Evaluating Interoperability of Medical Communication Protocols via Differential Testing
摘要
Despite ever-increasing expenditures on healthcare, the system remains fragmented, disjointed, and without realizing the benefits of digitalization that other sectors have reaped. Interoperability is a cornerstone of modern healthcare systems, enabling seamless communication and data exchange between diverse clinical settings, providers, and institutions. Effective and accurate interoperability empowers physicians to gather comprehensive medical histories, collaborate with other providers, manage medications accurately, and reduce medical errors. Standards such as FHIR (Fast Healthcare Interoperability Resources) and DICOM (Digital Imaging and Communications in Medicine) have been developed to realize these interoperability goals. However, trouble can arise when different implementations interpret the same item differently. Ensuring that different implementations of these standards consistently interpret and process data remains a significant challenge. Prior research into other formats has shown that inconsistent data generation, parsing, validation, and processing across implementations can lead to misinterpretations and even security vulnerabilities. Prior research has examined interoperability goals in healthcare protocols; however, significant gaps remain in systematically testing and validating the consistency of different implementations. This paper addresses these gaps by applying differential testing to evaluate the interoperability of FHIR and DICOM implementations. We present a novel methodology for identifying parser differentials and deriving a safe subset of the FHIR specification, ensuring that all implementations agree on the interpretation of FHIR records. We reported 59 differentials, including some significant vulnerabilities that attackers can exploit to modify FHIR records, where portions of FHIR records can be hidden from providers. Additionally, we comprehensively analyzed five FHIR servers to derive the validation rules applied by them. Finally, we apply differential testing to DICOM libraries, with initial results uncovering inconsistencies in how different implementations handle non-standard inputs.