Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014

January 28, 2015 Agenda (slide 1)

Meeting Objective: Finalize RESTful Application Programming Interface (API) Security Recommendations

3:00 p.m. Call to Order/Roll Call — Michelle Consolazio, Office of the National Coordinator
3:05 p.m. TSS WG Updates — Dixie Baker, Chair, and Lisa Gallagher, Co-Chair
3:15 p.m. Workgroup Review of Recommendations — Dixie Baker, Chair, and Lisa Gallagher, Co-Chair
4:15 p.m. Discussion of Next Steps
4:25 p.m. Public Comment
4:30 p.m. Adjourn

TSS WG Updates (slide 2)
Dixie Baker, Chair & Lisa Gallagher, Co-Chair

Workgroup Review of Recommendations (slide 3)
Dixie Baker, Chair & Lisa Gallagher, Co-Chair

Considerations (slide 4)

The following are some recommended topics to consider for client and browser software across multiple platforms, including mobile, in enabling Health IT (HIT) to be certified for having implemented a secure application programming interface (API) for information sharing between partners using RESTful APIs:

o Use OAuth 2.0 and OpenID Connect standards with TLS encryption to secure HIT RESTful APIs.
o Use the OAuth 2.0 implementation model most appropriate for the architecture and risk profile of the application.
o OpenID Connect enables single sign-on across multiple applications, which increases the importance of a strong initial login – assure that the method used to initially authenticate the user is sufficiently strong for the application use case.
o Strengthen client and browser software authentication by using standardized signed web tokens* instead of passwords transmitted over the network.
o Use TLS encryption with server-side authentication to assure clients that they are communicating with the correct server and to protect data transmitted across the established link.

*A web token signature is a verified and secure means of representing claims to be transferred between two parties.
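The "signed web tokens" bullet is the one most often implemented incorrectly, so here is an added example (not part of the workgroup's slides) of what a resource server must check before trusting such a token: signature, pinned algorithm, issuer, audience and expiry. It uses a compact JWS (JWT) signed with HMAC-SHA256 purely so that it runs with the standard library; the secret, issuer URL and audience string are constructed placeholders, and a real OpenID Connect deployment would instead verify an asymmetric signature against the provider's published keys.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment would use an asymmetric key (RS256/ES256)
# published by the OpenID Provider and fetched by the relying party over TLS.
SECRET = b"constructed-demo-hmac-key-not-for-production"
ISSUER = "https://as.example.org"      # hypothetical authorization server
AUDIENCE = "ehr-rest-api"              # hypothetical resource server identifier


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a compact JWS (JWT) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, secret: bytes = SECRET, now: Optional[float] = None) -> dict:
    """Return the claims if the token is authentic, unexpired and meant for us; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(sig_b64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm we expect instead of trusting the token's own header;
    # this rejects "alg": "none" and algorithm-confusion tokens outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def rejects(token: str, now: float) -> bool:
    """True if verify_token refuses the token (used for the negative cases below)."""
    try:
        verify_token(token, now=now)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Constructed good token plus three tokens that must be refused."""
    good = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "patient-123", "exp": 2_000_000_000})
    header_b64, _, sig_b64 = good.split(".")
    forged_payload = b64url_encode(json.dumps(
        {"iss": ISSUER, "aud": AUDIENCE, "sub": "patient-999", "exp": 2_000_000_000},
        separators=(",", ":")).encode())
    tampered = f"{header_b64}.{forged_payload}.{sig_b64}"          # payload changed, old signature kept
    unsigned = b64url_encode(b'{"alg":"none"}') + "." + forged_payload + "."  # no signature at all
    return {
        "subject": verify_token(good, now=1_700_000_000)["sub"],
        "rejects_tampered_payload": rejects(tampered, now=1_700_000_000),
        "rejects_alg_none": rejects(unsigned, now=1_700_000_000),
        "rejects_expired": rejects(good, now=2_100_000_000),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the algorithm is pinned before any cryptography runs, the signature is verified before any claim is read, and issuer, audience and expiry are all checked because a validly signed token for a different API or from a different issuer is still not proof of identity here.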

Considerations, Continued (slide 5)

The following are some recommended topics to consider for client and browser software across multiple platforms, including mobile, in enabling Health IT (HIT) to be certified for having implemented a secure application programming interface (API) for information sharing between partners using RESTful APIs:

o Minimize the risk of data exposure through redirect manipulation by using declared redirect Uniform Resource Identifiers (URIs) during client registration.
o Establish and enhance HIT RESTful API security vulnerability testing to minimize evolving cybersecurity risks.
o Ensure appropriate awareness and mitigation of Cross-Site API vulnerabilities.
o Vendors should provide to customers current information regarding HIT technology compatibility and interoperability with browsers and client software/platforms, and potential impacts on security.
o Vendors should incorporate threat monitoring and risk mitigation into the HIT vendor's product management lifecycle.
o ONC should also track the efforts of the OpenID Foundation Health Relationship Trust (HEART) Working Group and the Argonaut Project, both of which are addressing privacy and security for RESTful HIT APIs.
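The first bullet above, declared redirect URIs, is effective only if the authorization server compares the URI in each authorization request against the registered value by exact string match, not by prefix or pattern. The following added example (not from the workgroup or any project it names) shows that check as an authorization server would apply it; the client identifiers and URIs are constructed, and the single relaxation it allows, a variable port for loopback native-app clients, follows RFC 8252 section 7.3.

```python
from urllib.parse import urlsplit

# Constructed registration store: client_id -> redirect URIs declared at registration time.
# Nothing here is read from the request; the request may only pick from this list.
REGISTERED_CLIENTS = {
    "web-portal": ["https://portal.example.org/oauth/callback"],
    "mobile-app": ["http://127.0.0.1/oauth/callback"],   # native app using a loopback redirect
}


class RedirectError(ValueError):
    """Raised when the requested redirect_uri may not be used; the server must not redirect to it."""


def _is_loopback(uri: str) -> bool:
    parts = urlsplit(uri)
    return parts.scheme == "http" and parts.hostname in ("127.0.0.1", "::1")


def _same_loopback_except_port(registered: str, requested: str) -> bool:
    # RFC 8252 7.3: native apps bind an ephemeral port, so the port is the only part allowed to differ.
    r, q = urlsplit(registered), urlsplit(requested)
    return (r.scheme, r.hostname, r.path, r.query, r.fragment) == (q.scheme, q.hostname, q.path, q.query, q.fragment)


def resolve_redirect_uri(client_id: str, requested: str = None) -> str:
    """Return the redirect URI the authorization server may send the user to, or raise RedirectError."""
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        raise RedirectError("unknown client")
    if requested is None:
        # RFC 6749 3.1.2.3: omission is acceptable only when exactly one URI was registered.
        if len(registered) == 1:
            return registered[0]
        raise RedirectError("redirect_uri required when several are registered")
    if "#" in requested:
        raise RedirectError("redirect_uri must not contain a fragment")
    for reg in registered:
        # Exact string comparison: no prefix match, no wildcard, no path normalization.
        if reg == requested:
            return requested
        if _is_loopback(reg) and _is_loopback(requested) and _same_loopback_except_port(reg, requested):
            return requested
    raise RedirectError("redirect_uri does not match a registered value")


def is_allowed(client_id: str, requested: str) -> bool:
    try:
        resolve_redirect_uri(client_id, requested)
        return True
    except RedirectError:
        return False


if __name__ == "__main__":
    for uri in ("https://portal.example.org/oauth/callback",
                "https://portal.example.org/oauth/callback/../other",
                "https://portal.example.org/oauth/callback?next=https://elsewhere.example",
                "https://portal.example.org.evil.test/oauth/callback",
                "http://portal.example.org/oauth/callback"):
        print(is_allowed("web-portal", uri), uri)
```

When the check fails, the correct response is to show an error to the user and not redirect at all; redirecting to the supplied URI with an error parameter would hand the same unvalidated destination the browser it was meant to protect. Several of the rejected cases in the usage block (the appended path, the appended query string, the look-alike host, the downgrade from https to http) are exactly the strings a prefix or "starts with" comparison would have accepted.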