This presentation provides an overview of HIPAA (Health Insurance Portability and Accountability Act) from a technical standpoint, and the requirements it places upon a business. Specifically, this presentation addresses HIPAA § 164.312(a)(1). The presentation covers the requirements of this area of the law. In order to demonstrate the requirements, a test environment was built and some application mock-ups were created (intentionally vulnerable) in order to demonstrate what an auditor needs to look for, why the law requires this, and how to address such issues. The testbed demonstration also provides a good primer on SQL injection, password cracking, and file inclusion vulnerabilities. The presentation steps through many of these aspects in detail. The demonstration is embedded from YouTube, and is available in higher quality there. The presentation concludes with some hints and lessons learned through the process. You can get more information on this presentation, demo, and related materials by visiting http://www.ericgoldman.name
2. Agenda
I. Overview of HIPAA
II. In-depth Analysis of Section 164.312(a)(1)
III. Introduction to Testbed
IV. Auditing Procedures
V. Testbed Demonstration
VI. Making the Testbed Compliant
VII. Summary
VIII. Lessons Learned
IX. References
Copyright 2008 Eric Goldman - http://www.ericgoldman.name
3. HIPAA
The Health Insurance Portability & Accountability Act
US Federal Law, Enacted 1996
4. Overview of HIPAA
Enacted to create a national standard for protecting patients’ private health information
Requires healthcare entities that use electronic processing to comply with standard forms & codes
Requires the implementation of new safeguards to protect stored information and medical records
Compliance is enforced by auditing, and heavy penalties can be levied for non-compliance
5. Section 164.312(a)(1)
HIPAA is a comprehensive law which affects both technical and non-technical aspects of healthcare
The HIPAA Security Rule consists of three sections: Administrative, Physical, & Technical Safeguards
Section 164.312(a)(1) is a technical safeguard which deals with access control, and is a required part of the HIPAA standard
6. Section 164.312(a)(1)
The Policy Statement for this section is as follows:
Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4).
7. The Testbed
An emulation of a Hospital Intranet Web Server
8. Introduction to Testbed
Testbed was created and deployed in a VMware virtual machine
Operating System: Ubuntu Linux Server 7.10
HTTP Server: Apache 2.2.4
Database: MySQL 5.0.45
Web Application Language: PHP 5.2.3
Applications were written from scratch to emulate real-world situations on a hospital’s intranet server
9. Introduction to Testbed
Two applications were written for this Testbed
Secure Medical Database: An HTML login form used to log in to one of the hospital’s record systems. Uses the POST method for submission and retrieves records from a MySQL database.
Digital Library: A web form to submit medical articles found on the Internet for cataloguing by the hospital librarian. Uses the POST method and the PHP file_get_contents() function.
10. Auditing Procedures
For this testbed, a blind audit was not assumed. Attacks were crafted to take advantage of visible flaws in the source code of the applications.
Most attacks were performed manually, using certain input values in order to audit for a given weakness. For the demo, JavaScript was used to fill in the forms for each demonstration.
In order to test password strength, a custom Perl script was written. Similar results could be obtained with AppScan, Brutus, AccessDiver, etc.
11. Auditing Procedures
The exploits chosen for each web application were developed in order to demonstrate common coding practices which should be considered insecure
The exploits in this demonstration are focused on the actual end-user web application and not the services or programs which execute the code and serve the pages
The goal is to demonstrate how to analyze web application code for exploitable flaws
12. Testbed Demonstration
The following will show and explain the vulnerabilities in our web applications
Video is embedded through SlideShare, or view at:
13. Meeting Compliance
Suggestions to improve the web applications to ensure compliance with HIPAA
14. Prevent SQL Injection attacks
On the “Secure Medical Database”, the authentication validation is performed by MySQL
The query should instead request the password for a given user, then compare it to the submitted value in PHP
This methodology makes sure that all values are set and that the POST values are compared to values stored in the database
Enabling magic_quotes in the PHP configuration would prevent the injection from being processed
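The login rewritten along these lines, as an added example that is not the presentation's testbed code: MySQL only returns the stored credential for the requested user, and PHP does the comparison. It uses a prepared statement rather than magic_quotes, and the users table, its columns and the bcrypt hashing are assumptions.

```php
<?php
// Added example, not the presentation's code: the "Secure Medical Database"
// login rewritten so MySQL only returns the stored credential for the given
// user and the comparison happens in PHP. The users table, its columns
// (username, pass_hash) and bcrypt hashing are assumptions.

// BEFORE (the pattern the slide warns against): MySQL does the validation,
// with both POST values spliced straight into the query text, so a crafted
// value can change the WHERE clause instead of being treated as data.
function login_vulnerable(mysqli $db, $user, $pass) {
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    $res = $db->query($sql);
    return $res && $res->num_rows > 0;
}

// AFTER: request only the stored hash for the user through a prepared
// statement (the value is bound, never parsed as SQL), then compare in PHP.
// Both values must be set, and an unknown user never matches.
function login_safe(mysqli $db, $user, $pass) {
    if (!is_string($user) || !is_string($pass) || $user === '' || $pass === '') {
        return false;
    }
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;
    }
    // password_verify() (PHP >= 5.5) compares against a bcrypt hash written
    // by password_hash() at enrolment, in constant time.
    return password_verify($pass, $stored_hash);
}

// Usage, assuming the form posts fields named username and password:
// $db = new mysqli('localhost', 'webapp', 'dbpass', 'hospital');
// $ok = login_safe($db, $_POST['username'], $_POST['password']);
```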
15. Prevent Brute Force Password Cracking
There is nothing in the script which prevents or limits a scripted attack on the password form
A CAPTCHA image would provide a unique variable for each login, severely complicating scripting
A lockout mechanism should also be coded, limiting possible logins per user or IP in a given time frame
A stronger password policy should be enforced, requiring longer passwords with greater complexity and prohibiting dictionary words
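The lockout mechanism from the slide above, as an added example rather than the presentation's code: failed logins are counted per user name and per client IP inside a sliding window, backed by an assumed login_attempts table.

```php
<?php
// Added example, not the presentation's code: a lockout for the login form
// that caps failed attempts per user name and per client IP in a sliding
// window. The login_attempts table (username, ip, attempted_at DATETIME) is
// an assumption; index it on (username, attempted_at) and (ip, attempted_at).

define('MAX_FAILURES', 5);      // failures tolerated per key inside the window
define('WINDOW_SECONDS', 900);  // 15-minute sliding window

// True when either key has used up its budget. Check this before the
// credential lookup so a locked account or host is refused outright.
function is_locked_out(mysqli $db, $user, $ip) {
    $window = WINDOW_SECONDS;   // bind_param needs a variable, not a constant
    $stmt = $db->prepare(
        'SELECT COALESCE(SUM(username = ?), 0), COALESCE(SUM(ip = ?), 0)
           FROM login_attempts WHERE attempted_at > NOW() - INTERVAL ? SECOND'
    );
    $stmt->bind_param('ssi', $user, $ip, $window);
    $stmt->execute();
    $stmt->bind_result($by_user, $by_ip);
    $stmt->fetch();
    $stmt->close();
    return $by_user >= MAX_FAILURES || $by_ip >= MAX_FAILURES;
}

// Record one failure; call after every unsuccessful login.
function record_failure(mysqli $db, $user, $ip) {
    $stmt = $db->prepare(
        'INSERT INTO login_attempts (username, ip, attempted_at) VALUES (?, ?, NOW())'
    );
    $stmt->bind_param('ss', $user, $ip);
    $stmt->execute();
    $stmt->close();
}

// Reset the user's counter on success; the per-IP history is kept so an
// automated run cannot clear itself by guessing one account correctly.
function clear_failures(mysqli $db, $user) {
    $stmt = $db->prepare('DELETE FROM login_attempts WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->close();
}

// Usage sketch around the existing credential check:
// $ip = $_SERVER['REMOTE_ADDR'];
// if (is_locked_out($db, $user, $ip)) { header('HTTP/1.1 429 Too Many Requests'); exit; }
// if ($ok) clear_failures($db, $user); else record_failure($db, $user, $ip);
```

Keep the lockout response identical for unknown and existing user names so the form does not confirm which accounts exist.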
16. Insufficient Data Validation
The “Digital Library” application has no data validation to prohibit information harvesting
Put the web server in a chroot “jail” to limit access to system files such as /etc/passwd
Write validation code to ensure that the address specified is an external web page
Do not print back the contents of a submitted article to the user
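The validation and "do not print back" points above carried into code, as an added example that is not the presentation's Digital Library script: the address must be an http(s) URL that resolves only to public addresses before file_get_contents() sees it, and the fetched article is stored rather than echoed. The articles table and the field name are assumptions.

```php
<?php
// Added example, not the presentation's code: validation for the "Digital
// Library" form so file_get_contents() is only ever given an external http(s)
// URL, never a local path such as /etc/passwd or a host on the hospital's own
// network, and the fetched article is stored, not echoed. Table name is assumed.

function is_external_web_url($url) {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;                     // bare paths, relative names, file://
    }
    if (!in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return false;                     // also rejects php://, ftp://, data:
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;                     // no embedded credentials
    }
    $host = $p['host'];
    // Every address the name resolves to must be public: this blocks localhost
    // and the private/reserved ranges, so the form cannot reach intranet pages.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? array($host) : gethostbynamel($host);
    if (!$ips) {
        return false;                     // unresolvable host
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                       FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// Accept a submission: fetch only after validation, store the document for
// the librarian, and return a status message that never contains the body.
function submit_article(mysqli $db, $url) {
    if (!is_external_web_url($url)) {
        return 'Rejected: only external http(s) web addresses are accepted.';
    }
    $body = @file_get_contents($url);
    if ($body === false) {
        return 'Could not retrieve the page.';
    }
    $stmt = $db->prepare('INSERT INTO articles (url, body, submitted_at) VALUES (?, ?, NOW())');
    $stmt->bind_param('ss', $url, $body);
    $stmt->execute();
    $stmt->close();
    return 'Submitted for cataloguing.';
}
```

file_get_contents() follows HTTP redirects on its own, so a stricter build fetches with a client that lets each redirect target be re-checked with is_external_web_url() before it is followed.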
18. Presentation Summary
HIPAA is a federal law which protects patients’ medical information and records
HIPAA requires access control and role-based authentication to records and resources
Secure coding techniques can prevent many common attacks through validation and variable conditioning
Web applications are highly vulnerable to scripting and automated attacks (and auditing tools)
19. Lessons Learned
Most attacks can be avoided with proper sanitization and code review
Applications should not depend on external sources (database, client-side validation, etc.) for validation
Minimize the amount of variability possible from user input
Build controls into scripts to limit attempts at hacking or automation
20. References
BioPassword, Inc. (2006). Strong User Authentication and HIPAA. Retrieved Apr. 18, 2008, from http://www.biopassword.com/library/Strong_User_and_HIPAA.pdf
Thornton, S. W. (2006, Jan. 18). Detailed Audit Testing Steps for HIPAA Security Rule Compliance. Henrico, VA: Henrico Internal Audit. Retrieved Apr. 18, 2008, from http://www.co.henrico.va.us/audit/
P. M. (2003). HIPAA security regulations: Protecting patients’ electronic health information. The Journal of the American Dental Association, 134(5), 640-643. Retrieved May 5, 2008, from http://jada.ada.org/cgi/content/full/134/5/640
(2007, Dec. 10). Security Standards: Implementation for the Small Provider. HIPAA Security Series, 2(7), 1-12. Retrieved May 5, 1986, from http://www.cms.hhs.gov/EducationMaterials/Downloads/SmallProvider4final.pdf