

FHIR MCP Server (WSO2) — agentic threat model

AIVSS 7.4 · High

The FHIR MCP Server presents a high-risk profile due to its direct integration with highly regulated Protected Health Information (PHI). While mitigated by SMART-on-FHIR authentication, the potential for prompt injection to cause unauthorized data exfiltration or modification of patient records remains a critical concern.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.8 · AARS uplift 0.44 · Factor sum 3.5/10 · Threat ×1.05 · Mitigation ×0.8

Agentic risk factors (each scored 0.00–1.00):

Autonomy of Action        0.50
Goal-Driven Planning      0.20
Self-Modification         0.00
Dynamic Tool Use          0.80
Persistent Memory         0.10
Contextual Awareness      0.40
Dynamic Identity          0.70
Multi-Agent Interactions  0.20
Non-Determinism           0.30
Opacity & Reflexivity     0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
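To make the rationale above reproducible, here is an added worked example (not the AIVSS calculator's own code) that recomputes the score from the listing's inputs: CVSS base 8.8, the ten factor values, threat multiplier 1.05 and mitigation factor 0.8. It also reports how much of the AARS uplift each factor contributes, which is what a reviewer checks when deciding which capability to constrain first; the qualitative bands are assumed to follow the CVSS v3.x rating scale.

```python
"""Recompute the OWASP AIVSS score for the FHIR MCP Server (WSO2) listing.

AIVSS = (CVSS_Base + AARS) x Mitigation_Factor
AARS  = (10 - CVSS_Base) x (Factor_Sum / 10) x ThM
"""

# Factor values as given in the listing (constructed table, 0.0-1.0 each).
AGENTIC_FACTORS = {
    "Autonomy of Action": 0.50,
    "Goal-Driven Planning": 0.20,
    "Self-Modification": 0.00,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.10,
    "Contextual Awareness": 0.40,
    "Dynamic Identity": 0.70,
    "Multi-Agent Interactions": 0.20,
    "Non-Determinism": 0.30,
    "Opacity & Reflexivity": 0.30,
}


def aars(cvss_base: float, factors: dict, threat_multiplier: float) -> float:
    """Agentic uplift: the headroom left below 10 is scaled by the factor
    sum (out of a maximum of 10) and by the threat multiplier ThM."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must lie in [0, 10]")
    for name, value in factors.items():
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"factor {name!r} must lie in [0, 1]")
    return (10.0 - cvss_base) * (sum(factors.values()) / 10.0) * threat_multiplier


def aivss(cvss_base: float, factors: dict, threat_multiplier: float,
          mitigation_factor: float) -> float:
    """Final score, rounded to one decimal like the listing's headline 7.4."""
    uplift = aars(cvss_base, factors, threat_multiplier)
    return round((cvss_base + uplift) * mitigation_factor, 1)


def factor_contributions(cvss_base, factors, threat_multiplier) -> dict:
    """Share of the AARS uplift attributable to each factor, largest first.
    Each factor contributes headroom * (value / 10) * ThM independently."""
    per_factor = {name: (10.0 - cvss_base) * (value / 10.0) * threat_multiplier
                  for name, value in factors.items()}
    return dict(sorted(per_factor.items(), key=lambda kv: kv[1], reverse=True))


def severity(score: float) -> str:
    """Qualitative band; assumes the CVSS v3.x scale (Low/Medium/High/Critical)."""
    if score >= 9.0: return "Critical"
    if score >= 7.0: return "High"
    if score >= 4.0: return "Medium"
    return "Low" if score > 0.0 else "None"
```

Running `aivss(8.8, AGENTIC_FACTORS, 1.05, 0.8)` reproduces the listing's 7.4, and `factor_contributions` shows Dynamic Tool Use and Dynamic Identity supplying the largest shares of the 0.44 uplift.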

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” carry general, caveated commentary because the public description does not pin that layer down.

L1 · Foundation Models · ⚠ not certain from listing

Not certain from the listing — The listing does not specify the underlying LLM used to drive this MCP server. However, adversarial prompt injection could trick the driving model into executing unauthorized FHIR queries or exfiltrating PHI.

L2 · Data Operations · ✓ mapped

The agent handles highly regulated PHI via FHIR APIs. Critical threats include data exfiltration of patient records into the LLM context, lack of data lineage, and potential poisoning of healthcare records if write operations are permitted.

L3 · Agent Frameworks · ✓ mapped

As an MCP (Model Context Protocol) server, it integrates directly with agent frameworks. Risks include insecure tool integration, where an LLM misinterprets user intent and invokes destructive FHIR API calls (e.g., deleting or altering patient records).

L4 · Deployment & Infrastructure · ⚠ not certain from listing

Not certain from the listing — The hosting environment for this WSO2 MCP server is unspecified. If deployed insecurely, threats include container compromise, exposed API endpoints, and credential theft of SMART-on-FHIR client secrets.

L5 · Evaluation & Observability · ⚠ not certain from listing

Not certain from the listing — No built-in evaluation, guardrails, or logging mechanisms are detailed. Gaps in observability could allow silent data exfiltration or unauthorized API abuse to go undetected.

L6 · Security & Compliance (cross-cutting) · ✓ mapped

Employs SMART-on-FHIR authentication for access control. Compliance with HIPAA, HITECH, and GDPR is critical; improper scoping of OAuth tokens or lack of audit logging for LLM-initiated actions poses severe compliance risks.

L7 · Agent Ecosystem · ⚠ not certain from listing

Not certain from the listing — While designed as an MCP tool, its interaction in a multi-agent ecosystem is undefined. A compromised secondary agent could exploit this tool to gain unauthorized access to the FHIR data layer.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).