Secure API Server Showdown Challenge

Stage 1:

• Submission Period: October 10, 2017 – January 15, 2018 (by 11:59 p.m. EST)
• Winners Notified: February 5, 2018 (by 11:59 p.m. EST)
• Winners Announced: February 6, 2018 (by 11:59 p.m. EST)

Stage 2:

• Registration Period: January 8, 2018 – February 5, 2018 (by 11:59 p.m. EST)
• Submission Period: February 20, 2018 – April 9, 2018 (by 11:59 p.m. EDT)
• Winners Notified: May 14, 2018 (by 11:59 p.m. EDT)
• Winners Announced: May 15, 2018 (by 11:59 p.m. EDT)

FOR FURTHER INFORMATION CONTACT: Ali Massihi, [email protected]

STAGE 1 – SERVER BUILD STAGE

Server Build Stage Duration: Approximately 12 weeks

Stage 1 requires participants to build a secure, open source FHIR server using the SMART on FHIR Authorization specification as referenced in the Argonaut Data Query Implementation Guide Version 1.0.0 (http://www.fhir.org/guides/argonaut/r2/). The main goal of Stage 1 is for participants to implement the SMART on FHIR Authorization specification into an existing open source FHIR code base and to develop a “secure” FHIR server. The open source FHIR servers will be scored using the judging criteria provided in this notice.

The top 3 Server Build Stage winners will each qualify to win a prize of $10,000 by the end of the Challenge. In order to be eligible to receive the $10,000 prize, the winners MUST agree to deploy and maintain their FHIR server in a test environment provided by ONC throughout the duration of Stage 2’s Server Track. If a Stage 1 winner determined on technical merit cannot commit to participate in Stage 2’s Server Track, they will be disqualified and an alternate winner will be selected. Additionally, while Stage 1 winners are encouraged to fix/patch all confirmed security vulnerabilities at the conclusion of Stage 2’s Server Track, they MUST publicly provide a complete list of confirmed security vulnerabilities discovered at the end of the Challenge.

Stage 1 Requirements: Submit by the deadline of January 15, 2018 by 11:59 p.m. EST

• Source code and deployment artifacts for the open source FHIR server (or a link to the artifacts) must be submitted.
• Ability to remotely provide a live demonstration to judges using WebEx or other “virtual-meeting” applications.

FHIR Server Requirements

• The FHIR server must be conformant to the Argonaut Data Query Implementation Guide Version 1.0.0.
  • http://www.fhir.org/guides/argonaut/r2/
• The FHIR server must be conformant to the Argonaut Data Query Implementation Guide Server.
  • http://www.fhir.org/guides/argonaut/r2/Conformance-server.html
• The server must be conformant to the SMART App Authorization Guide.
  • http://docs.smarthealthit.org/authorization/
• The FHIR server must be preloaded with test data for at least 10 individuals that cover all the FHIR resource profiles presented in the Argonaut Data Query Implementation Guide Version 1.0.0.
  • http://docs.smarthealthit.org/data/dstu2-sandbox-data
  • http://fhirtest.uhn.ca/
  • Test Data: https://fhir.sitenv.org/fhirconformance/
• While not explicitly required by the FHIR server specifications, participants are highly encouraged to implement the “Best Practices in Authorization for SMART on FHIR EHRs” document as this will factor into the judges’ scoring.
  • http://docs.smarthealthit.org/authorization/best-practices/

 

Stage 1 Participant Commitments

Participants must agree to the following commitments in order to be fully considered as a Stage 1 winner:

• To deploy 4 working versions (instances) of their FHIR servers in an ONC provided test environment for each round of testing (approximately 4 weeks per round), for 3 rounds of testing by participants in Stage 2.
• To deploy working instances of their FHIR servers at the start of each new round of testing.
• To give access to a single testing team (of up to 10 team members) on each FHIR server instance for each round.
• To maintain all FHIR server instances available for testing for the entire Stage 2 competition period.
• To track, log, and confirm all identified security vulnerabilities during Stage 2.
• To submit a FHIR server source code via open source (GitHub) at the conclusion of Stage 2 and include a list of all confirmed security vulnerabilities discovered during Stage 2.

