Presentation is loading. Please wait.

Presentation is loading. Please wait.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

Published byLisa Hampton Modified over 8 years ago

Similar presentations

Presentation on theme: "Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014."— Presentation transcript:

1 Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014

2 January 28, 2015 Agenda 1 3:00 p.m. Call to Order/Roll Call — Michelle Consolazio, Office of the National Coordinator Meeting Objective: Finalize RESTful Application Programming Interface (API) Security Recommendations 3:05 p.m. TSS WG Updates — Dixie Baker, Chair — Lisa Gallagher, Co-Chair 3:15 p.m. Workgroup Review of Recommendations — Dixie Baker, Chair — Lisa Gallagher, Co-Chair 4:15 p.m. Discussion of Next Steps 4:25 p.m. Public Comment 4:30 p.m. Adjourn

3 TSS WG UPDATES Dixie Baker, Chair & Lisa Gallagher, Co-Chair 2

4 WORKGROUP REVIEW OF RECOMMENDATIONS Dixie Baker, Chair & Lisa Gallagher, Co-Chair 3

5 Considerations The following are some recommended topics to consider for client and browser software across multi-platforms including mobile in enabling Health IT (HIT) to be certified for having implemented a secure application programming interface (API) for information sharing between partners using RESTful APIs: o Use OAuth 2.0 and OpenID Connect standards with TLS encryption to secure HIT RESTful APIs. o Use the OAuth 2.0 implementation model most appropriate for the architecture and risk profile of the application. o OpenID Connect enables single sign-on across multiple applications, which increases the importance of a strong initial login – assure that the method used to initially authenticate the user is sufficiently strong for the application use case. o Strengthen client and browser software authentication by using standardized signed web tokens* instead of passwords transmitted over the network. o Use TLS encryption with server side authentication to assure clients that they are communicating with the correct server and to protect data transmitted across the established link. *A web token signature is a verified and secure means of representing claims to be transferred between two parties 4

6 Considerations- Continued The following are some recommended topics to consider for client and browser software across multi-platforms including mobile in enabling Health IT (HIT) to be certified for having implemented a secure application programming interface (API) for information sharing between partners using RESTful APIs: o Minimize the risk of data exposure through redirect manipulation by using declared redirect Unique Resource Identifiers (URIs) during client registration. o Establish and enhance HIT RESTful API security vulnerability testing to minimize evolving cybersecurity risks. o Ensure appropriate awareness and mitigation of Cross-Site API vulnerabilities. o Vendors should provide to customers current information regarding HIT technology compatibility and interoperability with browsers and client software/platforms, and potential impacts on security. o Vendors should incorporate threat monitoring and risk mitigation into the HIT vendor’s product management lifecycle. o ONC should also track the efforts of the OpenID Foundation Health Relationship Trust (HEART) Working Group and the Argonaut Project, both of which are addressing privacy and security for RESTful HIT APIs 5

Download ppt "Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014."

Similar presentations

HCQ P MEDICARES HEALTH CARE QUALITY IMPROVEMENT PROGRAM QualityNet Exchange Dennis Stricker Director, Information Systems Group Office of Clinical Standards.

HCQ P MEDICARES HEALTH CARE QUALITY IMPROVEMENT PROGRAM QualityNet Exchange Dennis Stricker Director, Information Systems Group Office of Clinical Standards.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Blue Button + and OAuth 2.0 Transport & Security Standards Workgroup October 8, 2014.

Blue Button + and OAuth 2.0 Transport & Security Standards Workgroup October 8, 2014.
Secure RESTful Interface Profile Phase 1 Briefing

Secure RESTful Interface Profile Phase 1 Briefing
Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March 11, 2015.

Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March 11, 2015.
CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication E-Mail Security E-Mail Security Secure Sockets Layer Secure.

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.
Recommendations on Certification of EHR Modules HIT Standards Committee Privacy and Security Workgroup April 11, 2014.

Recommendations on Certification of EHR Modules HIT Standards Committee Privacy and Security Workgroup April 11, 2014.
© 2014 The MITRE Corporation. All rights reserved. Mark Russell OAuth and OpenID Connect Risks and Vulnerabilities 12/3/2014 Approved for Public Release;

© 2014 The MITRE Corporation. All rights reserved. Mark Russell OAuth and OpenID Connect Risks and Vulnerabilities 12/3/2014 Approved for Public Release;
Interoperability Roadmap Comments Package Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair February 24, 2015.

Interoperability Roadmap Comments Package Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair February 24, 2015.
Securing Insecure Prabath Siriwardena, WSO2 Twitter

Securing Insecure Prabath Siriwardena, WSO2 Twitter
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Information Security Policies and Standards

Information Security Policies and Standards
Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.

Update on Interoperability Roadmap Comments Sections E, F, and G Transport & Security Standards Workgroup Dixie Baker, chair Lisa Gallagher, co-chair March.
Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic.

Dr. Sarbari Gupta Electrosoft Services Tel: (703) Security Characteristics of Cryptographic.
User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.

User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.
Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Single-Sign On and Federated Identity.

Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Single-Sign On and Federated Identity.
Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.

Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.

Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
©2012 Check Point Software Technologies Ltd. Cloud Security Tamir Zegman Architect.

©2012 Check Point Software Technologies Ltd. Cloud Security Tamir Zegman Architect.

Similar presentations

Ads by Google