Challenges for protecting the privacy of health information: required certification can leave common vulnerabilities undetected

The use of electronic health record (EHR) systems by medical professionals enables the electronic exchange of patient data, yielding benefits in cost and quality of care. The United States American Recovery and Reinvestment Act (ARRA) of 2009 provides up to $34 billion for meaningful use of certified EHR systems. But will these certified EHR systems provide the infrastructure for secure patient data exchange? As a window into the ability of current and emerging certification criteria to expose security vulnerabilities, we performed exploratory security analysis on a proprietary and an open source EHR. We were able to exploit a range of common code-level and design-level vulnerabilities. These common vulnerabilities would have remained undetected by the 2011 security certification test scripts from the Certification Commission for Health Information Technology, the most widely used certification process for EHR systems. The consequences of these exploits included, but were not limited to: exposing all users' login information, the ability of any user to view or edit health records for any patient, and creating a denial of service for all users. Based upon our results, we suggest that an enhanced set of security test scripts be used as entry criteria to the EHR certification process. Before certification bodies spend the time to certify that an EHR application is functionally complete, they should have confidence that the software system meets a basic level of security competence.
