1 challenges for protecting the privacy of health information: required certification can leave...
TRANSCRIPT
1
Challenges for Protecting the Privacy of Health Information: Required Certification
Can Leave Common Vulnerabilities Undetected
Ben Smith, Andrew Austin, Matt Brown, Jason King, Jerrod Lankford, Andrew Meneely, Laurie Williams
2
Risks and Assets
• Medical Records– STDs, psych history, anti-depressants
• Service– Inaccessibility can mean patient death
• Identity and Financial Information– What’s in your wallet?
• Authenticity and Audit Trail– Doctor fakes a test result, Insider Threats
• Legal Fees– Lawsuits cost more than a good EHR
3
Research Questions
• How do market-ready EHRs perform in an attack scenario?
• What can attackers achieve by exploiting security weaknesses in existing EHRs?
EHR: Electronic Health Record System
4
Agenda
• Method
• EHR Certification Processes
• Results– Implementation Bugs– Design Flaws
• Recommendations
5
EHR Certification
• Dominant certification bodies in the US (approved by ONC):– Certification Commission for Healthcare
Information Technology (CCHIT) – National Institute of Standards and Technology
(NIST).• CCHIT Criteria
– 286 Functional Criteria, 213 Test Scripts (manual)– 46 Security Criteria, 112 Test Scripts.– Security consists of encryption, hashing,
passwords.
6
EHR Certification (2)
• NIST Criteria– Similar to CCHIT certification– 36 Test Scripts– Security test scripts focus on passwords and
hashing.– One exception: VE170.302.t-1.05:
“The tester shall perform an action not authorized by the assigned permissions.”
7
Method
• Created attack team from the first six authors
• Worked in a distributed fashion
• Held meetings to attack in parallel
• Used knowledge of software security
• Two test servers, one for each EHR: contained demo data (no broken laws)
• One auxiliary server to assist in attacks
8
Method: Target EHRs
OpenEMR ProprietaryMed
License GPL Proprietary
Popularity 1168 downloads/mo 21,000 patient records
Size (SLOC/Files) 305,000 / 1,600 120,000 / 900
Version 3.2 (2/16/2010) 1.0 (3/31/2010)
Contributing Developers 18 12
Platform PHP ASP.NET
9
Security Issue Categories
• Gary McGraw: Building Security In• Implementation Bugs
– Not indicated in design– Developer mistake– Code-level
• Design Flaws– Happened at the design stage– High-level functionality that is risky– Functionality itself is vulnerable
10
OpenEMR: SQL Injection
11
Both EHRs: Cross-site Scripting
12
Design Flaws
• In OpenEMR, the administrator can read or change another user’s password.
• In ProprietaryMed, there is no logging of any transaction.
• In ProprietaryMed, there is no authorization control on patient records.
13
OpenEMR: phpMyAdmin
14
Summary
• CCHIT and NIST would be ineffective and detecting any of the exploits or design flaws demonstrated in this paper.
• Security is a crucial aspect of healthcare IT due to HIPAA, and the cost of exploits.
• Passwords, hashing, encryption are important, but is insufficient!
15
Recommendations
• Uncover implementation bugs by executing attacks from a list such as CWE/SANS Top 25, simulate attacker behavior.
• Execute attacks on every component of the system, get some sense of coverage.
• Examine design flaws as well as implementation bugs.
16
Security as Entry Criteria
• Currently, docs see “certified” and they assume EHR is secure.
• Certification is not the best way to ensure the security of a system (security by checklist)
• Regardless, security testing should be conducted before and as a prerequisite to functional testing for EHRs.
17
Thank you!
• Any questions?
• Healthcare Wiki:
http://realsearchgroup.com/healthcare
18