The 21st Century Cures Act, enacted in 2016, marked a pivotal shift in healthcare technology by mandating interoperability and patient access to health data. Central to this transformation is the utilization of Application Programming Interfaces (API), which play a critical role in the seamless exchange of health information. The Interoperability and Patient Access final rule, stemming from this Act, delineates a clear roadmap for healthcare data standards, with a particular emphasis on Health Level 7 (HL7) Fast Healthcare Interoperability Resources (FHIR) standards. This rule also introduces the consumer app API rule, designed to enhance data exchange among diverse health stakeholders. These advancements are instrumental in fostering interoperability and actively engaging patients in their healthcare journey.

This thesis examines the pressing need for robust security measures in the rapid implementation of FHIR servers, highlighted by the Act’s urgent compliance deadlines which may have inadver­tently led to potential security compromises, with a particular emphasis on International Business Machines’ (IBM) FHIR Server. This research is anchored on three pivotal questions:

1. Identifying common security vulnerabilities in FHIR server implementations, specifically IBM’s FHIR Server, and understanding how these vulnerabilities vary across different deployment configurations and usage scenarios.

2. Recommending best practices for enhancing the security of IBM’s FHIR Server based on penetration testing outcomes, while addressing potential challenges in implementing these enhancements.

3. Assessing the impact of FHIR server security vulnerabilities on compliance with healthcare regulations such as Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Regulation (GDPR), and evaluating the role of penetration testing in ensuring regulatory compliance.

This investigation employs empirical security assessments to explore the vulnerabilities inherent in current FHIR server deployments and proposes a series of best practices to mitigate these issues. The findings highlight the critical need for incorporating robust security measures at the early stages of FHIR server implementation to safeguard patient data and comply with legal standards. By detailing the vulnerabilities and offering mitigation strategies, this thesis contributes to the ongoing discussion on securing digital health infrastructures and underscores the importance of rigorous security practices in the rapidly evolving healthcare technology landscape.