Challenges for protecting the privacy of health information: required certification can leave common vulnerabilities undetected

Authors:
Ben Smith;Andrew Austin;Matt Brown;Jason T. King;Jerrod Lankford;Andrew Meneely;Laurie Williams
Affiliations:
North Carolina State University, Raleigh, NC, USA;North Carolina State University, Raleigh, NC, USA;North Carolina State University, Raleigh, NC, USA;North Carolina State University, Raleigh, NC, USA;North Carolina State University, Raleigh, NC, USA;North Carolina State University, Raleigh, NC, USA;North Carolina State University, Raleigh, NC, USA
Venue:
Proceedings of the second annual workshop on Security and privacy in medical and home-care systems
Year:
2010

Citing 10
Cited 1

Writing Effective Use Cases

Writing Effective Use Cases
Software Security Testing

IEEE Security and Privacy
Eliciting security requirements with misuse cases

Requirements Engineering
AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks

Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering
Software Security: Building Security In

Software Security: Building Security In
Social phishing

Communications of the ACM
Static detection of cross-site scripting vulnerabilities

Proceedings of the 30th international conference on Software engineering
Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Security by Checklist

IEEE Security and Privacy
Towards improved security criteria for certification of electronic health record systems

Proceedings of the 2010 ICSE Workshop on Software Engineering in Health Care

Protecting web-based patient portal for the security and privacy of electronic medical records

HealthSec'12 Proceedings of the 3rd USENIX conference on Health Security and Privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

The use of electronic health record (EHR) systems by medical professionals enables the electronic exchange of patient data, yielding cost and quality of care benefits. The United States American Recovery and Reinvestment Act (ARRA) of 2009 provides up to $34 billion for meaningful use of certified EHR systems. But, will these certified EHR systems provide the infrastructure for secure patient data exchange? As a window into the ability of current and emerging certification criteria to expose security vulnerabilities, we performed exploratory security analysis on a proprietary and an open source EHR. We were able to exploit a range of common code-level and design-level vulnerabilities. These common vulnerabilities would have remained undetected by the 2011 security certification test scripts from the Certification Commission for Health Information Technology, the most widely used certification process for EHR systems. The consequences of these exploits included, but were not limited to: exposing all users' login information, the ability of any user to view or edit health records for any patient, and creating a denial of service for all users. Based upon our results, we suggest that an enhanced set of security test scripts be used as entry criteria to the EHR certification process. Before certification bodies spend the time to certify that an EHR application is functionally complete, they should have confidence that the software system meets a basic level of security competence.