown Challenge (the “Challenge”) invites interested stakeholders to build a secure Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®)[1] server using current industry technical standards, best practices, and recently issued healthcare-specific implementation guide requirements, including the Substitutable Medical Apps, Reusable Technology (SMART) on FHIR App Authorization technical requirements as specified in the Argonaut Data Query Implementation Guide Version 1.0.0[2]. The Prize Competition will consist of two stages: the Server Build Stage (“Stage 1”) and the Vulnerability Discovery Stage (“Stage 2”), which will include two tracks (a “Server Track” and a “Discovery Track”).

Stage 1 participants will need to develop a secure FHIR server that will ultimately have its source code made publicly available via open source. A maximum of 3 teams’ FHIR servers will be selected as Stage 1 winners based on technical judging criteria and their availability to participate in Stage 2. If a Stage 1 winner is unable to commit to completing the entirety of Stage 2’s “Server Track,” then an alternate Stage 1 winner will be selected for Stage 2’s Server Track. Additionally, Stage 1 winners are ineligible to participate in Stage 2’s Discovery Track. Stage 2’s Discovery Track will be a team-based competition that will award cash prizes based on the identification of “in-scope” security vulnerabilities found in the open source FHIR servers. At the end of Stage 2, all of the confirmed security vulnerabilities will be made public to encourage the industry to update the open source FHIR servers. ONC will be responsible for oversight and management of the competition in its entirety.

The purpose of this prize competition is to stimulate industry investment and engagement in the deployment of “secure” FHIR servers. In addition, we expect that this competition will help identify potentially unknown security flaws in the code used to operate FHIR servers in industry, as well as reinforce the value of following identified technical security best practices. Further, upon its completion, we expect that stakeholders will have greater access to secure, open source FHIR servers that have had their code base further hardened through this competition’s team-based testing. Ultimately, our goal is to see “ready to use”/“turn-key” secure FHIR server code that meets the SMART on FHIR App Authorization technical requirements and on which industry stakeholders can build.

[1] http://hl7.org/fhir/

[2] http://www.fhir.org/guides/argonaut/r2/

$50,000 in prizes

The Office of the National Coordinator for Health Information Technology (ONC) is pleased to announce the Secure API Server Showdown Challenge, which invites interested stakeholders to build a secure FHIR server using current industry standards, best practices, and recently issued healthcare-specific implementation guide requirements.

Winner Announcement:

The Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) has selected Asymmetrik as the Stage 1 winner of the Secure API Server Showdown Challenge. They will deploy and maintain their FHIR server in a test environment provided by ONC throughout the duration of Stage 2’s Server Track and will be eligible to receive $10,000 at the conclusion of the Challenge. The goal of Stage 2 is to further harden the open source FHIR server by enabling dedicated testing of the security components by the participants.

Challenge Rules Clarification:

In order to qualify for a prize, the Stage 2 teams MUST find confirmed vulnerabilities in the FHIR server. Teams will not automatically place in the top 3 and qualify for a prize if no confirmed vulnerabilities are found by the Stage 2 participants.

The Challenge timeline and dates have been changed to accommodate the number of participants. Please see the “Challenge Timeline” section below for the updated schedule.

Challenge Timeline:

Stage 1:

  • Submission Period: October 10, 2017 – January 15, 2018 (by 11:59 p.m. EST)
  • Winners Notified: February 5, 2018 (by 11:59 p.m. EST)
  • Winners Announced: February 6, 2018 (by 11:59 p.m. EST)

Stage 2:

  • Registration Period: January 8, 2018 – February 5, 2018 (by 11:59 p.m. EST)
  • Submission Period: February 20, 2018 – April 9, 2018 (by 11:59 p.m. EDT)
  • Winners Notified: May 14, 2018 (by 11:59 p.m. EDT)
  • Winners Announced: May 15, 2018 (by 11:59 p.m. EDT)

FOR FURTHER INFORMATION CONTACT: Ali Massihi, Ali.Massihi@hhs.gov
