
Auditing web servers for HIPAA compliance - §164.312(a)(1)


This presentation provides an overview of HIPAA (Health Insurance Portability and Accountability Act) from a technical standpoint and of the requirements it places upon a business, focusing on HIPAA § 164.312(a)(1). To demonstrate those requirements, a test environment was built and some intentionally vulnerable application mock-ups were created to show what an auditor needs to look for, why the law requires this, and how to address such issues. The testbed demonstration also provides a good primer on SQL injection, password cracking, and file inclusion vulnerabilities, and the presentation steps through many of these aspects in detail. The demonstration is embedded from YouTube and is available in higher quality there. The presentation concludes with some hints and lessons learned through the process. More information on this presentation, the demo, and related materials is available at http://www.ericgoldman.name



2. Agenda
   I. Overview of HIPAA
   II. In-depth Analysis of Section 164.312(a)(1)
   III. Introduction to Testbed
   IV. Auditing Procedures
   V. Testbed Demonstration
   VI. Making the Testbed Compliant
   VII. Summary
   VIII. Lessons Learned
   IX. References
   Copyright 2008 Eric Goldman - http://www.ericgoldman.name

3. HIPAA
   The Health Insurance Portability & Accountability Act
   US Federal Law, Enacted 1996

4. Overview of HIPAA
   - Enacted to create a national standard for protecting patients' private health information
   - Requires healthcare entities that use electronic processing to comply with standard forms & codes
   - Requires the implementation of new safeguards to protect stored information and medical records
   - Compliance is enforced by auditing, and heavy penalties can be levied for non-compliance

5. Section 164.312(a)(1)
   - HIPAA is a comprehensive law which affects both technical and non-technical aspects of healthcare
   - The HIPAA Security Rule consists of three sections: Administrative, Physical, & Technical Safeguards
   - Section 164.312(a)(1) is a technical safeguard which deals with access control, and is a required part of the HIPAA standard

6. Section 164.312(a)(1)
   The Policy Statement for this section is as follows:
   "Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4)."

7. The Testbed
   An emulation of a Hospital Intranet Web Server

8. Introduction to Testbed
   - Testbed was created and deployed in a virtual machine (VMware)
   - Operating System: Ubuntu Linux Server 7.10
   - HTTP Server: Apache 2.2.4
   - Database: MySQL 5.0.45
   - Web Application Language: PHP 5.2.3
   - Applications were written from scratch to emulate real-world situations on a hospital's intranet server

9. Introduction to Testbed
   Two applications were written for this Testbed:
   - Secure Medical Database: An HTML login form used to log in to one of the hospital's record systems. Uses the POST method for submission and retrieves records from the MySQL database.
   - Digital Library: A web form to submit medical articles found on the Internet for cataloguing by the hospital librarian. Uses the POST method and the PHP file_get_contents() function.

10. Auditing Procedures
   - For this testbed, a blind audit was not assumed. Attacks were crafted to take advantage of visible flaws in the source code of the applications.
   - Most attacks were performed manually, using certain input values in order to audit for a given weakness. For the demo, JavaScript was used to fill in the forms for each demonstration.
   - In order to test password strength, a custom Perl script was written. Similar results could be obtained with AppScan, Brutus, AccessDiver, etc.

11. Auditing Procedures
   - The exploits chosen for each web application were developed in order to demonstrate common coding practices which should be considered insecure
   - The exploits in this demonstration are focused on the actual end-user web application and not the services or programs which execute the code and serve the pages
   - The goal is to demonstrate how to analyze web application code for exploitable flaws

12. Testbed Demonstration
   The following will show and explain the vulnerabilities in our web applications.
   Video is embedded through SlideShare, or view at: youtube.com/watch?v=LPOitu2B9kk

13. Meeting Compliance
   Suggestions to improve the web applications to ensure compliance with HIPAA
14. Prevent SQL Injection attacks
   - On the "Secure Medical Database", the authentication validation is performed by MySQL
   - The query should request the password for a given user, then compare it to the submitted value in PHP
   - This methodology makes sure that all values are set and that the POST values are compared to values stored in the database
   - Enabling magic_quotes in the PHP configuration would prevent the injection from being processed
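An added example (not the presentation's testbed code) of the login pattern this slide recommends, written in PHP with mysqli: the query fetches only the stored credential for the submitted username through a prepared statement, and the comparison happens in PHP. The table and column names, the database credentials, and the use of password_verify() (PHP 5.5+) are assumptions.

```php
<?php
// Added example (not the presentation's testbed code): the login pattern slide 14
// recommends. Table and column names are assumed; password_verify() needs PHP 5.5+.

// BEFORE: the pattern the testbed demonstrates. MySQL decides whether the login
// succeeds, and the raw POST values are spliced into the SQL text, so a value such
// as  ' OR '1'='1  in either field makes the WHERE clause true for every row.
function vulnerable_login(mysqli $db, string $user, string $pass): bool {
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    $result = $db->query($sql);
    return $result !== false && $result->num_rows > 0;
}

// AFTER: the query fetches only the stored credential for the given username,
// the username travels as a bound parameter, and PHP performs the comparison.
// Every value is therefore set before anything is compared, as the slide requires.
function safe_login(mysqli $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $storedHash = null;
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();
    if ($found !== true || $storedHash === null) {
        return false;                        // unknown user: no row, nothing to compare
    }
    return password_verify($pass, $storedHash);   // constant-time check of a bcrypt hash
}

// Note: magic_quotes_gpc (mentioned on the slide) was removed in PHP 5.4, so the
// prepared statement, not an INI setting, is the fix that keeps working.
$db = new mysqli('localhost', 'webapp', 'db-password', 'hospital');   // assumed credentials
$ok = safe_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
```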
15. Prevent Brute Force Password Cracking
   - There is nothing in the script which prevents or limits a scripted attack on the password form
   - A captcha image would provide a unique variable for each login, severely complicating scripting
   - A lockout mechanism should also be coded, limiting possible logins per user or IP in a given time frame
   - A stronger password policy should be enforced, requiring longer passwords, greater complexity, and a prohibition of dictionary words
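An added example (not from the presentation) of the lockout mechanism this slide calls for: failed logins are counted per username and per client IP inside a sliding time window, and a locked key is refused before the database is consulted. The class name, the limits (5 attempts per 15 minutes) and the in-memory storage are assumptions; a real deployment backs the same logic with the database or a cache so counters persist across requests.

```php
<?php
// Added example (not from the presentation): lockout per user and per IP as slide 15
// recommends. Limits and the in-memory storage are assumptions for illustration.
class LoginThrottle {
    private array $failures = [];   // key => list of failure timestamps

    public function __construct(private int $maxAttempts = 5, private int $windowSeconds = 900) {}

    // Drop failures that fall outside the sliding window for one key.
    private function prune(string $key, int $now): void {
        $cutoff = $now - $this->windowSeconds;
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key] ?? [],
            fn (int $t) => $t > $cutoff
        ));
    }

    // True when either the account or the source address has used up its attempts,
    // so a distributed guess against one account and a single host spraying many
    // accounts are both stopped.
    public function isLocked(string $user, string $ip, ?int $now = null): bool {
        $now ??= time();
        foreach (["user:$user", "ip:$ip"] as $key) {
            $this->prune($key, $now);
            if (count($this->failures[$key]) >= $this->maxAttempts) {
                return true;
            }
        }
        return false;
    }

    public function recordFailure(string $user, string $ip, ?int $now = null): void {
        $now ??= time();
        foreach (["user:$user", "ip:$ip"] as $key) {
            $this->failures[$key][] = $now;
        }
    }

    public function recordSuccess(string $user): void {
        unset($this->failures["user:$user"]);   // a good login clears the account counter
    }
}

// Usage at the top of the login handler (the credential check itself lives elsewhere):
$throttle = new LoginThrottle();
$user = $_POST['username'] ?? '';
$ip   = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if ($throttle->isLocked($user, $ip)) {
    http_response_code(429);               // refuse without touching the database
    exit('Too many login attempts; try again later.');
}
```

Call recordFailure() after a rejected credential check and recordSuccess() after an accepted one; the IP counter is deliberately left in place on success so a host that guesses one account correctly does not regain a fresh budget for the others.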
16. Insufficient Data Validation
   - The "Digital Library" application has no data validation to prohibit information harvesting
   - Put the web server in a chroot "jail" to limit access to system files such as /etc/passwd
   - Write validation code to ensure that the address specified is an external web page
   - Do not print back the contents of a submitted article to the user
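An added example (not from the presentation) of the validation this slide asks for on the "Digital Library" form: only an http(s) URL with a resolvable public host is accepted, so local paths, file:// and php:// wrappers, and loopback or private addresses never reach file_get_contents(), and the fetched body is stored for the librarian rather than echoed back. The function names, the storage layout and the 5-second timeout are assumptions.

```php
<?php
// Added example (not from the presentation): validate that a submitted address is an
// external web page before fetching it, per slide 16. Function names are our own.
function is_external_web_page(string $address): bool {
    $parts = parse_url($address);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;                       // "/etc/passwd" has neither scheme nor host
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                       // rejects file://, php://, ftp://, data:
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                       // no credentials smuggled inside the URL
    }
    $host = $parts['host'];
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $ip = $host;
    } else {
        $ip = gethostbyname($host);         // IPv6 literals ("[::1]") fail closed here
        if ($ip === $host) {
            return false;                   // gethostbyname returns its input on failure
        }
    }
    // Require a routable public address: no 127.0.0.0/8, 10/8, 172.16/12,
    // 192.168/16, 169.254/16 or other reserved ranges.
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Fetch for cataloguing only; the body is written to the librarian's queue and is
// never printed back to the submitter. Redirects are not followed, so a public host
// cannot bounce the request to an internal one after validation has passed.
function catalogue_article(string $address, string $storageDir): bool {
    if (!is_external_web_page($address)) {
        return false;
    }
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $body = @file_get_contents($address, false, $ctx);
    if ($body === false) {
        return false;
    }
    $name = $storageDir . '/' . hash('sha256', $address) . '.html';   // assumed layout
    return file_put_contents($name, $body) !== false;
}

// Usage in the submission handler (storage directory is assumed):
$accepted = catalogue_article($_POST['article_url'] ?? '', '/var/lib/library/queue');
```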
17. Summary
   Presentation Review, Lessons Learned, References

18. Presentation Summary
   - HIPAA is a federal law which protects patients' medical information and records
   - HIPAA requires access control and role-based authentication to records and resources
   - Secure coding techniques can prevent many common attacks through validation and variable conditioning
   - Web applications are highly vulnerable to scripting and automated attacks (and auditing tools)

19. Lessons Learned
   - Most attacks can be avoided with proper sanitization and code review
   - Applications should not depend on external sources (database, client-side validation, etc.) for validation
   - Minimize the amount of variability possible from user input
   - Build controls into scripts to limit attempts at hacking or automation

20. References
   - BioPassword, Inc. (2006). Strong User Authentication and HIPAA. Author. Retrieved Apr. 18, 2008, from http://www.biopassword.com/library/Strong_User_and_HIPAA.pdf
   - Thornton, S. W., Henrico Internal Audit. (2006, Jan. 18). Detailed Audit Testing Steps for HIPAA Security Rule Compliance. Henrico, VA. Retrieved Apr. 18, 2008, from http://www.co.henrico.va.us/audit/
   - P. M. (2003). HIPAA security regulations: Protecting patients' electronic health information. The Journal of the American Dental Association, 134(5), 640-643. Retrieved May 5, 2008, from http://jada.ada.org/cgi/content/full/134/5/640
   - (2007, Dec. 10). Security Standards: Implementation for the Small Provider. HIPAA Security Series, 2(7), 1-12. Retrieved May 5, 1986, from http://www.cms.hhs.gov/EducationMaterials/Downloads/SmallProvider4final.pdf