Advisory: Web Gateway Apache Web Server Logs Request PHI and Potentially the JWT Token Credential

This problem affects all versions of the following products:

• InterSystems IRIS® for Health
• InterSystems Health Connect™
• HealthShare Unified Care Record®
• HealthShare® Information Exchange

Requirements:

• InterSystems FHIR Server with web gateway

Default web gateway containers use a logging format that may expose PHI to administrators reviewing access logs. The FHIR standard allows query parameters (including PHI) to be added directly to query URLs.

Customers are encouraged to assess and modify their web gateway logging configuration to avoid query strings and sensitive fields. Where possible, customers are also encouraged to use FHIR POST queries with sensitive parameters in the request body rather than the URL. See the FHIR search specification for more information.