
arxiv: 2604.03043 · v1 · submitted 2026-04-03 · 💻 cs.CR · cs.AI

Analyzing Healthcare Interoperability Vulnerabilities: Formal Modeling and Graph-Theoretic Approach

Pith reviewed 2026-05-13 19:52 UTC · model grok-4.3

classification 💻 cs.CR cs.AI
keywords: FHIR, race conditions, healthcare interoperability, graph theory, concurrency vulnerabilities, HL7 security, synthetic transaction logs

The pith

A graph model called FRAG detects three classes of race conditions in concurrent FHIR resource access that sequential methods overlook.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces FRAG, a formally defined graph where nodes are concurrent processes accessing shared patient resources and typed edges represent access events. Race conditions appear as identifiable structural patterns rather than requiring sequential assumptions. The model specifies three clinically relevant classes: simultaneous write conflicts, TOCTOU authorization violations, and cascading update races. A three-pass traversal algorithm implements detection and is evaluated on synthetic FHIR R4 logs, showing markedly higher performance than a time-window baseline under full concurrency. This approach fills a gap in FHIR security research by treating concurrent access as the norm instead of an edge case.

Core claim

The central claim is that the FHIR Resource Access Graph (FRAG), defined as G = (P, R, E, {λ}, {τ}, S), encodes concurrency vulnerabilities in healthcare interoperability as detectable graph properties. Nodes represent processes, edges capture resource access events with labels for timing and state, and three race classes—Simultaneous Write Conflict (SWC), TOCTOU Authorization Violation (TAV), and Cascading Update Race (CUR)—are formally specified. The model is realized as a three-pass graph traversal algorithm that achieves a 90.0% F1 score on 1,500 synthetic logs under full concurrent access, compared with 25.5% for the baseline.

What carries the argument

The FHIR Resource Access Graph (FRAG): a directed multigraph with process nodes, typed access edges, and auxiliary label and state sets, which turns race conditions into structural detection tasks.
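As an added illustration (not the paper's code and not its formal definitions), here is a toy three-pass detector over constructed access events, using simplified readings of the three classes as the page describes them: each access is an interval [t0, t1] on one resource, S is a set of ETag-protected resource ids, TAV is a permission revoked inside an access window, and a CUR chain is modelled as stale read, then a dependent write by the same process, then a downstream read by a third process. All names, timestamps and the chain rule are assumptions.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Access:
    """One typed edge: process -> resource; op is the tau label, t0/t1 the lambda timing labels."""
    proc: str   # element of P (EHR, Lab, CDS, ...)
    res: str    # element of R (a FHIR resource instance)
    op: str     # "READ" or "WRITE"
    t0: float   # start of access (check time)
    t1: float   # end of access (use/commit time)

def overlaps(a, b):
    """Same resource, intersecting intervals: no happens-before order between them."""
    return a.res == b.res and a.t0 < b.t1 and b.t0 < a.t1
def detect_swc(events, sync=frozenset()):
    """Pass 1, SWC: two concurrent WRITEs on a resource not covered by S."""
    return sorted({(a.proc, b.proc, a.res) for a, b in combinations(events, 2)
                   if a.op == b.op == "WRITE" and overlaps(a, b) and a.res not in sync})
def detect_tav(events, revoked):
    """Pass 2, TAV: permission on (proc, res) revoked strictly inside [t0, t1]."""
    return sorted((e.proc, e.res) for e in events
                  if (e.proc, e.res) in revoked and e.t0 < revoked[(e.proc, e.res)] < e.t1)
def detect_cur(events):
    """Pass 3, CUR (assumed chain rule): p1 READs r while p2 WRITEs it (stale read),
    p1 later WRITEs r', and a third process p3 READs r' afterwards: depth 2."""
    stale = [r for r in events if r.op == "READ" and any(
        w.op == "WRITE" and w.proc != r.proc and overlaps(r, w) for w in events)]
    found = set()
    for s in stale:
        for w in events:
            if w.proc == s.proc and w.op == "WRITE" and w.t0 >= s.t1:
                for d in events:
                    if d.op == "READ" and d.res == w.res and d.proc != s.proc and d.t0 >= w.t1:
                        found.add((s.proc, d.proc, s.res, w.res))
    return sorted(found)
# Constructed sample log: the Figure 2 scenario (EHR read vs Lab write on
# AllergyIntolerance, CDS acting on the stale value) plus one write/write
# conflict and one mid-access permission revocation. S is empty unless given.
EVENTS = [
    Access("EHR", "AllergyIntolerance/1", "READ", 0.0, 2.0),
    Access("Lab", "AllergyIntolerance/1", "WRITE", 1.0, 3.0),      # overlaps EHR read
    Access("EHR", "MedicationRequest/7", "WRITE", 2.5, 3.5),       # EHR acts on stale value
    Access("Pharmacy", "MedicationRequest/7", "WRITE", 3.0, 4.0),  # overlaps EHR write
    Access("CDS", "MedicationRequest/7", "READ", 4.0, 4.5),        # consumes the stale chain
    Access("Device", "Patient/42", "READ", 5.0, 6.0),
]
REVOKED = {("Device", "Patient/42"): 5.5}  # revoked inside Device's [5.0, 6.0] window
def detect_all(events=EVENTS, revoked=REVOKED, sync=frozenset()):
    return {"SWC": detect_swc(events, sync), "TAV": detect_tav(events, revoked),
            "CUR": detect_cur(events)}
```

Passing `sync={"MedicationRequest/7"}` mimics the partial-ETag condition: the write/write conflict is filtered out while the TAV and CUR findings remain.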

If this is right

  • FHIR platforms can replace sequential-access assumptions with graph-based checks to catch simultaneous writes and authorization races before they affect patient data.
  • The three specified race classes become systematically enumerable in any set of concurrent resource access events.
  • Detection performance improves from 25.5% to 90% F1 under full concurrency, reducing the chance that race-induced inconsistencies reach clinical use.
  • Security analysis of HL7 FHIR systems now has a concrete method that does not treat concurrent access as inherently safe.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Production EHR and pharmacy systems could embed FRAG-style traversal in their audit pipelines to surface race risks during peak load periods.
  • The same graph construction might apply to other resource-sharing standards that lack explicit concurrency controls, such as certain device-to-EHR interfaces.
  • Hospitals auditing historical logs with FRAG could quantify how often authorization violations arise from timing gaps rather than malicious injection.

Load-bearing premise

The 1,500 synthetic FHIR R4 transaction logs capture the same concurrent access patterns and race condition frequencies that occur in real production healthcare systems.

What would settle it

Applying the three-pass FRAG traversal to real transaction logs from a live multi-system FHIR interoperability platform and comparing detected races against independently logged incidents or clinical outcome discrepancies would confirm or refute the detection claims.

Figures

Figures reproduced from arXiv: 2604.03043 by Gahangir Hossain, Jawad Mohammed.

Figure 1. Cyber threat landscape in FHIR-based healthcare interoperability. Multiple independent systems access shared patient resources concurrently with no synchronization protocol (S = ∅), giving rise to race condition classes SWC, TAV, and CUR. The problem of race condition is sixty years old. Dijk… (caption truncated at source; image not reproduced)
Figure 2. The FRAG for the motivating scenario. RC(p1, p2, r1) arises between EHR READ and Lab WRITE on AllergyIntolerance. CUR(p1, p2, p3) arises because CDS acts on EHR's stale read. S = ∅ throughout. (Diagram text: nodes EHR (p1), Lab (p2), CDS (p3) and resource AllergyIntolerance (r1); annotations "RC(p1, p2, r1): READ ∥ WRITE, S=∅ ⇒ Race detected" and "CUR(p1, p2, p3, r1, −): p3 reads stale p1 value ⇒ CUR detected"; image not reproduced)
Figure 3. The three healthcare race condition classes formally defined in FRAG: (a) Simultaneous Write Conflict (SWC) — two concurrent WRITE operations with no synchronization; (b) TOCTOU Authorization Violation (TAV) — permission revoked inside the vulnerability window; (c) Cascading Update Race (CUR) — a stale-read dependency chain of depth ≥ 2. (image not reproduced)
Figure 6. Per-class Precision, Recall, and F1 for FRAG under C2 (left) and C3 (right). Red × markers indicate corresponding Baseline F1 scores. Precision remains high under C3 while recall decreases due to ETag-protected write filtering. (image not reproduced)
Figure 5. F1 score comparison between conditions C2 and C3. Arrows and labels show the recall-driven F1 drop under partial ETag synchronization. Baseline performance remains flat across both conditions. (Bar chart: panels C2 "Concurrent, Unsynchronized" and C3; bars for SWC, TAV, CUR; axes Precision / Recall / F1, Score (%); values not reproduced)
Original abstract

In a healthcare environment, the healthcare interoperability platforms based on HL7 FHIR allow concurrent, asynchronous access to a set of shared patient resources, which are independent systems, i.e., EHR systems, pharmacy systems, lab systems, and devices. The FHIR specification lacks a protocol for concurrency control, and the research on detecting a race condition only targets the OS kernel. The research on FHIR security only targets authentication and injection attacks, considering concurrent access to patient resources to be sequential. The gap in the research in this area is addressed through the introduction of FHIR Resource Access Graph (FRAG), a formally defined graph G = (P, R, E, {λ}, {τ}, S), in which the nodes are the concurrent processes, the typed edges represent the resource access events, and the race conditions are represented as detectable structural properties. Three clinically relevant race condition classes are formally specified: Simultaneous Write Conflict (SWC), TOCTOU Authorization Violation (TAV), and Cascading Update Race (CUR). The FRAG model is implemented as a three-pass graph traversal detection algorithm and tested against a time window-based baseline on 1,500 synthetic FHIR R4 transaction logs. Under full concurrent access (C2), FRAG attains a 90.0% F1 score vs. 25.5% for the baseline, a 64.5 pp improvement.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper introduces the FHIR Resource Access Graph (FRAG), formally defined as G = (P,R,E, {λ}, {τ}, S), to model concurrent process accesses to shared FHIR resources in healthcare interoperability systems. It specifies three race condition classes—Simultaneous Write Conflict (SWC), TOCTOU Authorization Violation (TAV), and Cascading Update Race (CUR)—implements a three-pass graph traversal detection algorithm, and evaluates it on 1,500 synthetic FHIR R4 transaction logs, reporting 90.0% F1 under full concurrent access (C2) versus 25.5% for a time window-based baseline.

Significance. If the synthetic logs accurately represent real-world concurrent FHIR access patterns, the FRAG model could offer a significant formal contribution to detecting concurrency vulnerabilities in HL7 FHIR platforms, which currently lack concurrency control protocols and have seen research limited to authentication or sequential assumptions.

major comments (1)
  1. [Evaluation] The headline result (90.0% F1 under C2, 64.5 pp improvement over baseline) is obtained exclusively on 1,500 synthetic FHIR R4 transaction logs. The manuscript provides no description of the log generator, no parameter settings for reproducing realistic interleavings or timing jitter, and no validation against real concurrent traces from EHR or HIE systems. This is load-bearing for the central empirical claim, as the synthetic setup may systematically under-represent TOCTOU windows or cascading dependencies.
minor comments (1)
  1. [Model Definition] The graph notation G = (P,R,E, {λ}, {τ}, S) would benefit from an explicit early definition of the functions λ and τ in the model section to aid readability.

Simulated Author's Rebuttal

1 response · 1 unresolved

We thank the referee for the constructive feedback on our manuscript. The evaluation concerns are well-taken, and we address them point-by-point below while committing to revisions that strengthen reproducibility without overstating the current empirical scope.

Point-by-point responses
  1. Referee: [Evaluation] The headline result (90.0% F1 under C2, 64.5 pp improvement over baseline) is obtained exclusively on 1,500 synthetic FHIR R4 transaction logs. The manuscript provides no description of the log generator, no parameter settings for reproducing realistic interleavings or timing jitter, and no validation against real concurrent traces from EHR or HIE systems. This is load-bearing for the central empirical claim, as the synthetic setup may systematically under-represent TOCTOU windows or cascading dependencies.

    Authors: We agree that the absence of a detailed log generator description is an omission that must be corrected for reproducibility. In the revised manuscript we will insert a dedicated subsection (Section 4.2) that fully specifies the synthetic log generator: it uses a configurable number of concurrent processes (C1/C2 settings), draws access timestamps from a Poisson process with tunable jitter parameter, samples resource access sequences from FHIR R4 resource profiles, and injects labeled race-condition instances (SWC, TAV, CUR) according to the formal definitions in Section 3. All parameter values used to produce the 1,500 logs will be tabulated. This directly addresses the request for parameter settings and interleaving realism. On real-world validation, we acknowledge that the current results rest solely on synthetic data and that operational EHR/HIE traces would provide stronger external validity. Obtaining such traces is not feasible within the scope of this work because of institutional review board and HIPAA constraints; we will therefore add an explicit limitations paragraph and list real-trace validation as future work. The synthetic generator was constructed from the FHIR R4 specification and published interoperability use cases to cover the three race classes, but we do not claim it exhausts every possible production interleaving.

    revision: partial

standing simulated objections not resolved
  • Validation of the FRAG detector against real concurrent traces collected from production EHR or HIE systems, owing to privacy regulations and data-access restrictions.

Circularity Check

0 steps flagged

FRAG model derivation is self-contained with no circular reductions

Full rationale

The paper introduces the FRAG graph model G = (P,R,E, {λ}, {τ}, S) and formally specifies three race condition classes (SWC, TAV, CUR) as structural properties. The detection algorithm is a three-pass graph traversal derived directly from these definitions. Evaluation on 1,500 synthetic logs yields empirical F1 scores without any parameter fitting that would make the result tautological. No self-citations are invoked as load-bearing uniqueness theorems, and the synthetic data generation does not create a definitional loop with the model. The central claim remains an independent empirical demonstration rather than a self-referential construction.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 2 invented entities

The model rests on standard graph theory plus domain assumptions about FHIR resource access events; no free parameters are fitted in the abstract, and the three race classes are defined rather than discovered from data.

axioms (2)
  • domain assumption: Concurrent processes can be represented as nodes and typed resource access events as directed edges in a graph.
    Stated in the definition of G = (P, R, E, {λ}, {τ}, S)
  • domain assumption: Race conditions manifest as detectable structural properties in the access graph.
    Core modeling choice for the SWC, TAV, and CUR classes
invented entities (2)
  • FHIR Resource Access Graph (FRAG) (no independent evidence)
    purpose: Formal model to represent concurrent FHIR resource accesses and detect race conditions
    Newly defined graph with nodes as processes and typed edges as access events
  • Simultaneous Write Conflict (SWC), TOCTOU Authorization Violation (TAV), Cascading Update Race (CUR) (no independent evidence)
    purpose: Three clinically relevant race condition classes
    Formally specified structural properties in the graph


