ONC wants help exploring FHIR-based servers and their vulnerabilities

ONC officials have launched a challenge to industry stakeholders to build FHIR-based servers and then see if they can be hacked.
(Getty Images)

The Office of the National Coordinator for Health IT is capitalizing on National Cybersecurity Awareness Month to explore how to build secure, interoperable servers for sharing electronic health information, and it wants some help from the public.

ONC officials have launched the Secure API Server Showdown Challenge to industry stakeholders to build Fast Healthcare Interoperability Resources, or FHIR, servers that are deemed secure under current industry standards and then see if they can be hacked.

The challenge offers developers a total of $50,000 in prizes and will be split over two stages.

In the Server Build Stage, teams will build servers operating on FHIR—the draft standard information format and an application programming interface for sharing electronic health records—using industry best practices, technical standards and open source code.


Three teams will advance to the following Vulnerability Discovery Stage based on the technical judging criteria of their server builds. The second stage will consist of two tracks: one where the teams operate their servers and another with team-based hacking to find “’in-scope’ security vulnerabilities” within the servers.

The Server Track teams will then review the security vulnerabilities and be eligible for a $10,000-prize if they operate their servers through the conclusion of the second stage.

The top three hacker teams with the most cumulative confirmed vulnerabilities will be eligible for cash prizes of $7,500, $5,000 and $2,500 respectively. The teams are also eligible for two $2,500 bonus prizes for the most confirmed vulnerabilities discovered in a single server and demonstrated ability to alter patient data on a server.

Those vulnerabilities will be made public at the end of the competition, to inform any future open source updates.

“Ultimately, the Challenge aims to identify unknown security vulnerabilities in the way open source FHIR servers are implemented, and will result in a hardened code base from which all stakeholders can benefit as they deploy FHIR servers in the future,” said Steven Posnack, director of ONC’s Office of Standards and Technology, in a blog post on ONC’s website.


Submissions for the Server Build Stage opened on Oct. 10 and will run through Jan. 15, 2018. Winners will be notified on Feb. 5, 2018.

Registration for the Vulnerability Discovery Stage begins on Jan. 8, 2018 and runs until Feb. 5. Winners will be announced on June 29, 2018.


Carten Cordell

Written by Carten Cordell

Carten Cordell is a Senior Technology Reporter for FedScoop. He is a former workforce and acquisition reporter at Federal Times, having previously served as online editor for Northern Virginia Magazine and Investigative Reporter for, Virginia Bureau. Carten was a 2014 National Press Foundation Paul Miller Fellow and has a Master’s degree from the Medill School of Journalism at Northwestern University. He is also a graduate of Auburn University and promises to temper his passions for college football while in the office.

Latest Podcasts