Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Challenges for Protecting the Privacy of Health Information: Required Certification Can Leave Common Vulnerabilities Undetected Ben Smith, Andrew Austin,

Published byMyra Daniels Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Challenges for Protecting the Privacy of Health Information: Required Certification Can Leave Common Vulnerabilities Undetected Ben Smith, Andrew Austin,"— Presentation transcript:

1 1 Challenges for Protecting the Privacy of Health Information: Required Certification Can Leave Common Vulnerabilities Undetected Ben Smith, Andrew Austin, Matt Brown, Jason King, Jerrod Lankford, Andrew Meneely, Laurie Williams

2 2

3 Risks and Assets Medical Records –STDs, psych history, anti-depressants Service –Inaccessibility can mean patient death Identity and Financial Information –What’s in your wallet? Authenticity and Audit Trail –Doctor fakes a test result, Insider Threats Legal Fees –Lawsuits cost more than a good EHR 3

4 Research Questions How do market-ready EHRs perform in an attack scenario? What can attackers achieve by exploiting security weaknesses in existing EHRs? EHR: Electronic Health Record System 4

5 Agenda Method EHR Certification Processes Results –Implementation Bugs –Design Flaws Recommendations 5

6 EHR Certification Dominant certification bodies in the US (approved by ONC): –Certification Commission for Healthcare Information Technology (CCHIT) –National Institute of Standards and Technology (NIST). CCHIT Criteria –286 Functional Criteria, 213 Test Scripts (manual) –46 Security Criteria, 112 Test Scripts. –Security consists of encryption, hashing, passwords. 6

7 EHR Certification (2) NIST Criteria –Similar to CCHIT certification –36 Test Scripts –Security test scripts focus on passwords and hashing. –One exception: VE170.302.t-1.05: “The tester shall perform an action not authorized by the assigned permissions.” 7

8 Method Created attack team from the first six authors Worked in a distributed fashion Held meetings to attack in parallel Used knowledge of software security Two test servers, one for each EHR: contained demo data (no broken laws) One auxiliary server to assist in attacks 8

9 Method: Target EHRs OpenEMRProprietaryMed LicenseGPLProprietary Popularity1168 downloads/mo21,000 patient records Size (SLOC/Files)305,000 / 1,600120,000 / 900 Version3.2 (2/16/2010)1.0 (3/31/2010) Contributing Developers1812 PlatformPHPASP.NET 9

10 Security Issue Categories Gary McGraw: Building Security In Implementation Bugs –Not indicated in design –Developer mistake –Code-level Design Flaws –Happened at the design stage –High-level functionality that is risky –Functionality itself is vulnerable 10

11 OpenEMR: SQL Injection 11

12 Both EHRs: Cross-site Scripting 12

13 Design Flaws In OpenEMR, the administrator can read or change another user’s password. In ProprietaryMed, there is no logging of any transaction. In ProprietaryMed, there is no authorization control on patient records. 13

14 OpenEMR: phpMyAdmin 14

15 Summary CCHIT and NIST would be ineffective and detecting any of the exploits or design flaws demonstrated in this paper. Security is a crucial aspect of healthcare IT due to HIPAA, and the cost of exploits. Passwords, hashing, encryption are important, but is insufficient! 15

16 Recommendations Uncover implementation bugs by executing attacks from a list such as CWE/SANS Top 25, simulate attacker behavior. Execute attacks on every component of the system, get some sense of coverage. Examine design flaws as well as implementation bugs. 16

17 Security as Entry Criteria Currently, docs see “certified” and they assume EHR is secure. Certification is not the best way to ensure the security of a system (security by checklist) Regardless, security testing should be conducted before and as a prerequisite to functional testing for EHRs. 17

18 Thank you! Any questions? Healthcare Wiki: http://realsearchgroup.com/healthcare 18

Download ppt "1 Challenges for Protecting the Privacy of Health Information: Required Certification Can Leave Common Vulnerabilities Undetected Ben Smith, Andrew Austin,"

Similar presentations

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.

NISTs Role in Securing Health Information AMA-IEEE Medical Technology Conference on Individualized Healthcare Kevin Stine, Information Security Specialist.
IT Security Policy Framework

IT Security Policy Framework
Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.

Database Security Policies and Procedures and Implementation for the Disaster Management Communication System Presented By: Radostina Georgieva Master.
Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server 2008. Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),

Notes: Update as of 1/13/2010. Vulnerabilities are included for SQL Server 2000, SQL Server 2005, SQL Server Oracle (8i, 9i, 9iR2, 10g, 10gR2,11g),
Protection of Information Assets I. Joko Dewanto 1.

Protection of Information Assets I. Joko Dewanto 1.
HIPAA, Computer Security, and Domino/Notes Chuck Connell, www.chc-3.comwww.chc-3.com.

HIPAA, Computer Security, and Domino/Notes Chuck Connell,
Westbrook Technologies from Document Management’s Role in HIPAA.

Westbrook Technologies from Document Management’s Role in HIPAA.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.

1 HIT Standards Committee Privacy and Security Workgroup: Recommendations Dixie Baker, SAIC Steven Findlay, Consumers Union August 20, 2009.
Security Controls – What Works

Security Controls – What Works
Module 2 Segregation of Duties Case Study Individual Assignment

Module 2 Segregation of Duties Case Study Individual Assignment
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.

1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.

User Authentication Recommendations Transport & Security Standards Workgroup December 10, 2014.
© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Chapter 3 Introduction and Setup.

© 2013 The McGraw-Hill Companies, Inc. All rights reserved. Chapter 3 Introduction and Setup.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
Chapter 7 Database Auditing Models

Chapter 7 Database Auditing Models
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
Securing Information Systems

Securing Information Systems

Similar presentations

Ads by Google