Server Build Stage Prizes:

Three (3) winners will be selected to move on to Stage 2’s Server Track. No prize amounts will be awarded at the conclusion of Stage 1. Stage 1 winners will be awarded a $10,000 prize after fulfilling their responsibilities as part of Stage 2’s Server Track.

Server Build Stage Judging Criteria:

The Server Build Stage will be judged based on the following requirements:

• 70%: Fulfillment of the technical requirements laid out in “FHIR Server Requirements.”
• 20%: Demonstration that the FHIR server is in full working order and that it can be readily deployed as part of Stage 2’s Server Track.
• 10%: Additional criteria based on judges’ assessment of adherence to various industry security best practices as referenced in the “FHIR Server Requirements” section above.

STAGE 2 – VULNERABILITY DISCOVERY STAGE

Vulnerability Discovery Stage Duration: Approximately 12 weeks

The main goal of Stage 2 is to further harden the open source FHIR servers by enabling dedicated testing of the security components by participants. Participants will test the winning FHIR servers from Stage 1 and identify potential security vulnerabilities. This will help improve the security of current and future open source FHIR servers and add to the security best practices for use of SMART on FHIR authorization. Stage 2 will consist of two formal tracks: the Server Track and the Discovery Track.

Server Track

Stage 1 winners will be the only teams eligible to participate in Stage 2’s Server Track. As part of the Server Track, participants will need to fulfill the commitments that they agreed to in order to be selected as a Stage 1 winner. Additionally, during Stage 2’s Server Track, these teams will need to review and adjudicate potential security vulnerabilities submitted to them by Stage 2’s Discovery Track teams. Lastly, at the conclusion of Stage 2, participants in the Server Track must submit their FHIR server source code via open source (GitHub) and include a list of all confirmed security vulnerabilities discovered during Stage 2.

Discovery Track

The Discovery Track will consist of 3 rounds in which teams will have approximately 4 weeks to test and discover security vulnerabilities in each of the servers that are deployed as part of Stage 2’s Server Track. A maximum of 12 testing teams will be selected based on a first come first serve basis so long as the following requirements are submitted as part of a complete application:

• Testing teams must consist of a MINIMUM of 5 members and a MAXIMUM of 10 members.
• A “team leader” and “alternate leader” must be assigned for each team and a preferred email address must be provided as a means of communication throughout the competition. Note: The team leader will be the primary point of contact and is the individual to whom prize(s) will be paid. The team leader is solely responsible for disbursing the prize winnings among the team members.
• The names of all team members must be provided at the time of registration.
• Note: Stage 1 winners are ineligible to participate in Stage 2’s Discovery Track.

Discovery Track Requirements

• Testing teams will submit identified security vulnerabilities to ONC in sufficient detail to allow the participants in the Server Track to confirm the security vulnerabilities.
• “In-scope” security vulnerability testing must be limited to the read-only Application Programming Interfaces (APIs) of the FHIR server.
• All non-API specific security vulnerability targets, including hardware, operating system, database, network systems, physical security, business processes, social engineering, or other elements not associated with the FHIR APIs are out of scope for testing and will NOT be given credit as a confirmed vulnerability.
• Vulnerability testing should focus on the following areas: login session/OAuth 2.0 assessments, transport layer security assessments, and API call-based assessments.

Discovery Track Participant Commitments

Discovery Track participants must agree to the following commitments in order to be considered for a Stage 2 Discovery Track prize:

• Provide evidence of all security vulnerabilities discovered within the FHIR servers as indicated in the “Submission” section above.
• Submit potential security vulnerabilities as they are discovered to allow sufficient time for participants in the Server Track to review and confirm security vulnerabilities or reject submissions.
• All potential security vulnerabilities must be submitted no later than 11:59 p.m. EDT on the last day of each team’s “round” of testing with the applicable FHIR server. Potential vulnerabilities submitted after a team’s testing round with a particular FHIR server will not be counted.

