AUDITING WEB SERVERS
FOR HIPAA COMPLIANCE
HIPAA § 164.312(a)(1)
Agenda
I.      Overview of HIPAA
II.     In-depth Analysis of Section 164.312(a)(1)
III.    Introduction to Testbed
IV.     Auditing Procedures
V.      Testbed Demonstration
VI.     Making the Testbed Compliant
VII.    Summary
VIII.   Lessons Learned
IX.     References
Copyright 2008 Eric Goldman - http://www.ericgoldman.name
HIPAA
The Health Insurance Portability & Accountability Act
US Federal Law, Enacted 1996
Overview of HIPAA
   Enacted to create a national standard for
    protecting patients’ private health information
   Requires healthcare entities that use electronic
    processing to comply with standard forms & codes
   Requires the implementation of new safeguards to
    protect stored information and medical records
   Compliance is enforced by auditing and heavy
    penalties can be levied for non-compliance
Section 164.312(a)(1)
   HIPAA is a comprehensive law which affects both technical and non-technical aspects of healthcare
   The HIPAA Security Rule groups its safeguards into three sections: Administrative, Physical, & Technical Safeguards
   Section 164.312(a)(1) is a technical safeguard which deals with access control; the standard itself is required (of its implementation specifications in 164.312(a)(2), unique user identification and emergency access procedure are required, automatic logoff and encryption are addressable)
Section 164.312(a)(1)
The Policy Statement for this section is as follows:

Standard: Access control. Implement technical policies
  and procedures for electronic information systems
  that maintain electronic protected health
  information to allow access only to those persons or
  software programs that have been granted access
  rights as specified in Sec. 164.308(a)(4).
The Testbed
         An emulation of a Hospital Intranet Web Server
Introduction to Testbed
   Testbed was created and deployed in a virtual machine (VMware)
   Operating System: Ubuntu Linux Server 7.10
   HTTP Server: Apache 2.2.4
   Database: MySQL 5.0.45
   Web Application Language: PHP 5.2.3
   Applications were written from scratch to emulate
    real world situations on a hospital’s intranet server
Introduction to Testbed
Two applications were written for this Testbed
   Secure Medical Database: An HTML login form used to log in to one of the hospital's record systems. Uses the POST method for submission and retrieves records from the MySQL database.
   Digital Library: A web form to submit medical articles found on the Internet for cataloguing by the hospital librarian. Uses the POST method and the PHP file_get_contents() function to fetch the submitted address.
Auditing Procedures
   This was not a blind audit: the application source was available, and attacks were crafted to take advantage of flaws visible in it (a white-box test).
   Most attacks were performed manually, using
    certain input values in order to audit for a given
    weakness. For the demo, JavaScript was used to fill
    in the forms for each demonstration.
   In order to test password strength, a custom Perl
    script was written. Similar results could be obtained
    with AppScan, Brutus, AccessDiver, etc.
Auditing Procedures
   The exploits chosen for each web application were
    developed in order to demonstrate common coding
    practices which should be considered insecure
   The exploits in this demonstration are focused on
    the actual end user web application and not the
    services or programs which execute the code and
    serve the pages
   The goal is to demonstrate how to analyze web
    application code for exploitable flaws
Testbed Demonstration
         The following will show and explain the
         vulnerabilities in our web applications

         Video is embedded through SlideShare,
         or view at:
Meeting Compliance
         Suggestions to improve the web applications to
         ensure compliance with HIPAA
Prevent SQL Injection attacks
   On the "Secure Medical Database", authentication is decided by MySQL: both POST values are spliced into the WHERE clause of a query, and any returned row is treated as a successful login
   The query should instead request the stored password (ideally a salted hash) for the submitted username only, and PHP should compare it to the submitted value
   This methodology makes sure that all values are set and that the POST values are compared against, never interpolated into, what is stored in the database
   Whatever user input does reach the query must be passed as bound parameters (mysqli or PDO prepared statements), not by string concatenation
   Enabling magic_quotes in the PHP configuration would have stopped this particular injection from being processed, but it is not a defense: it only escapes quotes (unquoted numeric contexts stay injectable), it was deprecated in PHP 5.3 and removed in PHP 5.4
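The vulnerable pattern and the fix described above, written out as an added example; this is not code from the original deck or its testbed. It assumes a `users` table with columns `username` and `password_hash`, the hash produced by PHP's `password_hash()` (PHP 5.5 or later; the testbed's PHP 5.2.3 has mysqli prepared statements but not `password_hash()`), and PHP 7.1+ syntax. The schema and the `authenticate()` and `build_vulnerable_query()` names are assumptions.

```php
<?php
// Added example, not from the original deck. Assumed schema:
//   CREATE TABLE users (username VARCHAR(64) PRIMARY KEY, password_hash VARCHAR(255));
// password_hash holds the output of password_hash($plaintext, PASSWORD_DEFAULT).
declare(strict_types=1);

// --- VULNERABLE: the pattern the testbed's "Secure Medical Database" uses ---
// Both POST values are spliced into the SQL and MySQL decides the outcome:
// any returned row is treated as a successful login.
function build_vulnerable_query(string $user, string $pass): string
{
    return "SELECT * FROM users WHERE username = '$user' AND password = '$pass'";
}
// With $pass = "' OR '1'='1" the text becomes
//   SELECT * FROM users WHERE username = 'x' AND password = '' OR '1'='1'
// and the OR makes the WHERE clause true for every row.
// addslashes()/magic_quotes_gpc would escape that quote, but does nothing for
// unquoted numeric contexts, and magic_quotes was removed in PHP 5.4.

// --- HARDENED: fetch only the stored hash for the username, decide in PHP ---
function authenticate(mysqli $db, string $user, string $pass): bool
{
    // Hash of an unrelated string, verified against when the user does not
    // exist, so response time does not reveal which usernames are valid.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $user);      // sent as data, never parsed as SQL
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();            // true for a row, null for none
    $stmt->close();

    if ($found !== true) {
        password_verify($pass, $dummyHash);   // spend the same time, then fail
        return false;
    }
    // The submitted password never goes to the database; it is checked here
    // against the salted hash with a timing-safe comparison.
    return password_verify($pass, $storedHash);
}

// Usage from the login script (username and password come from the POST form):
// $db = new mysqli('localhost', 'webapp', $dbPassword, 'hospital');
// $db->set_charset('utf8mb4');
// if (authenticate($db, $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     session_regenerate_id(true);   // fresh session id once authenticated
//     $_SESSION['user'] = $_POST['username'];
// }
```

The hash has to be created with `password_hash()` when the account is provisioned. If a legacy table still holds plaintext passwords, `hash_equals($stored, $pass)` in PHP is the interim comparison that keeps the decision out of MySQL, but the table should be migrated to hashes.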
Prevent Brute Force Password Cracking
   There is nothing in the script which prevents or limits a scripted attack on the password form
   A CAPTCHA image would add a per-login value that the client has to read, severely complicating scripting (though not preventing it)
   A lockout mechanism should also be coded, limiting failed logins per user or IP in a given time frame; note that a hard per-user lockout lets an attacker lock legitimate users out, so prefer short windows and escalating delays, and that per-IP limits are weak behind NAT and proxies
   A stronger password policy should be enforced, requiring longer passwords with greater complexity and prohibiting dictionary words
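Lockout and password-policy logic for that login form, added here as an example rather than taken from the deck. It assumes a `login_attempts` table as described in the comment, a login script that knows the client's source address, and a verifier function with the shape `verify($db, $user, $pass)`; the table layout, thresholds and function names are assumptions.

```php
<?php
// Added example, not from the original deck. Assumed schema:
//   CREATE TABLE login_attempts (
//     username VARCHAR(64) NOT NULL, ip VARCHAR(45) NOT NULL,
//     attempted_at DATETIME NOT NULL,
//     INDEX (username, attempted_at), INDEX (ip, attempted_at));
declare(strict_types=1);

const LOCKOUT_WINDOW = 900;   // seconds of history counted (15 minutes)
const MAX_PER_USER   = 5;     // failures against one username in the window
const MAX_PER_IP     = 30;    // failures from one address (higher: NAT, proxies)

// Timestamps are written and compared using PHP's clock, so the PHP and
// MySQL time zones do not have to agree.
function record_failure(mysqli $db, string $user, string $ip): void
{
    $now  = date('Y-m-d H:i:s');
    $stmt = $db->prepare(
        'INSERT INTO login_attempts (username, ip, attempted_at) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $user, $ip, $now);
    $stmt->execute();
    $stmt->close();
}

// Count failures for one key column since the start of the window.
function failures_since(mysqli $db, string $column, string $value): int
{
    // Column names cannot be bound as parameters, so the name comes from this
    // fixed allowlist and never from user input; the value is still bound.
    if (!in_array($column, ['username', 'ip'], true)) {
        throw new InvalidArgumentException('bad column');
    }
    $cutoff = date('Y-m-d H:i:s', time() - LOCKOUT_WINDOW);
    $stmt   = $db->prepare(
        "SELECT COUNT(*) FROM login_attempts WHERE $column = ? AND attempted_at > ?"
    );
    $stmt->bind_param('ss', $value, $cutoff);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

function is_locked_out(mysqli $db, string $user, string $ip): bool
{
    return failures_since($db, 'username', $user) >= MAX_PER_USER
        || failures_since($db, 'ip', $ip) >= MAX_PER_IP;
}

// Returns the policy violations; an empty array means the password is acceptable.
// $dictionary is a list of lowercase words (e.g. a common-password list).
function password_policy_violations(string $pw, array $dictionary): array
{
    $problems = [];
    if (strlen($pw) < 12)                   $problems[] = 'shorter than 12 characters';
    if (!preg_match('/[a-z]/', $pw))        $problems[] = 'no lowercase letter';
    if (!preg_match('/[A-Z]/', $pw))        $problems[] = 'no uppercase letter';
    if (!preg_match('/[0-9]/', $pw))        $problems[] = 'no digit';
    if (!preg_match('/[^A-Za-z0-9]/', $pw)) $problems[] = 'no symbol';
    // "Password1!" is a dictionary word with decoration: strip the decoration
    // before the lookup so it is still rejected.
    $core = strtolower(preg_replace('/[^A-Za-z]/', '', $pw));
    if ($core !== '' && in_array($core, $dictionary, true)) {
        $problems[] = 'based on a dictionary word';
    }
    return $problems;
}

// $verify is the password check itself (for instance an authenticate()
// function that compares against a stored hash); passing it in keeps this
// file self-contained.
function try_login(mysqli $db, string $user, string $pass, string $ip, callable $verify): bool
{
    if (is_locked_out($db, $user, $ip)) {
        return false;               // same answer as a wrong password
    }
    if ($verify($db, $user, $pass)) {
        return true;
    }
    record_failure($db, $user, $ip);
    return false;
}
```

Returning the same failure response whether the account is locked or the password is wrong stops the form from confirming valid usernames; log the lockout server-side and alert on it instead of telling the client. The CAPTCHA the deck suggests fits in `try_login()` ahead of the lockout check, and rows older than the window can be purged by a scheduled job.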
Insufficient Data Validation
   The "Digital Library" application passes the submitted address straight to file_get_contents() with no data validation, so a local path or file:// URL discloses server files and an intranet URL turns the server into a proxy into the hospital network (information harvesting)
   Put the web server in a chroot "jail" to limit access to system files such as /etc/passwd; this is defense in depth and does not fix the application
   Write validation code to ensure that the address specified is an http or https URL to an external web page: check the scheme, the host, and the address the host resolves to
   Do not print back the contents of a submitted article to the user; store it for the librarian and display only escaped catalogue metadata
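A hardened replacement for the Digital Library's fetch, added as an example and not taken from the deck. It keeps the deck's rule that the address must be an external web page and adds the checks a practitioner would want in front of `file_get_contents()`: a scheme allowlist, no credentials in the URL, and a refusal to fetch anything that resolves into private or reserved address space. The `follow_location` stream option needs PHP 5.3.4 or later and the `?string` return type PHP 7.1; the function names are assumptions.

```php
<?php
// Added example, not from the original deck: validation in front of the
// file_get_contents() call behind the "Digital Library" form.
declare(strict_types=1);

// Returns null when the address may be fetched, otherwise the reason it may not.
function reject_reason(string $url): ?string
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return 'not an absolute URL';           // "/etc/passwd", "../x", "file:///etc/passwd"
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return "scheme '$scheme' not allowed";   // php://, data:, ftp://, gopher://
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return 'credentials in URL';             // http://www.example.org@127.0.0.1/
    }
    $host = strtolower(trim($p['host'], '[]')); // strip IPv6 literal brackets
    if ($host === 'localhost' || substr($host, -6) === '.local' || substr($host, -10) === '.localhost') {
        return 'internal hostname';
    }
    // The server sits on the hospital intranet, so an open fetcher is a proxy
    // into it: refuse anything that resolves to private or reserved space.
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ip = $host;
    } else {
        $ip = gethostbyname($host);             // IPv4 only; returns $host on failure
        if ($ip === $host) {
            return 'hostname does not resolve';  // AAAA-only hosts fail closed here
        }
    }
    $public = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    if ($public === false) {
        return "resolves to non-public address $ip";
    }
    return null;
}

function fetch_article(string $url): string
{
    $why = reject_reason($url);
    if ($why !== null) {
        throw new InvalidArgumentException("refusing to fetch: $why");
    }
    $ctx = stream_context_create(['http' => [
        'method'          => 'GET',
        'timeout'         => 5,
        'follow_location' => 0,   // a 302 could point back at 127.0.0.1 or 10.0.0.0/8
        'ignore_errors'   => true,
    ]]);
    // Length cap: an article, not an unbounded download.
    $body = file_get_contents($url, false, $ctx, 0, 2 * 1024 * 1024);
    if ($body === false) {
        throw new RuntimeException('fetch failed');
    }
    return $body;
}
```

With this in place `/etc/passwd` and `file:///etc/passwd` are rejected before any file access takes place, and `http://127.0.0.1/` or a 10.x intranet address is refused as non-public. Two caveats: the name is resolved once here and again inside `file_get_contents()`, so a DNS answer that changes between the two (rebinding) can slip through; the robust form connects to the validated IP and sets the `Host` header itself, or routes fetches through an egress proxy that enforces the same policy. And the fetched body should never be echoed back: store it for the librarian and show only `htmlspecialchars($url)` and the size.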
Summary
         Presentation Review, Lessons Learned, References
Presentation Summary
   HIPAA is a federal law which protects patients' medical information and records
   HIPAA requires access control, with access rights to records and resources granted by role as specified in § 164.308(a)(4)
   Secure coding techniques can prevent many common attacks through validation and variable conditioning
   Web applications are highly vulnerable to scripting and automated attacks (and to automated auditing tools)
Lessons Learned
   Most attacks can be avoided with proper
    sanitization and code review
   Applications should not depend on external sources
    (database, client side validation, etc) for validation
   Minimize the amount of variability possible from
    user input
   Build controls into scripts to limit attempts at hacking
    or automation
References
     BioPassword, Inc. (2006). Strong User Authentication and HIPAA. Retrieved Apr. 18, 2008, from http://www.biopassword.com/library/Strong_User_and_HIPAA.pdf
     Thornton, S. W., Henrico Internal Audit. (2006, Jan. 18). Detailed Audit Testing Steps for HIPAA Security Rule Compliance. Henrico, VA. Retrieved Apr. 18, 2008, from http://www.co.henrico.va.us/audit/
     P. M. (2003). HIPAA security regulations: Protecting patients' electronic health information. The Journal of the American Dental Association, 134(5), 640-643. Retrieved May 5, 2008, from http://jada.ada.org/cgi/content/full/134/5/640
     Centers for Medicare & Medicaid Services. (2007, Dec. 10). Security Standards: Implementation for the Small Provider. HIPAA Security Series, 2(7), 1-12. Retrieved May 5, 2008, from http://www.cms.hhs.gov/EducationMaterials/Downloads/SmallProvider4final.pdf

 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Auditing web servers for HIPAA compliance - §164.312(a)(1)

  • 1. AUDITING WEB SERVERS FOR HIPAA COMPLIANCE - HIPAA § 164.312(a)(1)
  • 2. Agenda
      I. Overview of HIPAA
      II. In-depth Analysis of Section 164.312(a)(1)
      III. Introduction to Testbed
      IV. Auditing Procedures
      V. Testbed Demonstration
      VI. Making the Testbed Compliant
      VII. Summary
      VIII. Lessons Learned
      IX. References
      Copyright 2008 Eric Goldman - http://www.ericgoldman.name
  • 3. HIPAA: The Health Insurance Portability & Accountability Act. US Federal Law, Enacted 1996
  • 4. Overview of HIPAA
      - Enacted to create a national standard for protecting patients' private health information
      - Requires healthcare entities that use electronic processing to comply with standard forms & codes
      - Requires the implementation of new safeguards to protect stored information and medical records
      - Compliance is enforced by auditing, and heavy penalties can be levied for non-compliance
  • 5. Section 164.312(a)(1)
      - HIPAA is a comprehensive law which affects both technical and non-technical aspects of healthcare
      - The HIPAA Security Rule consists of three sections: Administrative, Physical, & Technical Safeguards
      - Section 164.312(a)(1) is a technical safeguard which deals with access control, and is a required part of the HIPAA standard
  • 6. Section 164.312(a)(1). The Policy Statement for this section is as follows:
      Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).
  • 7. The Testbed: An emulation of a Hospital Intranet Web Server
  • 8. Introduction to Testbed
      - Testbed was created and deployed in a virtual machine (VMware)
      - Operating System: Ubuntu Linux Server 7.10
      - HTTP Server: Apache 2.2.4
      - Database: MySQL 5.0.45
      - Web Application Language: PHP 5.2.3
      - Applications were written from scratch to emulate real-world situations on a hospital's intranet server
  • 9. Introduction to Testbed. Two applications were written for this Testbed:
      - Secure Medical Database: An HTML login form used to log in to one of the hospital's record systems. Uses the POST method for submission and retrieves records from a MySQL database.
      - Digital Library: A web form to submit medical articles found on the Internet for cataloguing by the hospital librarian. Uses the POST method and the PHP file_get_contents() function.
  • 10. Auditing Procedures
      - For this testbed, a blind audit was not assumed. Attacks were crafted to take advantage of visible flaws in the source code of the applications.
      - Most attacks were performed manually, using certain input values in order to audit for a given weakness. For the demo, JavaScript was used to fill in the forms for each demonstration.
      - In order to test password strength, a custom Perl script was written. Similar results could be obtained with AppScan, Brutus, AccessDiver, etc.
  • 11. Auditing Procedures
      - The exploits chosen for each web application were developed in order to demonstrate common coding practices which should be considered insecure
      - The exploits in this demonstration are focused on the actual end-user web application and not the services or programs which execute the code and serve the pages
      - The goal is to demonstrate how to analyze web application code for exploitable flaws
  • 12. Testbed Demonstration. The following will show and explain the vulnerabilities in our web applications. Video is embedded through SlideShare, or view at:
  • 13. Meeting Compliance: Suggestions to improve the web applications to ensure compliance with HIPAA
  • 14. Prevent SQL Injection attacks
      - On the "Secure Medical Database", the authentication validation is performed by MySQL
      - The query should request the password for a given user, then compare it to the submitted value in PHP
      - This methodology makes sure that all values are set and that the POST values are compared to values stored in the database
      - Enabling magic_quotes in the PHP configuration would prevent the injection from being processed
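The fix slide 14 describes, written out as an added example rather than the testbed's own code: the query asks MySQL only for the stored credential of one username, and PHP makes the accept/reject decision. The `users` table, its `username` and `password_hash` columns, the connection details and the PHP version (5.5+ for `password_verify()`) are assumptions. One caveat on the slide's last bullet: `magic_quotes_gpc` only escapes quote characters, was deprecated in PHP 5.3 and removed in 5.4, so it is no substitute for the prepared statement shown here.

```php
<?php
// Added example (not the testbed's own code) for the slide 14 fix: let MySQL
// return only the stored credential for one username and make the accept/reject
// decision in PHP. The `users` table, its `username` and `password_hash` columns
// and the connection details are assumptions. Needs PHP 5.5+ for password_verify().

// BEFORE: the pattern the slide criticises. Both POST values are spliced into the
// SQL text, so the database, not the application, decides whether the login
// succeeds, and a value containing quote characters changes the query itself.
function login_vulnerable(mysqli $db, $user, $pass) {
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    $res = $db->query($sql);
    return $res !== false && $res->num_rows === 1;
}

// AFTER: a prepared statement looks up the hash for the username only; the
// submitted password is compared in PHP with a constant-time check.
function login_hardened(mysqli $db, $user, $pass) {
    // Every value must be present and a plain string (an array in $_POST is
    // rejected here rather than being silently cast).
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $user);   // bound as data; never part of the SQL text
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        // Unknown user: still do a hash comparison so response time does not
        // reveal which usernames exist.
        password_verify($pass, dummy_hash());
        return false;
    }
    return password_verify($pass, $storedHash);
}

// Hash computed when the account is created; store the result in password_hash.
function make_password_hash($pass) {
    return password_hash($pass, PASSWORD_DEFAULT);
}

// A valid hash of a throwaway value, used to equalise timing for unknown users.
function dummy_hash() {
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    return $hash;
}

// Usage from the login script (connection values are placeholders):
// $db = new mysqli('localhost', 'app_user', 'app_password', 'hospital');
// if (login_hardened($db, $_POST['username'], $_POST['password'])) { /* start the session */ }
```

Because the username travels as a bound parameter, the "all values are set" check and the comparison against the stored value both happen in application code, which is the property the slide asks for; the database can no longer be talked into returning a row for credentials it was never given.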
  • 15. Prevent Brute Force Password Cracking
      - There is nothing in the script which prevents or limits a scripted attack on the password form
      - A captcha image would provide a unique variable for each login, severely complicating scripting
      - A lockout mechanism should also be coded, limiting possible logins per user or IP in a given time frame
      - A stronger password policy should be enforced, requiring longer passwords with greater complexity and a prohibition on dictionary words
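The lockout mechanism and password policy from slide 15, as an added example that is not part of the testbed. The attempt store is an in-memory array so the script runs stand-alone; a real deployment would keep it in a shared database table or cache so that every web worker sees the same counts. The thresholds, the key names and the PHP 5.3+ closure syntax are assumptions.

```php
<?php
// Added example, not from the testbed: the lockout and password-policy controls
// suggested on slide 15. The attempt store is an in-memory array so the script
// runs stand-alone; a real deployment would keep it in a shared table or cache.

class LoginThrottle {
    private $attempts = array();   // key => list of failure timestamps
    private $maxFailures;
    private $windowSeconds;

    public function __construct($maxFailures = 5, $windowSeconds = 900) {
        $this->maxFailures = $maxFailures;
        $this->windowSeconds = $windowSeconds;
    }

    // Drop failures older than the window and return how many remain.
    private function recent($key, $now) {
        if (!isset($this->attempts[$key])) {
            return 0;
        }
        $cutoff = $now - $this->windowSeconds;
        $this->attempts[$key] = array_values(array_filter(
            $this->attempts[$key],
            function ($t) use ($cutoff) { return $t > $cutoff; }
        ));
        return count($this->attempts[$key]);
    }

    // True when either the account or the client address has used up its budget,
    // so a script cannot spread guesses across many usernames from one address.
    public function isLockedOut($username, $ip, $now = null) {
        $now = $now === null ? time() : $now;
        return $this->recent('user:' . $username, $now) >= $this->maxFailures
            || $this->recent('ip:' . $ip, $now) >= $this->maxFailures;
    }

    // Call after every failed login, before returning the error to the client.
    public function recordFailure($username, $ip, $now = null) {
        $now = $now === null ? time() : $now;
        $this->attempts['user:' . $username][] = $now;
        $this->attempts['ip:' . $ip][] = $now;
    }

    // A successful login clears the account budget only; the address keeps its history.
    public function recordSuccess($username) {
        unset($this->attempts['user:' . $username]);
    }
}

// Password policy from slide 15: minimum length, character classes, no dictionary words.
// Returns a list of violations; an empty list means the password is acceptable.
function password_policy_violations($password, array $dictionary) {
    $problems = array();
    if (strlen($password) < 12) {
        $problems[] = 'shorter than 12 characters';
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)
        || !preg_match('/[0-9]/', $password) || !preg_match('/[^A-Za-z0-9]/', $password)) {
        $problems[] = 'needs lower-case, upper-case, digit and symbol characters';
    }
    $lower = strtolower($password);
    foreach ($dictionary as $word) {
        if (strlen($word) >= 4 && strpos($lower, strtolower($word)) !== false) {
            $problems[] = "contains dictionary word '$word'";
            break;
        }
    }
    return $problems;
}

// Stand-alone demonstration with constructed inputs (fixed timestamps, made-up names).
$throttle = new LoginThrottle(3, 600);
$t0 = 1200000000;
for ($i = 0; $i < 3; $i++) {
    $throttle->recordFailure('drjones', '10.0.0.5', $t0 + $i);
}
var_dump($throttle->isLockedOut('drjones', '10.0.0.5', $t0 + 10));   // the account that failed
var_dump($throttle->isLockedOut('nurse1', '10.0.0.5', $t0 + 10));    // another account, same address
var_dump($throttle->isLockedOut('nurse1', '10.0.0.9', $t0 + 10));    // another account, another address
var_dump($throttle->isLockedOut('drjones', '10.0.0.5', $t0 + 700));  // after the window has passed
print_r(password_policy_violations('hospital1', array('hospital', 'password')));
```

Keeping separate budgets per user and per address covers both shapes of scripted attack the slide has in mind: many passwords against one account, and a few common passwords sprayed across many accounts from one source.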
  • 16. Insufficient Data Validation
      - The "Digital Library" application has no data validation to prohibit information harvesting
      - Put the web server in a chroot "jail" to limit access to system files such as /etc/passwd
      - Write validation code to ensure that the address specified is an external web page
      - Do not print back the contents of a submitted article to the user
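The validation slide 16 calls for in the Digital Library, as an added example that is not the testbed's code: a submitted address must be an absolute http(s) URL whose host resolves to a public address before it is handed to `file_get_contents()`, and the fetched body is catalogued rather than echoed back. The function names, the size and time limits, and the constructed sample addresses (203.0.113.10 is a documentation range used here as a stand-in for a public host) are assumptions; `gethostbynamel()` resolves IPv4 only, so IPv6 hostnames would need `dns_get_record()` in addition.

```php
<?php
// Added example, not the testbed's code: the validation slide 16 calls for in
// the Digital Library before a submitted address reaches file_get_contents().
// Returns null when the address is acceptable, otherwise the reason it was rejected.
function reject_reason_for_article_url($url) {
    if (!is_string($url) || $url === '' || strlen($url) > 2048) {
        return 'missing or oversized address';
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'not an absolute URL';          // bare paths such as /etc/passwd stop here
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return 'scheme must be http or https'; // file://, php://, ftp:// and data: are refused
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return 'credentials in the URL are not allowed';
    }
    $host = strtolower(trim($parts['host'], '[]'));
    if ($host === 'localhost' || substr($host, -strlen('.localhost')) === '.localhost') {
        return 'loopback hostname';
    }
    // Resolve the name and refuse anything that is not a public address, so the
    // request cannot be pointed at the intranet server itself or at neighbouring hosts.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? array($host) : gethostbynamel($host);
    if (empty($ips)) {
        return 'hostname does not resolve';
    }
    foreach ($ips as $ip) {
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            return "resolves to a non-public address ($ip)";
        }
    }
    return null;
}

// Fetch with a bounded timeout and size and without following redirects, so a
// validated public URL cannot bounce the request to an internal address.
function fetch_article_for_cataloguing($url) {
    $why = reject_reason_for_article_url($url);
    if ($why !== null) {
        return array('ok' => false, 'error' => $why);
    }
    $ctx = stream_context_create(array('http' => array(
        'method'          => 'GET',
        'timeout'         => 10,
        'follow_location' => 0,
        'max_redirects'   => 0,
        'user_agent'      => 'HospitalLibraryCataloguer/1.0',
    )));
    $body = @file_get_contents($url, false, $ctx, 0, 1048576);   // cap the body at 1 MiB
    if ($body === false) {
        return array('ok' => false, 'error' => 'fetch failed');
    }
    // Hand the article to the librarian's queue; the submitter only learns that
    // it was accepted, never the fetched contents (slide 16, last bullet).
    return array('ok' => true, 'bytes' => strlen($body), 'sha1' => sha1($body));
}

// Stand-alone check of the validator against constructed inputs; nothing is fetched.
$samples = array(
    '/etc/passwd',
    'file:///etc/passwd',
    'php://filter/resource=/etc/passwd',
    'http://127.0.0.1/records.php',
    'http://localhost/records.php',
    'http://10.0.0.5/records.php',
    'http://[::1]/records.php',
    'http://203.0.113.10/journal/article.html',   // stands in for a public web page
);
foreach ($samples as $s) {
    $why = reject_reason_for_article_url($s);
    echo str_pad($s, 45), ' => ', ($why === null ? 'accepted' : 'rejected: ' . $why), "\n";
}
```

Resolving the hostname at validation time and again inside `file_get_contents()` leaves a small window in which a DNS answer could change between the two lookups; where that matters, resolve once, connect to the checked address and send the original hostname in the Host header, or route outbound fetches through a proxy that enforces the same allow rules.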
  • 17. Summary: Presentation Review, Lessons Learned, References
  • 18. Presentation Summary
      - HIPAA is a federal law which protects patients' medical information and records
      - HIPAA requires access control and role-based authentication to records and resources
      - Secure coding techniques can prevent many common attacks through validation and variable conditioning
      - Web applications are highly vulnerable to scripting and automated attacks (and auditing tools)
  • 19. Lessons Learned
      - Most attacks can be avoided with proper sanitization and code review
      - Applications should not depend on external sources (database, client-side validation, etc.) for validation
      - Minimize the amount of variability possible from user input
      - Build controls into scripts to limit attempts at hacking or automation
  • 20. References
      - BioPassword, Inc. (2006). Strong User Authentication and HIPAA. Retrieved Apr. 18, 2008, from http://www.biopassword.com/library/Strong_User_and_HIPAA.pdf
      - Thornton, S. W., Henrico Internal Audit. (2006, Jan. 18). Detailed Audit Testing Steps for HIPAA Security Rule Compliance. Henrico, VA. Retrieved Apr. 18, 2008, from http://www.co.henrico.va.us/audit/
      - P. M. (2003). HIPAA security regulations: Protecting patients' electronic health information. The Journal of the American Dental Association, 134(5), 640-643. Retrieved May 5, 2008, from http://jada.ada.org/cgi/content/full/134/5/640
      - (2007, Dec. 10). Security Standards: Implementation for the Small Provider. HIPAA Security Series, 2(7), 1-12. Retrieved May 5, 1986, from http://www.cms.hhs.gov/EducationMaterials/Downloads/SmallProvider4final.pdf