Challenges for Protecting the Privacy of Health Information: Required Certification Can Leave Common Vulnerabilities Undetected. Ben Smith, Andrew Austin, Matt Brown, Jason King, Jerrod Lankford, Andrew Meneely, Laurie Williams
Slide 1: Challenges for Protecting the Privacy of Health Information: Required Certification Can Leave Common Vulnerabilities Undetected
Ben Smith, Andrew Austin, Matt Brown, Jason King, Jerrod Lankford, Andrew Meneely, Laurie Williams


Slide 3: Risks and Assets
- Medical records: STDs, psychiatric history, anti-depressants
- Service: inaccessibility can mean patient death
- Identity and financial information: what's in your wallet?
- Authenticity and audit trail: a doctor fakes a test result; insider threats
- Legal fees: lawsuits cost more than a good EHR

Slide 4: Research Questions
- How do market-ready EHRs perform in an attack scenario?
- What can attackers achieve by exploiting security weaknesses in existing EHRs?
(EHR: Electronic Health Record system)

Slide 5: Agenda
- Method
- EHR certification processes
- Results: implementation bugs; design flaws
- Recommendations

Slide 6: EHR Certification
Dominant certification bodies in the US (approved by ONC):
- Certification Commission for Healthcare Information Technology (CCHIT)
- National Institute of Standards and Technology (NIST)
CCHIT criteria:
- 286 functional criteria, 213 test scripts (manual)
- 46 security criteria, 112 test scripts
- Security consists of encryption, hashing, passwords

Slide 7: EHR Certification (2)
NIST criteria:
- Similar to CCHIT certification
- 36 test scripts
- Security test scripts focus on passwords and hashing
- One exception, VE t-1.05: "The tester shall perform an action not authorized by the assigned permissions."

Slide 8: Method
- Created an attack team from the first six authors
- Worked in a distributed fashion
- Held meetings to attack in parallel
- Used knowledge of software security
- Two test servers, one for each EHR, containing demo data (no laws broken)
- One auxiliary server to assist in attacks

Slide 9: Method: Target EHRs
                         OpenEMR               ProprietaryMed
License:                 GPL                   Proprietary
Popularity:              1168 downloads/mo     21,000 patient records
Size (SLOC / Files):     305,000 / 1,600       120,000 / 900
Version:                 3.2 (2/16/2010)       1.0 (3/31/2010)
Contributing Developers: 18                    12
Platform:                PHP                   ASP.NET

Slide 10: Security Issue Categories (Gary McGraw, Building Security In)
Implementation bugs:
- Not indicated in the design
- Developer mistake
- Code-level
Design flaws:
- Happened at the design stage
- High-level functionality that is risky
- The functionality itself is vulnerable

Slide 11: OpenEMR: SQL Injection

Slide 12: Both EHRs: Cross-site Scripting

Slide 13: Design Flaws
- In OpenEMR, the administrator can read or change another user's password.
- In ProprietaryMed, there is no logging of any transaction.
- In ProprietaryMed, there is no authorization control on patient records.
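The three weaknesses named on slides 11 through 13 (a SQL query assembled from user input, patient records served without an authorization check, and no transaction log) are small to fix individually but easy to miss when certification tests only passwords and hashing. The following is an added illustration, not code from OpenEMR, ProprietaryMed or the authors: a toy patient-record service in Python with a constructed SQLite schema, showing the flawed lookup beside a hardened one that parameterizes the query, checks that the requesting clinician is assigned to the patient, and writes an audit entry for every attempt, denied ones included. It also escapes patient-supplied text before rendering it, which is the mitigation for the cross-site scripting on slide 12. All names, table columns and sample rows are invented for the example.

```python
"""Toy patient-record service: flawed lookup beside a hardened one.

Constructed example; the schema, clinicians and patients below are invented
and nothing here is OpenEMR or ProprietaryMed code.
"""
import html
import sqlite3
from datetime import datetime, timezone


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database: two clinicians, three patients, an audit table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (
            id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT, clinician TEXT);
        CREATE TABLE audit_log (
            ts TEXT, actor TEXT, action TEXT, patient_id INTEGER, outcome TEXT);
        INSERT INTO patients VALUES (1, 'Alice Example', 'hypertension', 'dr_adams');
        INSERT INTO patients VALUES (2, 'Bob <Sample>', 'depression', 'dr_baker');
        INSERT INTO patients VALUES (3, 'Carol Test', 'asthma', 'dr_adams');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, patient_name: str) -> list:
    """The flawed pattern: query text built by string interpolation (slide 11),
    no check of who is asking (slide 13), and no record that the lookup happened
    (slide 13). Kept only to contrast with lookup_hardened."""
    sql = f"SELECT id, name, diagnosis FROM patients WHERE name = '{patient_name}'"
    return conn.execute(sql).fetchall()


class AccessDenied(Exception):
    """Raised when the requesting clinician is not assigned to the patient."""


def lookup_hardened(conn: sqlite3.Connection, actor: str, patient_id: int) -> dict:
    """Parameterized query, per-record authorization, and an audit entry for
    every attempt, whether it is allowed or denied."""
    row = conn.execute(
        "SELECT id, name, diagnosis, clinician FROM patients WHERE id = ?",
        (patient_id,),
    ).fetchone()
    # Authorization rule for this toy: only the assigned clinician may read.
    allowed = row is not None and row[3] == actor
    conn.execute(
        "INSERT INTO audit_log VALUES (?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), actor, "read", patient_id,
         "allowed" if allowed else "denied"),
    )
    conn.commit()
    if not allowed:
        raise AccessDenied(f"{actor} may not read patient {patient_id}")
    return {"id": row[0], "name": row[1], "diagnosis": row[2]}


def render_summary(record: dict) -> str:
    """Escape stored text before placing it in HTML so a patient name containing
    markup is displayed literally rather than interpreted (slide 12)."""
    return f"<p>{html.escape(record['name'])}: {html.escape(record['diagnosis'])}</p>"


def audit_entries(conn: sqlite3.Connection) -> list:
    """Return the audit trail without timestamps so results are deterministic."""
    return conn.execute(
        "SELECT actor, action, patient_id, outcome FROM audit_log").fetchall()


def demo() -> dict:
    """Run both paths on the constructed data and collect the observable results."""
    conn = make_db()
    # Constructed tautology input: the flawed path returns every patient row.
    leaked = lookup_vulnerable(conn, "x' OR '1'='1")
    # Hardened path: dr_baker may read patient 2 but not patient 1; both are logged.
    record = lookup_hardened(conn, "dr_baker", 2)
    try:
        lookup_hardened(conn, "dr_baker", 1)
        denied = False
    except AccessDenied:
        denied = True
    return {
        "leaked_rows": len(leaked),
        "summary": render_summary(record),
        "denied": denied,
        "audit": audit_entries(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit row for the denied attempt is the part a certification test script most plausibly exercises (compare NIST VE t-1.05 on slide 7): an unauthorized action should both fail and leave a trace, and a system with no transaction log cannot satisfy the second half.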

Slide 14: OpenEMR: phpMyAdmin

Slide 15: Summary
- CCHIT and NIST certification would be ineffective at detecting any of the exploits or design flaws demonstrated in this paper.
- Security is a crucial aspect of healthcare IT because of HIPAA and the cost of exploits.
- Passwords, hashing and encryption are important, but they are insufficient!

Slide 16: Recommendations
- Uncover implementation bugs by executing attacks from a list such as the CWE/SANS Top 25, simulating attacker behavior.
- Execute attacks on every component of the system to get some sense of coverage.
- Examine design flaws as well as implementation bugs.

Slide 17: Security as Entry Criteria
- Currently, doctors see "certified" and assume the EHR is secure.
- Certification is not the best way to ensure the security of a system (security by checklist).
- Regardless, security testing should be conducted before, and as a prerequisite to, functional testing for EHRs.

Slide 18: Thank you! Any questions? Healthcare Wiki: