Auditing web servers for HIPAA compliance - §164.312(a)(1)

1. AUDITING WEB SERVERS FOR HIPAA COMPLIANCE HIPAA § 164.312(a)(1)

2. Agenda I. Overview of HIPAA II. In-depth Analysis of Section 164.312(a)(1) III. Introduction to Testbed IV. Auditing Procedures V. Testbed Demonstration VI. Making the Testbed Compliant VII. Summary VIII. Lessons Learned IX. References Copyright 2008 Eric Goldman - http://www.ericgoldman.name

4. Overview of HIPAA  Enacted to create a national standard for protecting patients’ private health information  Requires healthcare entities that use electronic processing to comply with standard forms & codes  Requires the implementation of new safeguards to protect stored information and medical records  Compliance is enforced by auditing and heavy penalties can be levied for non-compliance Copyright 2008 Eric Goldman - http://www.ericgoldman.name

5. Section 164.312(a)(1)  HIPAA is a comprehensive law which effects both technical and non-technical aspects of healthcare  The HIPAA Security Rule consists of three sections: Administrative, Physical, & Technical Safeguards  Section 164.312(a)(1) is a technical safeguard which deals with access control, and is a required part of the HIPAA standard Copyright 2008 Eric Goldman - http://www.ericgoldman.name

6. Section 164.312(a)(1) The Policy Statement for this section is as follows: Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4). Copyright 2008 Eric Goldman - http://www.ericgoldman.name

8. Introduction to Testbed  Testbed was created and deployed in virtual machine (VMWARE)  Operating System: Ubuntu Linux Server 7.10  HTTP Server: Apache 2.2.4  Database: MySQL 5.0.45  Web Application Language: PHP 5.2.3  Applications were written from scratch to emulate real world situations on a hospital’s intranet server Copyright 2008 Eric Goldman - http://www.ericgoldman.name

9. Introduction to Testbed Two applications were written for this Testbed  Secure Medial Database: A HTML login form used to login to one of the hospital’s record systems. Uses POST method for submission and retrieves records from MySQL database.  Digital Library: A web form to submit medical articles found on the Internet for cataloguing by the hospital librarian. Uses POST method and PHP file_get_contents() function. Copyright 2008 Eric Goldman - http://www.ericgoldman.name

10. Auditing Procedures  For this testbed, a blind audit was not assumed. Attacks were crafted to take advantage of visible flaws in the source code of the applications.  Most attacks were performed manually, using certain input values in order to audit for a given weakness. For the demo, JavaScript was used to fill in the forms for each demonstration.  In order to test password strength, a custom Perl script was written. Similar results could be obtained with AppScan, Brutus, AccessDiver, etc. Copyright 2008 Eric Goldman - http://www.ericgoldman.name

11. Auditing Procedures  The exploits chosen for each web application were developed in order to demonstrate common coding practices which should be considered insecure  The exploits in this demonstration are focused on the actual end user web application and not the services or programs which execute the code and serve the pages  The goal is to demonstrate how to analyze web application code for exploitable flaws Copyright 2008 Eric Goldman - http://www.ericgoldman.name

12. Testbed Demonstration The following will show and explain the vulnerabilities in our web applications Video is embedded through SlideShare, or view at: youtube.com/watch?v=LPOitu2B9kk Copyright 2008 Eric Goldman - http://www.ericgoldman.name

14. Prevent SQL Injection attacks  On the “Secure Medical Database”, the authentication validation is performed by MySQL  The query should request the password for a given user, then compare to the submitted value in PHP  This methodology makes sure that all values are set and that the POST values are compared to values stored in the database  Enabling magic_quotes in the PHP configuration would prevent the injection from being processed Copyright 2008 Eric Goldman - http://www.ericgoldman.name

15. Prevent Brute Force Password Cracking  There is nothing in the script which prevents or limits a scripted attack on the password form  A captcha image would provide a unique variable for each login, severely complicating scripting  A lockout mechanism should also be coded, limiting possible logins per user or IP in a given time frame  A stronger password policy should be enforced, requiring longer passwords with greater complexity, greater length, and prohibition of dictionary words Copyright 2008 Eric Goldman - http://www.ericgoldman.name

16. Insufficient Data Validation  The “Digital Library” application has no data validation to prohibit information harvesting  Put the web server in a chroot “jail” to limit access to system files such as /etc/passwd  Write validation code to ensure that the address specified is an external web page  Do not print back the contents of a submitted article to the user Copyright 2008 Eric Goldman - http://www.ericgoldman.name

18. Presentation Summary  HIPAA is a federal law which protects patients medical information and records  HIPAA requires access control and role based authentication to records and resources  Secure coding techniques can prevent many common attacks through validation and variable conditioning  Web applications are highly vulnerable to scripting and automated attacks (and auditing tools) Copyright 2008 Eric Goldman - http://www.ericgoldman.name

19. Lessons Learned  Most attacks can be avoided with proper sanitization and code review  Applications should not depend on external sources (database, client side validation, etc) for validation  Minimize the amount of variability possible from user input  Build controls into scripts to limit attempts at hacking or automation Copyright 2008 Eric Goldman - http://www.ericgoldman.name

20. References  BioPassword, Inc.. (2006). Strong User Authentication and HIPAA Author. Retrieved Apr. 18, 2008, from http://www.biopassword.com/library/Strong_User_and_HIPAA.pdf  SHARON W. THORNTON. HENRICO INTERNAL AUDIT. (2006, Jan. 18). DETAILED AUDIT TESTING STEPS FOR HIPAA SECURITY RULE COMPLIANCE. HENRICO, VA: Retrieved Apr. 18, 2008, from http://www.co.henrico.va.us/audit/  P. M. (2003). HIPAA security regulations: Protecting patients’ electronic health information. The Journal of the American Dental Association, 134(5), 640-643. Retrieved May 5, 2008, from http://jada.ada.org/cgi/content/full/134/5/640  (2007, Dec. 10). Security Standards: Implementation for the Small Provider. HIPAA Security Series, 2(7), 1-12. Retrieved May 5, 1986, from http://www.cms.hhs.gov/EducationMaterials/Downloads/SmallProvider4final.pdf Copyright 2008 Eric Goldman - http://www.ericgoldman.name