The ABDM external surface has specific expectations
The Ayushman Bharat Digital Mission (ABDM) ecosystem — including the Health Information Exchange and Consent Manager (HIE-CM), the Health Claims Exchange, and the Unified Health Interface — imposes stricter expectations on integrator operators than any individual NDHM “security policy” document states in isolation.
In practice, an ABDM integrator that has gone through ABDM Sandbox testing will be asked about:
- HIE-CM §7.2 – §7.5 — Consent artefact handling. Consent IDs must not appear in logs, URLs, or responses where they can be captured. Historical URL archives are the single largest source of unintentional consent-ID leaks.
- HIE-CM §7.3 — FHIR metadata exposure. The FHIR `CapabilityStatement` at `/fhir/metadata` is frequently served unauthenticated. The FHIR specification expects that endpoint to be reachable, but in practice it commonly over-shares: it advertises resource types the integration never intends to expose and OAuth endpoints that point at pre-production issuers.
- HIE-CM §9.1 — Gateway boundary hygiene. The ABDM gateway (the `/v0.5/*` endpoints) should sit behind its own hostname with a dedicated TLS certificate, not under a wildcard certificate shared with marketing assets.
- HIE-CM §10 — Incident response. The presence of `/.well-known/security.txt` is the minimum table-stakes signal that an integrator has an incident channel. Its absence is noted in every ABDM review we have seen.
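One way to run the §7.2 historical URL and log review for consent-ID patterns, shown here as an added example rather than Dhara's own tooling. It assumes that ABDM consent request and artefact IDs are UUIDs (labelled as an assumption in the code), uses constructed archive URLs and log lines as input, and uses a placeholder key for the keyed-hash redaction that keeps log lines correlatable after the real ID is removed.

```python
import hashlib
import re
from dataclasses import dataclass

# Assumption: ABDM consent request / artefact IDs are UUIDs. Tighten this
# pattern if your integration uses a different identifier format.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b",
    re.IGNORECASE,
)
# Only UUIDs that travel in a consent-related context count as consent-ID exposures;
# a bare request ID on a /v0.5 gateway call is not one.
CONSENT_CONTEXT_RE = re.compile(r"consent", re.IGNORECASE)

# Placeholder key for the keyed hash that keeps redacted log lines correlatable.
# In production this comes from a secret store, never from source.
REDACTION_KEY = b"example-only-redaction-key"


@dataclass
class Exposure:
    source: str       # where the line came from ("archive", "log", ...)
    line_no: int
    channel: str      # "url-path", "url-query" or "log-field"
    consent_id: str


def _channel(line: str, start: int) -> str:
    """Classify how the ID travels from the whitespace-delimited token it sits in."""
    token_start = line.rfind(" ", 0, start) + 1
    token = line[token_start:start]
    if "?" in token:
        return "url-query"
    if token.endswith("/"):
        return "url-path"
    return "log-field"


def scan(lines, source: str) -> list[Exposure]:
    """Return every consent-ID-looking value found in lines, with its channel."""
    found = []
    for n, line in enumerate(lines, start=1):
        if not CONSENT_CONTEXT_RE.search(line):
            continue
        for m in UUID_RE.finditer(line):
            found.append(Exposure(source, n, _channel(line, m.start()), m.group(0)))
    return found


def redact(line: str) -> str:
    """Replace consent IDs with a short keyed hash: correlatable, not recoverable."""
    if not CONSENT_CONTEXT_RE.search(line):
        return line

    def _token(m: re.Match) -> str:
        digest = hashlib.blake2b(m.group(0).lower().encode(), key=REDACTION_KEY, digest_size=6)
        return "consent:" + digest.hexdigest()

    return UUID_RE.sub(_token, line)


# Constructed sample input (not real archive data or logs); hostnames are placeholders.
SAMPLE_ARCHIVE_URLS = [
    "https://portal.example-hip.in/consent-history/3fa85f64-5717-4562-b3fc-2c963f66afa6",
    "https://portal.example-hip.in/consents?consentId=9b2e4c0a-1d3f-4a7b-8e5c-6f1a2b3c4d5e&view=pdf",
    "https://portal.example-hip.in/about-us",
]
SAMPLE_LOG_LINES = [
    "2024-05-02T10:14:07Z INFO consent fetched consentId=7c9e6679-7425-40de-944b-e07fc1f90ae7 status=GRANTED",
    "2024-05-02T10:14:09Z INFO gateway call requestId=1b4e28ba-2fa1-11d2-883f-0016d3cca427 path=/v0.5/patients/on-find",
]

if __name__ == "__main__":
    for e in scan(SAMPLE_ARCHIVE_URLS, "archive") + scan(SAMPLE_LOG_LINES, "log"):
        print(f"{e.source}:{e.line_no} {e.channel} {e.consent_id}")
    for line in SAMPLE_LOG_LINES:
        print(redact(line))
```

The channel matters for remediation: a URL-path exposure is fixed by moving the ID out of the path (and purging archives), a query exposure by moving it into the request body or a POST, and a log-field exposure by applying the keyed-hash redaction at the logging layer so that support staff can still correlate events without seeing the artefact ID.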
What Dhara checks, mapped to ABDM HIE-CM
| Control | Passive check | Example finding |
|---|---|---|
| HIE-CM §4 | FHIR R4 / HIE-CM protocol version fingerprint | CapabilityStatement advertises HIE-CM v1.4 |
| HIE-CM §7.2 | Historical URL review for consent-ID patterns | Archived /consent-history pages with unredacted IDs |
| HIE-CM §7.3 | Anonymous FHIR metadata exposure check | /fhir/metadata exposing AuditEvent resource |
| HIE-CM §7.4 | OAuth issuer hostname posture | OAuth issuer claim points to sandbox.* |
| HIE-CM §9.1 | ABDM gateway hostname / certificate separation | Gateway shares wildcard with marketing site |
| HIE-CM §10 | Responsible-disclosure signal present | No security.txt at .well-known |
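The §9.1 gateway hostname and certificate separation check from the bullet list and the table above, written out as an added example (not Dhara's own check). The certificates and hostnames are constructed placeholders in the dict shape that `ssl.SSLSocket.getpeercert()` returns; `fetch_peer_cert` is the live hook for a real host and is not exercised offline.

```python
import socket
import ssl


def fetch_peer_cert(host: str, port: int = 443) -> dict:
    """Live hook: fetch the leaf certificate a host presents, as ssl.getpeercert() returns it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _san_matches_host(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: '*' is honoured only as the entire leftmost label
    and matches exactly one label, so *.example.in covers api.example.in but not
    a.b.example.in, and a public-suffix wildcard such as *.in covers nothing."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covering_sans(cert: dict, host: str) -> list[str]:
    """DNS SAN entries in cert that cover host."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS" and _san_matches_host(v, host)]


def classify_gateway_cert(cert: dict, gateway_host: str, other_hosts) -> tuple[str, dict]:
    """'uncovered' if the cert does not match the gateway host at all; 'shared' if the
    same cert also covers any of other_hosts (typically via a wildcard); else 'dedicated'.
    The dict lists, per shared host, the SAN entries that cover it."""
    if not covering_sans(cert, gateway_host):
        return "uncovered", {}
    overlap = {h: covering_sans(cert, h) for h in other_hosts}
    overlap = {h: sans for h, sans in overlap.items() if sans}
    return ("shared" if overlap else "dedicated"), overlap


# Constructed certificates and placeholder hostnames, not a real integrator.
GATEWAY_HOST = "abdm-gateway.example-hip.in"
MARKETING_HOSTS = ["www.example-hip.in", "blog.example-hip.in"]

SHARED_WILDCARD_CERT = {
    "subject": ((("commonName", "*.example-hip.in"),),),
    "subjectAltName": (("DNS", "*.example-hip.in"), ("DNS", "example-hip.in")),
}
DEDICATED_CERT = {
    "subject": ((("commonName", GATEWAY_HOST),),),
    "subjectAltName": (("DNS", GATEWAY_HOST),),
}

if __name__ == "__main__":
    for name, cert in [("shared wildcard", SHARED_WILDCARD_CERT), ("dedicated", DEDICATED_CERT)]:
        print(name, classify_gateway_cert(cert, GATEWAY_HOST, MARKETING_HOSTS))
```

The "shared" verdict is the finding in the table: one private key serving both the ABDM gateway and the marketing site means a compromise of the marketing host's key material can impersonate the gateway, and a certificate rotation forced by one side disrupts the other.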
Sample ABDM finding
FHIR CapabilityStatement advertises unintended resources and a pre-production OAuth issuer
Anonymous GET on the metadata endpoint returns the server CapabilityStatement, including resource types the application does not intend to expose (AuditEvent, Consent) and OAuth endpoints pointing to a pre-production issuer.
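The §7.3 / §7.4 metadata check behind this finding, as an added example that is not Dhara's code. It parses a constructed `CapabilityStatement` (all hostnames are placeholders), lists the resource types the server advertises beyond what the application intends to expose, and flags OAuth endpoints whose host is not a known production issuer. The OAuth endpoints are read from the standard SMART App Launch `oauth-uris` extension, which is where a SMART-conformant server advertises them; `fetch_capability_statement` is the live, unauthenticated GET and is not exercised offline.

```python
import json
import re
import urllib.request
from urllib.parse import urlparse

# Standard SMART App Launch extension under which a server advertises its OAuth endpoints.
SMART_OAUTH_URIS = "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris"
# Hostname labels that mark an issuer as pre-production; extend for local naming conventions.
PREPROD_LABEL_RE = re.compile(r"(^|[.-])(sandbox|staging|stage|dev|test|uat|preprod)([.-]|$)", re.I)


def fetch_capability_statement(fhir_base_url: str, timeout: int = 10) -> dict:
    """Live hook: anonymous GET on <base>/metadata, exactly as the passive check does it."""
    req = urllib.request.Request(
        fhir_base_url.rstrip("/") + "/metadata",
        headers={"Accept": "application/fhir+json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def advertised_resources(cap: dict) -> set[str]:
    """Every resource type the server says it serves, across all rest[] entries."""
    return {r["type"] for rest in cap.get("rest", []) for r in rest.get("resource", [])}


def oauth_endpoints(cap: dict) -> list[tuple[str, str]]:
    """(name, uri) pairs from the SMART oauth-uris extension, e.g. ('token', 'https://...')."""
    found = []
    for rest in cap.get("rest", []):
        for ext in rest.get("security", {}).get("extension", []):
            if ext.get("url") != SMART_OAUTH_URIS:
                continue
            for sub in ext.get("extension", []):
                if "valueUri" in sub:
                    found.append((sub.get("url", "?"), sub["valueUri"]))
    return found


def analyze(cap: dict, intended_resources, production_issuer_hosts) -> list[tuple[str, str]]:
    """Findings as (kind, detail): resources the application never meant to expose,
    and OAuth endpoints whose host is not a known production issuer."""
    findings = []
    for rtype in sorted(advertised_resources(cap) - set(intended_resources)):
        findings.append(("unintended-resource", rtype))
    allowed = {h.lower() for h in production_issuer_hosts}
    for name, uri in oauth_endpoints(cap):
        host = (urlparse(uri).hostname or "").lower()
        if host in allowed:
            continue
        why = ("pre-production label in hostname" if PREPROD_LABEL_RE.search(host)
               else "host not on production issuer allowlist")
        findings.append(("non-production-oauth-endpoint", f"{name}: {uri} ({why})"))
    return findings


# Constructed CapabilityStatement standing in for an anonymous /fhir/metadata response;
# all hostnames are placeholders.
SAMPLE_CAPABILITY_STATEMENT = {
    "resourceType": "CapabilityStatement",
    "status": "active",
    "fhirVersion": "4.0.1",
    "software": {"name": "example-hip-fhir", "version": "2.3.0"},
    "rest": [{
        "mode": "server",
        "security": {
            "extension": [{
                "url": SMART_OAUTH_URIS,
                "extension": [
                    {"url": "authorize", "valueUri": "https://sandbox-auth.example-hip.in/oauth2/authorize"},
                    {"url": "token", "valueUri": "https://sandbox-auth.example-hip.in/oauth2/token"},
                ],
            }],
        },
        "resource": [{"type": t} for t in ["Patient", "DocumentReference", "Bundle", "AuditEvent", "Consent"]],
    }],
}
INTENDED_RESOURCES = {"Patient", "DocumentReference", "Bundle"}
PRODUCTION_ISSUER_HOSTS = {"auth.example-hip.in"}

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_CAPABILITY_STATEMENT, INTENDED_RESOURCES, PRODUCTION_ISSUER_HOSTS):
        print(f"{kind}: {detail}")
```

The allowlist of production issuer hosts is the part worth keeping accurate: a label-based heuristic alone misses a pre-production issuer that was simply named differently, while the allowlist catches any issuer the integrator did not deliberately put into production.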
Why ABDM integrators commission this report
The ABDM programme is young enough that most integrators have not yet had an external attack surface assessment performed by a firm that understands both the HIE-CM specification and the conventional HIPAA external control map. Dhara reports are usable in both conversations: submitting to the ABDM sandbox review team and reassuring a downstream hospital partner running their own HIPAA-flavoured vendor review.