
Winner Announcement

The Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) today announced the Stage 2 winner of the “Secure API Server Showdown” Challenge. Application programming interfaces (APIs) are technology that allows one software program to access the services provided by another software program. The 21st Century Cures Act calls for the development of APIs that do not require “special effort” for developers to access and exchange health information.

The challenge sought to engage the health IT industry to identify Fast Healthcare Interoperability Resources (FHIR®) servers that reinforce the value of following technical security best practices on an industry-wide scale. These best practices ensure that the most widely accepted and effective measures are taken, resulting in a high-quality, secure FHIR server and further helping to protect the health information it contains. The winner of the challenge is 1UpHealth.

In Stage 1 of the challenge, Asymmetrik built a secure, Health Level 7 (HL7®) FHIR server using current industry technical standards, best practices, and recently issued healthcare-specific technical requirements for security. This included using the Substitutable Medical Apps, Reusable Technology (SMART) App Authorization Guide.

To win stage 2, participants were tasked with finding weaknesses in the FHIR server developed by Asymmetrik. 1UpHealth identified ways to strengthen the open source FHIR server, improving the overall security of the server and supporting the sensitive patient data being stored or transmitted.

As a result of this challenge, a unique open source FHIR implementation using JavaScript, Node.js and MongoDB is now available for industry developers to build upon. This implementation meets the security technical requirements as specified in the Argonaut Data Query Implementation Guide Version 1.0.0. The source code is available for public use on GitHub.

Overview

The Secure API Server Showdown Challenge (the “Challenge”) invites interested stakeholders to build a secure, Health Level 7 (HL7®) Fast Healthcare Interoperability Resources (FHIR®)[1] server using current industry technical standards, best practices, and recently issued healthcare-specific implementation guide requirements, including the Substitutable Medical Apps, Reusable Technology (SMART) on FHIR App Authorization technical requirements as specified in the Argonaut Data Query Implementation Guide Version 1.0.0[2]. The Prize Competition will consist of two stages: the Server Build Stage (“Stage 1”) and the Vulnerability Discovery Stage (“Stage 2”), which will include two tracks (a “Server Track” and a “Discovery Track”).

Stage 1 participants will need to develop a secure FHIR server that will ultimately have its source code made publicly available via open source. A maximum of 3 teams’ FHIR servers will be selected as Stage 1 winners based on technical judging criteria and their availability to participate in Stage 2. If a Stage 1 winner is unable to commit to completing the entirety of Stage 2’s “Server Track,” then an alternate Stage 1 winner will be selected for Stage 2’s Server Track. Additionally, Stage 1 winners are ineligible to participate in Stage 2’s Discovery Track. Stage 2’s Discovery Track will be a team-based competition that will award cash prizes based on the identification of “in-scope” security vulnerabilities found in the open source FHIR servers. At the end of Stage 2, all of the confirmed security vulnerabilities will be made public to encourage the industry to update the open source FHIR servers. ONC will be responsible for oversight and management of the competition in its entirety.

The purpose of this prize competition is to stimulate industry investment and engagement in the deployment of “secure” FHIR servers. In addition, we expect that this competition will help identify potentially unknown security flaws in the code used to operate FHIR servers in industry, as well as reinforce the value of following identified technical security best practices. Further, upon its completion, we expect that stakeholders will have greater access to secure, open source FHIR servers that have had their code base further hardened through this competition’s team-based testing. Ultimately, our goal is to see “ready to use”/“turn-key” secure, FHIR server code that meets the SMART on FHIR App Authorization technical requirements and on which industry stakeholders can build.

[1] http://hl7.org/fhir/

[2] http://www.fhir.org/guides/argonaut/r2/

$50,000 in prizes

The Office of the National Coordinator for Health Information Technology (ONC) is pleased to announce the Secure API Server Showdown Challenge, which invites interested stakeholders to build a secure, FHIR server using current industry standards, best practices, and recently issued healthcare-specific implementation guide requirements.

Challenge Rules Clarification:

In order to qualify for a prize, the Stage 2 teams MUST find confirmed vulnerabilities in the FHIR server. Teams will not automatically place in the top 3 and qualify for a prize if no confirmed vulnerabilities are found by the Stage 2 participants.

The Challenge timeline and dates have been changed to accommodate the number of participants. Please see the “Challenge Timeline” section below for the updated schedule.

Challenge Timeline:

Stage 1:

  • Submission Period: October 10, 2017 – January 15, 2018 (by 11:59 p.m. EST)
  • Winners Notified: February 5, 2018 (by 11:59 p.m. EST)
  • Winners Announced: February 6, 2018 (by 11:59 p.m. EST)

Stage 2:

  • Registration Period: January 8, 2018 – February 5, 2018 (by 11:59 p.m. EST)
  • Submission Period: February 20, 2018 – April 9, 2018 (by 11:59 p.m. EDT)
  • Winners Notified: May 14, 2018 (by 11:59 p.m. EDT)
  • Winners Announced: May 15, 2018 (by 11:59 p.m. EDT)

FOR FURTHER INFORMATION CONTACT: Ali Massihi, Ali.Massihi@hhs.gov