Testing teams must submit, at a minimum, the following for a potential security vulnerability: summary of the vulnerability, the steps to reproduce it, and any other supporting materials the team believes will lead to the vulnerability being conclusively confirmed (e.g., videos, screenshots, logs, etc.). The Challenge website will be the formal mechanism by which Discovery Track teams will submit potential security vulnerabilities for confirmation. Submission directions and the mechanism to submit will be made available on the Challenge’s website.

Server Track Prizes:

• Each Stage 1 winner that completes Stage 2’s Server Track requirements will be awarded a $10,000 prize.

Server Track Judging Criteria:

• The team reviews and adjudicates all potential security vulnerabilities submitted to them by Stage 2’s Discovery Track teams.
• At the conclusion of Stage 2, the team has submitted their FHIR server source code via open source (GitHub) and included a list of all confirmed security vulnerabilities discovered during Stage 2.

Discovery Track Prizes:

• Each team will be eligible to win up to $12,500 in prizes.
• Each team who wins a category will be awarded the associated prize amount.
• The prize money will be distributed after completion of Stage 2.
• Most number of confirmed vulnerabilities discovered:
  • 1^st Prize – $7,500
  • 2^nd Prize – $5,000
  • 3^rd Prize – $2,500
• “Bonus” Categories:
  • $2,500 – Most confirmed security vulnerabilities discovered in a single server.
  • $2,500 – Successfully being able to manipulate health data via a FHIR server’s read-only APIs.

Note: In the event of a first-place tie, the 1^st and 2^nd Prizes will be added together and distributed evenly among the two teams, and the 3^rd Prize will go to the next winning team. In the event of a second-place tie, the 1^st Prize will go to the winning team individually, and the 2^nd and 3^rd Prizes will be added together and evenly distributed among the two remaining winning teams. In the event of a tie that includes 3 or more teams at a specific prize level, that prize and any lesser prize(s) will be added together and evenly distributed to the winning teams. Additionally, the allocated prize money for a Bonus category will be evenly distributed among the winning teams.

Discovery Track Judging Criteria:

• Most number of confirmed security vulnerabilities discovered in all FHIR servers.
• Bonus Categories:
  • Most number of confirmed vulnerabilities on a single FHIR server, as verified by the applicable Server Track participant.
  • Ability to change patient data via a FHIR server’s read-only APIs.

To be eligible to win a prize under this Challenge, an individual or entity:

1. Shall have registered to participate in the Challenge under the rules promulgated by ONC.
2. Shall have complied with all the stated requirements of the appropriate Stage of the “Secure API Server Showdown” Challenge.
3. In the case of an entity, shall be incorporated in and maintained a primary place of business in the United States, and in the case of an individual, whether participating singly or in a group, shall be a citizen or permanent resident of the United States.
4. Shall not be an HHS employee.
5. May not be a federal entity or federal employee acting within the scope of their employment. We recommend that all non-HHS federal employees consult with their agency Ethics Official to determine whether the federal ethics rules will limit or prohibit the acceptance of a prize under this prize competition.
6. Federal grantees may not use federal funds to participate in this prize competition unless such participation is consistent with the purpose of their grant award.
7. Federal contractors may not use federal funds from a contract to participate in this prize competition or to fund efforts in support of a submission for this prize competition.
8. All individual members of a team must meet the eligibility requirements.

An individual or entity shall not be deemed ineligible because the individual or entity used federal facilities or consulted with federal employees during a prize competition if the facilities and employees are made available to all individuals and entities participating in the prize competition on an equitable basis.

Participants must agree to assume any and all risks and waive claims against the Federal Government and its related entities, except in the case of willful misconduct, for any injury, death, damage, or loss of property, revenue, or profits, whether direct, indirect, or consequential, arising from my participation in this prize contest, whether the injury, death, damage, or loss arises through negligence or otherwise.

Participants shall be financially responsible for claims by— (A) any third party for death, bodily injury, or property damage, or loss resulting from an activity carried out in connection with participation in the prize competition and all registered participants agree to indemnify the Federal Government against third party claims for damages arising from or related to their prize competition activities; and (B) the Federal Government for damage or loss to Government property resulting from such an activity.

In order for a submission to be eligible to win this prize competition, it must meet the following requirements:

1. No HHS or ONC logo – The product must not use HHS’ or ONC’s logos or official seals and must not claim endorsement.
2. Functionality/Accuracy – A product may be disqualified if it fails to function as expressed in the description provided by the Submitter, or if it provides inaccurate or incomplete information.
3. Security – Submissions must be free of malware. Submitter agrees that ONC may conduct testing on the product to determine whether malware or other security threats may be present. ONC may disqualify the submission if, in ONC’s judgment, it may damage government or others’ equipment or operating environment.

How to Enter:

Although not required, participants are asked to submit a non-binding Letter of Intent (LOI) stating their interest to participate in either stage of the competition. LOI’s should be sent within the applicable Stage’s submission period indicated in the “Challenge Timeline” section at the beginning of this document. Please send your Letter of Intent (email or word document) to [email protected]

Submissions:

All submissions will be made via the Secure API Server Showdown Challenge website during the applicable submission period as indicated in the “Challenge Timeline” section of this document. Additional instructions and challenge information will be provided on the challenge website as well.

Payment of the Prize:

Prize will be paid by contractor.

Basis upon Which Winner Will Be Selected:

Eligible challenge entries will be judged by a review panel composed of federal employees and experts in compliance with the requirements of the America COMPETES Act and the Department of Health and Human Services judging guidelines: http://www.hhs.gov/idealab/wp-content/uploads/2014/04/HHS-COMPETITION-JUDGING-GUIDELINES.pdf. The review panel will make selections based upon the criteria outlined below.

General Conditions: ONC reserves the right to cancel, suspend, and/or modify the Contest, or any part of it, for any reason, at ONC’s sole discretion.

Submissions: Winning submissions must make the source code or executable code publicly and openly available. The code must be posted to GitHub and be available through the open source MIT License.

Intellectual Property: Each entrant retains title and full ownership in and to their submission.  Entrants expressly reserve all intellectual property rights not expressly granted under this prize competition announcement, including the grant of a license as noted in the ‘submissions’ section above. By participating in the prize competition, each entrant hereby irrevocably grants to ONC a limited, non-exclusive, royalty-free, worldwide license and right to reproduce, publicly perform, publicly display, and use the Submission to the extent necessary to administer the prize competition, and to publicly perform and publicly display the Submission, including, without limitation, for advertising and promotional purposes relating to the prize competition.

By entering the Challenge, each applicant represents, warrants and covenants as follows:

• Applicant is the sole author, creator, and owner of the Submission;
• The Submission is not the subject of any actual or threatened litigation or claim;
• The Submission does not and will not violate or infringe upon the intellectual property rights, privacy rights, publicity rights, or other legal rights of any third party; and
• The Submission, and Applicants’ use of the Submission, does not and will not violate any applicable laws or regulations, including, without limitation, applicable export control laws and regulations of the U.S. and other jurisdictions.

If the Submission includes any third party works (such as third party content), Applicant must be able to provide, upon request, documentation of all appropriate licenses and releases for such third party works, consistent with this Challenge’s license requirements in the “Additional Information” section. If Applicant cannot provide documentation of all required licenses and releases, Federal Agency sponsors reserve the right, at their sole discretion, to disqualify the applicable Submission. Applicants must indemnify, defend, and hold harmless the Federal Government from and against all third party claims, actions, or proceedings of any kind and from any and all damages, liabilities, costs, and expenses relating to or arising from Applicant’s Submission or any breach or alleged breach of any of the representations, warranties, and covenants of Applicant hereunder. The Federal Agency sponsors reserve the right to disqualify any Submission that, in their discretion, deems to violate these Official Rules, Terms & Conditions.