guidelines for implementation. Therefore, with no clear direction, successfully achieving the requirements can be quite challenging.

While healthcare providers are undoubtedly attracted to participate in the HHS Meaningful Use programs for the financial benefits, many providers have not been able to capitalize on the opportunity. The Centers for Medicare & Medicaid Services (CMS) released a number of reports in June 2012 that detailed how the incentive programs had performed through May 2012 [6]. Based on the CMS reports, nationally only slightly better than 35% of all healthcare providers that have registered for the incentive programs are actually receiving the benefits of the Medicare program. Further, just over 50% are receiving benefits for the Medicaid program. With such a variance between the number of providers that have registered for the programs and those that have met the requirements, it is clear that EHR adoption and its related security are considerable challenges. HealthLeaders Media rated EHR adoption, specifically meeting MU requirements, the #8 issue for healthcare providers in the United States in 2011 [7]. Similarly, PricewaterhouseCoopers predicts that privacy and security, particularly as it relates to the sharing of medical data for coordination of service, is the #6 top issue faced by the healthcare community in 2012 [8]. This research aims to lessen those challenges by providing a comprehensive implementation guide for healthcare providers to follow to enable the secure, electronic exchange of EHR data. All aspects of security are addressed, including both strategic and operational aspects of the transmission process and how to test its effectiveness in order to complete the required Meaningful Use attestation.

3. EHR Security Implementation

Although all 3 EHR security areas have a certain amount of overlapping considerations, the actual transmission of ePHI is the primary focus of this research; storage and access are considered out of scope.

3.1. Network Segregation

How transmissions are secured depends on what network area they originate from and to which network area they are destined. The path the transmission takes varies the exposure that transmission has to interception and misdirection. This research addresses 4 primary network types:
o Green Internal LAN
o Orange Demilitarized Zone (DMZ)
o Blue Wireless LAN
o Red External LAN
Figure 1 (diagram): Healthcare provider network topology. The hospital data center (Internal LAN 1, DMZ, firewall, WAP) connects over the Internet, by VPN and by encrypted inbound and outbound connections, to a physician at home, a remote physician practice, a patient at home, a healthcare payer (insurance), and a state/federal agency (CMS).
The very first step in transmission security is to create a basic boundary protection layer within the organization's network topology. Protection through segregation or segmentation is a fundamental approach that is extremely effective. In fact, a data center's highest level of protection is provided at its network edges or boundaries [9]. Network segmentation is established by grouping the organization's physical connections by their relative security requirements and risks. By default, network segments should have no inter-connectivity. Based on operational needs, these restrictions can be modified to allow specific access between segments. A common and effective network segmentation technique is the creation of a DMZ. The DMZ is essentially the part(s) of the organization's network that is most exposed to both internal and external connections. As such, the connectivity between the DMZ network segment and the internal network segments should be at a bare minimum, as depicted in Figure 1. The National Institute of Standards and Technology (NIST) recommends that all publicly accessible systems, particularly web servers, be located in a DMZ and not in the Green networks where sensitive data is stored [10]. Therefore all publicly accessible systems are located in the DMZ, and only the DMZ is accessible directly by external hosts.

3.2. Wireless Connections

The nature of wireless connections creates unparalleled flexibility for connectivity with regard to physical location and power sources. Unfortunately, the same transmission medium that grants these benefits is inherently insecure, because there is no way to restrict where the transmission travels and therefore who can receive or intercept it. While measures are available to minimize wireless vulnerabilities, it should be regarded as an insecure medium and only used for such applications and services that are tolerant of the intrinsic risk. For those wireless access points (WAP) deemed necessary, a process should be established for documenting the location, range, and use of each access point. All wireless communications should use the IEEE 802.11i standard (WPA2), as it is the only wireless security standard whose encryption (AES-CCMP) is built on FIPS-approved cryptography, as recommended by NIST [12]. Only known, registered wireless hosts should have direct connectivity to internal network segments. The wireless access points should be on segregated networks similar to a DMZ. The location and placement of wireless access points should minimize the broadcast range of the SSID beyond the physical perimeter of the building and any other unnecessary locations, to minimize potential exposure [12].
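Section 3.2 asks for two things that can be checked mechanically: every WAP is documented, and every WAP uses 802.11i (WPA2 with AES-CCMP). The first validation test case in section 5 used AirCrack to discover WAPs still running WPA. The following added example, which is not from the paper or from the aircrack-ng project, audits an airodump-ng CSV export (the "<prefix>-01.csv" file written by airodump-ng -w) against both requirements: it flags open, WEP, WPA/TKIP and mixed-mode networks, and any BSSID that is missing from the access-point register. The CSV rows, BSSIDs, ESSIDs and the register are constructed for the example.

```python
import csv
import io

# Constructed airodump-ng CSV export. The column layout follows the tool's
# access-point section; the station section after the blank line is ignored.
# All addresses and names are made up for the example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2012-07-09 09:58:12, 2012-07-09 10:03:40,  6,  54, WPA2, CCMP, PSK, -41,  88,  0,   0.  0.  0.  0,   9, ClinicNet,
00:11:22:33:44:02, 2012-07-09 09:58:15, 2012-07-09 10:03:41, 11,  54, WPA, TKIP, PSK, -57,  73,  0,   0.  0.  0.  0,  12, PracticeWiFi,
00:11:22:33:44:03, 2012-07-09 09:58:20, 2012-07-09 10:03:39,  1,  54, WPA2WPA, CCMP TKIP, PSK, -63,  60,  0,   0.  0.  0.  0,   9, FrontDesk,
00:11:22:33:44:04, 2012-07-09 09:58:22, 2012-07-09 10:03:35,  3,  11, WEP, WEP, , -70,  45, 310,   0.  0.  0.  0,   7, Printer,
00:11:22:33:44:05, 2012-07-09 09:58:30, 2012-07-09 10:03:30,  6,  54, OPN, , , -80,  30,  0,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:01, 2012-07-09 09:59:00, 2012-07-09 10:03:00, -50,  120, 00:11:22:33:44:02, PracticeWiFi
"""

# Constructed access-point register (section 3.2: location, range and use of
# each WAP must be documented). Any BSSID seen on the air but absent here is
# treated as rogue.
REGISTERED = {
    "00:11:22:33:44:01": "Clinic, exam wing",
    "00:11:22:33:44:02": "Practice office, reception",
    "00:11:22:33:44:03": "Practice office, front desk",
}

def parse_access_points(text):
    """Return one dict per row of the AP section of an airodump-ng CSV."""
    ap_section = text.split("\n\n", 1)[0]
    reader = csv.DictReader(io.StringIO(ap_section), skipinitialspace=True)
    aps = []
    for row in reader:
        # strip header/value padding; drop the None key DictReader adds for
        # surplus columns and default missing trailing columns to ""
        aps.append({k.strip(): (v or "").strip() for k, v in row.items() if k})
    return aps

def classify(ap):
    """Only WPA2 with CCMP alone is compliant with the 802.11i / FIPS-approved
    cipher requirement; a mixed WPA2/WPA network still lets a client
    negotiate TKIP, so it is reported with the WPA networks."""
    privacy, cipher = ap["Privacy"], ap["Cipher"]
    if privacy == "OPN":
        return "open"
    if "WEP" in privacy:
        return "wep"
    if privacy == "WPA2" and cipher == "CCMP":
        return "compliant"
    return "weak-wpa"

def audit(text, registered=REGISTERED):
    """Return {bssid: (essid, finding)} for every AP that needs action."""
    findings = {}
    for ap in parse_access_points(text):
        bssid, finding = ap["BSSID"], classify(ap)
        if bssid not in registered:
            finding = "rogue/" + finding
        if finding != "compliant":
            findings[bssid] = (ap["ESSID"], finding)
    return findings

if __name__ == "__main__":
    for bssid, (essid, finding) in sorted(audit(SAMPLE_CSV).items()):
        print(f"{bssid}  {essid:<14} {finding}")
```

On the constructed data the clinic's own WPA2/CCMP network is silent, the two practice-office networks are reported as weak WPA (one of them because it is mixed mode), and the WEP printer and open guest network are both reported as unregistered. Running this after every survey, and diffing the result with the previous one, gives the repeatable wireless check that section 4 asks for.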
peripheral application, like Email, or the application being used is a home-grown application [14]. Internally developed applications and processes usually cannot scrutinize security implications to levels comparable with those of commercial software development companies. As such, it is highly recommended to use commercial applications for all activities involving ePHI transmissions. Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), and File Transfer Protocol (FTP) are the common protocols used to send ePHI data. All of these protocols have the capacity to use both unencrypted and encrypted connections (HTTPS, SMTP with STARTTLS, and FTPS). The HIPAA technical safeguards [1] address encryption of ePHI in transit under the transmission security standard (45 CFR 164.312(e)); the encryption specification is formally "addressable" rather than "required", but in practice it means ePHI should only be transmitted over an encrypted connection, regardless of the protocol.

Electronic mail (Email) is a very common peripheral application used by organizational users to transmit ePHI data. While Email was never designed to be a transmission vehicle for ePHI, its functionality lends itself to being an easy and convenient option for many users. Sending ePHI data via Email can be secure, but it introduces considerable complexity into an organization's security policies and practices. In order to ensure transmission security using Email, there are 2 basic tactics: policy and technology. Organizations should have policies about how ePHI transmissions should be performed. Data Loss Prevention (DLP) systems can be used to review all email transmissions and proactively take action, regardless of what users do, based on rules set up within the application. Ideally, the solution for most organizations should be a hybrid of both approaches. Users should be trained how to securely send ePHI and when it is appropriate to do so. The DLP system should serve as an oversight and enforcement system to satisfy compliance, liability, and legality concerns. When ePHI is transmitted via Email, digital signatures and encryption should be employed as a data integrity control measure. The DLP system can once again be used to verify that encryption and digital signatures are being used as appropriate by the users.

3.4. Intrusion Detection and Prevention Systems (IDPS)

Once the transmission medium has been secured and the method and protocols determined for how to safely move the data, the remaining aspect to address is the actual monitoring of the network for suspicious activities. IDPSs provide many tools and techniques to monitor and react to intrusion events, detect and mitigate attacks, and provide notification of unauthorized system use. An effective IDPS strategy utilizes both the delivered capabilities of the network devices and a stand-alone IDPS application. Monitoring and logging the network traffic and events is a requirement of providing adequate transmission security of ePHI. The monitoring should be able to respond automatically to detected events as appropriate. Logs should be retained for the appropriate length of time for non-repudiation and protected from alteration and deletion. Knowing what is happening on the network, as well as having the ability to research what has happened, is a critical component of providing a high degree of transmission security.

3.5. Usability Considerations

There are fundamental approaches to providing security that are effective across almost all environments. However, it is important to acknowledge that before making architectural decisions related to the technical aspects of transmission security, it is imperative that operational needs, functional and financial, be considered. It is easy for the technical staff tasked with the implementation of the HIPAA technical safeguards to lose sight of how the technology will actually be used in practice. If the chosen measures provide the appropriate levels of security but are impractical to use, the overall solution is ineffective. Further, in such cases the likelihood of both intentional and accidental misuse, as well as circumvention of the organization's security mechanisms entirely, will increase dramatically.

4. EHR Security Testing

There are considerable challenges to achieving adequate security for all ePHI transmissions in and out of a healthcare organization. Even after an organization feels an acceptable security level has been reached, it is paramount to verify that the security measures are functioning as expected. The very first step of any information security test is to define the actual security objectives for the systems, to establish an expected performance baseline. This stage is a good opportunity to review documentation, examine policies and procedures, and address any deficiencies. Once the security objectives have been defined, the next step is creating a test plan or methodology. An effective information security testing plan is easily repeatable. Repetition often allows many issues to be identified through comparative analysis of prior test results. Having a well documented and repeatable testing plan will also speed up the testing process, yield more consistent results, minimize the testing resources needed, and present less risk to the normal business operations of the organization [14].

There are two main testing techniques that this research has focused on with regard to EHR security: target identification and analysis; and target vulnerability validation. The first type of testing focuses on network discovery, port and service identification, and vulnerability scanning. The other group of testing methods includes penetration testing, password cracking, and application security testing. Unfortunately, there is no single, comprehensive test that can be used to validate all systems and services. This research has focused on consolidating the collection of necessary testing tools to create a comprehensive set of tests with the minimal amount of overlap. Further, the tests are preconfigured and automated to run consecutively and recursively, so the effort to conduct the testing is minimized.
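Section 3.3 above recommends a DLP system that reviews every outbound email, enforces the policy regardless of what the user does, and verifies that ePHI leaves only encrypted and signed. The following added example, which is not from the paper, shows the core decision of such a rule in Python: it parses an outbound message, treats an S/MIME enveloped (encrypted) message as compliant, scans the readable text of everything else for ePHI markers, and sends opaque S/MIME it cannot inspect to review. The SSN pattern is the usual nnn-nn-nnnn shape, the MRN-nnnnnnn medical record number format is hypothetical, and the four sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed ePHI markers. A production rule set would use the organization's
# own record identifiers and add context terms (diagnosis codes, dates of birth).
EPHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{7}\b"),   # hypothetical MRN format
}

# S/MIME content types (RFC 5751). application/pkcs7-mime carries an enveloped
# (encrypted) or opaque-signed body; multipart/signed carries readable content
# plus a detached signature, so a signed message can and must still be scanned.
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def is_encrypted(msg: Message) -> bool:
    return (msg.get_content_type() in PKCS7_MIME
            and msg.get_param("smime-type") == "enveloped-data")

def readable_text(msg: Message):
    """Yield decoded text from every text/* part, including text attachments."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is not None:
            yield payload.decode(part.get_content_charset() or "utf-8", errors="replace")

def find_ephi(msg: Message):
    """Names of the markers found anywhere in the readable text."""
    return {name for text in readable_text(msg)
            for name, pattern in EPHI_PATTERNS.items() if pattern.search(text)}

def ephi_markers(raw: str):
    return find_ephi(message_from_string(raw))

def dlp_verdict(raw: str) -> str:
    """allow  - encrypted, or nothing that looks like ePHI
       block  - ePHI in the clear (unencrypted, even if signed)
       review - opaque S/MIME that is not enveloped and cannot be inspected"""
    msg = message_from_string(raw)
    if is_encrypted(msg):
        return "allow"
    if msg.get_content_type() in PKCS7_MIME:
        return "review"
    return "block" if find_ephi(msg) else "allow"

# Constructed sample messages.
PLAIN_WITH_EPHI = """\
From: dr.smith@hospital.example
To: billing@payer.example
Subject: referral
Content-Type: text/plain; charset="utf-8"

Patient MRN-0012345, SSN 123-45-6789, needs prior authorization.
"""

PLAIN_WITHOUT_EPHI = """\
From: dr.smith@hospital.example
To: colleague@hospital.example
Subject: lunch
Content-Type: text/plain; charset="utf-8"

Cafeteria at noon?
"""

SIGNED_ONLY = """\
From: dr.smith@hospital.example
To: billing@payer.example
Subject: referral
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Patient MRN-0012345 results attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCA
--b1--
"""

# Placeholder base64 standing in for the CMS EnvelopedData body.
ENVELOPED = """\
From: dr.smith@hospital.example
To: billing@payer.example
Subject: referral
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""

if __name__ == "__main__":
    for label, raw in [("plain+ePHI", PLAIN_WITH_EPHI), ("plain", PLAIN_WITHOUT_EPHI),
                       ("signed-only", SIGNED_ONLY), ("enveloped", ENVELOPED)]:
        print(f"{label:<12} {dlp_verdict(raw)}")
```

The signed-but-unencrypted case is the one worth noticing: a signature gives integrity and non-repudiation, but the ePHI is still in the clear, so the rule blocks it. Enveloped messages pass because the DLP cannot read them; that is acceptable only if the gateway enforces that recipients' certificates are the organization's own issued ones, which is outside the scope of this check.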
Figure 2: Information security testing demonstration environment. An Internal LAN hosting Pen Test VM1 (Ubuntu 11.10) and Pen Test VM2 (Backtrack 5 R1), a DMZ, and an IPFire 2.11 firewall (firewall.test.com) separating both from the External LAN; internal penetration testing originates on the Internal LAN and external penetration testing on the External LAN.
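Section 3.1 requires that only the DMZ be reachable from the Red External LAN, and section 4 requires a repeatable test whose results can be compared with prior runs; in the environment of Figure 2 that is the external penetration test through the firewall, and the first validation test case in section 5 performs it with NMAP. The following added example, which is not from the paper or from the Nmap project, parses NMAP's grepable output (-oG) from a scan run on the External LAN, reports every open port that the expected-exposure policy does not permit, and diffs the inventory against the previous run's baseline. The addresses, host names, policy and scan lines are all constructed for the example.

```python
import re
from typing import Dict, Set, Tuple

# Constructed NMAP grepable (-oG) lines, as if produced by a scan of the
# hospital's public address range from the External LAN. Only the DMZ web
# server should be exposed; the third host models a firewall that leaks the
# internal database server's ports to the outside.
SAMPLE_SCAN = """\
# Nmap 6.01 scan initiated Mon Jul  9 10:02:11 2012 as: nmap -sS -oG ext.gnmap 203.0.113.0/28
Host: 203.0.113.10 (www.dmz.example)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh///, 161/open/udp//snmp///
Host: 203.0.113.12 (db.internal.example)\tPorts: 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///
# Nmap done at Mon Jul  9 10:04:40 2012 -- 16 IP addresses (3 hosts up) scanned in 149.33 seconds
"""

Inventory = Dict[str, Set[Tuple[int, str]]]

# Constructed expected-exposure policy: host -> (port, proto) pairs the firewall
# may expose to the External LAN. Hosts absent from the policy must expose
# nothing at all (the default-deny rule of section 3.1).
ALLOWED: Inventory = {
    "203.0.113.10": {(443, "tcp")},
}

PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)/")

def parse_gnmap(text: str) -> Inventory:
    """Return {ip: {(port, proto), ...}} for every open port in -oG output."""
    inventory: Inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment and summary lines
        ip = line.split()[1]
        ports = inventory.setdefault(ip, set())
        ports_field = line.split("Ports:", 1)[1] if "Ports:" in line else ""
        for port, _state, proto in PORT_RE.findall(ports_field):
            ports.add((int(port), proto))
    return inventory

def segmentation_violations(inventory: Inventory, allowed: Inventory = ALLOWED) -> Inventory:
    """Open ports reachable from the scan origin that the policy does not permit."""
    return {ip: ports - allowed.get(ip, set())
            for ip, ports in inventory.items() if ports - allowed.get(ip, set())}

def diff_inventory(previous: Inventory, current: Inventory):
    """(newly exposed, no longer exposed) relative to the prior test run."""
    hosts = set(previous) | set(current)
    added = {h: current.get(h, set()) - previous.get(h, set()) for h in hosts}
    removed = {h: previous.get(h, set()) - current.get(h, set()) for h in hosts}
    return ({h: p for h, p in added.items() if p}, {h: p for h, p in removed.items() if p})

if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_SCAN)
    for ip, extra in sorted(segmentation_violations(inv).items()):
        print("VIOLATION", ip, sorted(extra))
    baseline: Inventory = {"203.0.113.10": {(443, "tcp")}}   # constructed prior run
    added, removed = diff_inventory(baseline, inv)
    print("newly exposed since baseline:", added)
```

Port 80 on the DMZ web server is reported because the policy permits only 443, matching the first test case's finding that only SSL connections should be accepted for HTTP traffic. The database server appearing in an external scan at all is the failure NMAP and AMAP were used to rule out in section 5: the Green network is reachable from the Red one.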
channels, Bluetooth, and a general radio frequency (RF) spectrum analyzer [14]. Some sophisticated wireless scanners have mapping utilities and support Global Positioning System (GPS) mapping. Identified hosts are further examined using a port scanner to see which ports appear open, what services are running on those ports, and what OS the hosts are running. The next step is to perform vulnerability scanning. Vulnerability scanners can identify out-of-date software, missing patches, and misconfigurations, and suggest mitigations for the issues found. The vulnerability scanning effort does have a number of limitations and weaknesses that are important to recognize. First, vulnerability scanning is similar to virus scanning in the sense that it relies on a repository of signatures; therefore it can only detect documented issues and requires frequent updating of the repository. Secondly, it tends to have a high false positive rate and requires a fairly experienced networking and OS security individual to effectively interpret the results. These conditions limit the scanning process, since there are significant portions that cannot be automated and are labor intensive. At the conclusion of vulnerability scanning, the first phase of testing will have generated a comprehensive report of all connected systems and pertinent information, including OS, active services, and the vulnerabilities they possess.

4.2. Target Vulnerability Validation

The next stage continues to search for additional vulnerabilities and demonstrates the risks created when they are exploited. The first type of testing performed is penetration testing. This testing simulates real-world attacks by showing how the system, application, or network will respond to an actual attack. Penetration testing can also help provide information about how to detect an attack, how to respond appropriately, and how to create effective countermeasures. Unfortunately, penetration testing is very labor intensive, similar to vulnerability scanning. Likewise, it requires someone with considerable skill to perform the testing successfully without damaging the targeted systems. Following penetration testing, a series of password cracking tests should be performed. Password attacks have a few general approaches: dictionary attacks, brute force, and rainbow table attacks. In most cases, password cracking is performed by obtaining the hash of the actual password and then using a variety of approaches to generate a matching hash, thus discovering the actual password. Unlike penetration testing, password cracking can usually be performed offline with little to no impact on the target system, network, or application. The purpose of password cracking is to identify how susceptible password policies are to being compromised. If passwords are determined to be too weak, their entropy can be increased accordingly.

VM1: Ubuntu 11.10 - http://www.ubuntu.com/
  Nessus 5.0 - Vulnerability Scanning - http://www.tenable.com/products/nessus

VM2: BackTrack 5 R2 - http://www.BackTrack-linux.org/
  THC-Hydra - Password Cracking - http://www.thc.org/thc-hydra
  w3af - Web Application Testing (White box, Black box) - http://w3af.sourceforge.net/
  NMAP - Network Enumeration and Port Scanning - http://nmap.org
  THC-AMAP - Protocol Detection - http://www.thc.org/thc-amap/
  Enum4Linux - Windows Enumeration - http://labs.portcullis.co.uk/application/enum4linux/
  OneSixtyOne - SNMP Scanning - http://www.phreedom.org/software/onesixtyone/
  Bluediving - Bluetooth Penetration Testing - http://bluediving.sourceforge.net/
  AirCrack - Wireless Penetration Testing - http://www.aircrack-ng.org/
  Swaks - SMTP Testing - http://www.jetmore.org/john/code/swaks/
  SSLScan - Encryption Testing - http://sourceforge.net/projects/sslscan/

Table 1: Security testing VM configurations

The final type of testing performed is directed specifically at the applications that collect, interact with, or transmit ePHI data. Application testing should involve both white box and black box approaches. White box testing uses an insider approach, with attacks and tests performed assuming a working understanding of how the application works. Black box testing takes the opposite approach, as it assumes the attacker is external and has no knowledge of the application. Both types of tests should include injection attacks, data corruption attempts, and attempted misuse of the application outside of published policies and procedures. The vulnerability validation testing phase is used to evaluate systems during actual use. The more realistic the conditions in which the tests are performed, the more beneficial the results of the tests will be in identifying potential risks.

5. Research Validation

In order to verify the effectiveness of this research, it was vital that both the EHR transmission security guide and the security testing tools be employed in an actual healthcare environment. Using the fully functional testing environment shown in Figure 2, a partnering HIMSS Stage 6 [15] hospital served as the subject for conducting validation of the proposed research. The tester VMs were replicated and
integrated into the hospital's environment. A battery of tests that simulated ePHI data transmissions was then conducted in the hospital's test environment. Numerous high and medium level vulnerabilities were identified. The tests involved standalone scans using each tool as well as business process testing. While each component of an IT environment should be tested individually, it is also important to examine entire processes. Process testing verifies that each individual technology component is being used appropriately during normal business practices. It is possible that not all security capabilities of each component are actually employed in practice. Additionally, exceptions may have been built in to processes that circumvent the safeguards the components could normally exert. There were 2 specific business processes that received extra scrutiny during the security testing: authentication into an EHR from a remote physician practice; and entering ePHI into the EHR system from a remote physician practice. The partnering hospital has many physicians that have offsite private practice locations in addition to their facilities at the hospital campus. As such, the hospital wants its physicians' access and functionality to be ubiquitous but uniformly secure.
Figure 3 (diagram): Information flow for remote authentication into the EHR. A healthcare provider laptop in the remote office (network segment) submits credentials over a WPA2 WAP (network device, encrypted wireless connection; tested with AirCrack), through the hospital networks' firewall (network device; tested with NMAP and AMAP), after which EHR access is granted.
In the first test case, authenticating into the EHR system remotely, the fundamental control was the credentials required by the EHR system itself. However, by modeling the information flow (Figure 3), there were in fact a significant number of other controls present in the transaction that required testing. This scenario simulated a physician connecting to the EHR system using their laptop in their private practice location. The transmission encryption used by the wireless access points (WAP) was the first control mechanism. Using AirCrack, it was quickly determined that many of the WAPs within the physician practice offices were using the original WPA encryption scheme. WPA has been repeatedly proven vulnerable to attacks, and there are tools readily available to compromise its encryption. The recommendation was to use the 802.11i standard with FIPS-approved encryption, i.e. WPA2 with AES-CCMP. The hospital and remote locations were able to quickly respond to this finding and change all WAPs to use WPA2 encryption, thereby mitigating this risk. The testing then followed the transmission path from the WAP to the main hospital network and the next control mechanism: the network firewall. The firewall routed the transmission to the EHR system's web server, which was located in the hospital's demilitarized zone (DMZ). Using NMAP and AMAP, it was determined that the firewall was properly segmenting the internal network, which holds the EHR database, from external networks. Further, the firewall was properly routing transmissions to the web server located in the DMZ. This series of tests also verified that the EHR system was properly configured with a 2-tier architecture in which the web server and database server reside on separate physical servers, on segregated network segments. The next control point was the HTTP encryption used by the web servers. The presence and type of SSL ciphers used by the web servers were examined using SSLScan. The tests concluded that
only SSL connections were allowed for HTTP traffic and 1024-bit SSL certificates were being used, which was an acceptable level at the time of testing; note that NIST's key management guidance [13] allows 1024-bit RSA only through 2013, so 2048-bit certificates should be used going forward. The transmission of the credentials was then forwarded by the web server to the EHR database for validation. This control point was tested by examining the EHR application, eClinicalWorks, to verify it was indeed accepting valid credentials and rejecting invalid credentials. As part of the credential validation, not only was the username and password pair examined for accuracy, but also integrity checks such as password expiration, prior invalid authentication attempts by the same user, and data/application authorization were performed. Additionally, this control point was tested using THC-Hydra, a password cracking tool, to verify that the configured password entropy was acceptable. After running extended tests using THC-Hydra, a number of passwords were compromised, thus demonstrating that passwords with weak complexity were present. The organization was able to quickly respond to the finding and implement complexity controls that met the NIST guidelines for password entropy. Another issue discovered that raised special concern was that the EHR system did not differentiate how authentication was managed directly to the database or within the application. Direct database access should be extremely restricted, for administrative activities only. The organization was able to quickly remedy this issue. At this point all controls were satisfied in the information flow and access was granted to the EHR system. Subsequently, the HTTP rendering of the EHR application was transmitted back to the user from the web server, following the same transmission path as the inbound request.
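Section 4.2 closes with the note that passwords found to be too weak should have their entropy increased, and the first test case above ends with complexity controls that met the NIST guidelines for password entropy. The following added example, which is not from the paper, implements the per-character entropy schedule that NIST SP 800-63-1 Appendix A (Table A.1) gives for user-chosen passwords and wraps it in a policy check of the kind such a control enforces. The 30-bit minimum and the denylist are assumed policy parameters for the example, not figures from the paper or from NIST, and the appendix's separate dictionary-check bonus is deliberately replaced by a plain denylist rejection.

```python
import string

# Per-character schedule for user-chosen passwords from NIST SP 800-63-1,
# Appendix A: 4 bits for the first character, 2 bits each for characters 2-8,
# 1.5 bits each for characters 9-20, 1 bit each beyond 20, plus a 6-bit bonus
# when the policy requires both upper case and non-alphabetic characters.
# The appendix's "extensive dictionary check" bonus (up to 6 bits) is not
# modelled; a denylist rejection is applied instead.

def guessing_entropy_bits(length: int, composition_rule: bool) -> float:
    if length <= 0:
        return 0.0
    bits = 4.0                                     # first character
    bits += 2.0 * min(length - 1, 7)               # characters 2-8
    bits += 1.5 * max(0, min(length - 8, 12))      # characters 9-20
    bits += 1.0 * max(0, length - 20)              # characters 21+
    if composition_rule:
        bits += 6.0
    return bits

# Assumed policy threshold for the example (not from the paper or from NIST);
# set it from the assurance level the organization targets.
MIN_BITS = 30.0
# Constructed denylist standing in for the dictionary check. Candidates are
# lower-cased and stripped of trailing digits first, so "Hospital2012" is
# still caught.
DENYLIST = {"password", "welcome", "hospital", "letmein", "summer"}

def satisfies_composition(pw: str) -> bool:
    return (any(c.isupper() for c in pw)
            and any(c not in string.ascii_letters for c in pw))

def evaluate(pw: str, composition_rule: bool = True):
    """Return (accepted, estimated_bits, reason) for a candidate password."""
    if pw.lower().rstrip(string.digits) in DENYLIST:
        return (False, 0.0, "dictionary word")
    if composition_rule and not satisfies_composition(pw):
        return (False, guessing_entropy_bits(len(pw), False), "composition rule not met")
    bits = guessing_entropy_bits(len(pw), composition_rule)
    if bits < MIN_BITS:
        return (False, bits, "below minimum entropy")
    return (True, bits, "ok")

if __name__ == "__main__":
    for candidate in ["Welcome1", "exampassword", "Rx-tray_4b", "Clinic-wing3-pager!"]:
        print(f"{candidate:<22} {evaluate(candidate)}")
```

The schedule makes the trade-off visible: an 8-character password under a composition rule is estimated at 24 bits, and each further character adds only 1.5 bits, so a 30-bit floor forces either length or the composition bonus. The estimate is a guessing-entropy heuristic, not a measurement; offline cracking with THC-Hydra or a hash cracker against the real password store, as done in the test case, remains the check that the estimate is not too optimistic for the user population.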
Figure 4 (diagram): Information flow for entering ePHI into the EHR from a remote office. The transmission passes from the remote office (network segment) through the hospital networks' firewall (network device; tested with NMAP and AMAP) to the eClinicalWorks web server in the DMZ (network segment; tested with SSLScan and w3af), where application authorizations and access permissions are verified, and then to the eClinicalWorks database server on the Internal LAN (network segment; tested with sqlmap), where the ePHI data is captured.
The second test case, Figure 4, was focused specifically on the action of adding, editing, or deleting ePHI from a remote location. This scenario assumed the authentication event had already occurred and the physician had already been granted access to the EHR application. The significant difference between the first and second case is that the data flow in this scenario was inbound instead of outbound. The objectives of the NMAP, AMAP, and SSLScan tests were identical to the first test case, as were the findings and mitigating actions. Different from the first case, this scenario included a series of white box and black box tests using w3af. These tests of the web server control point were aimed at discovering flaws in the application's design that would allow a user to gain unauthorized access to functionality or data within the application. The w3af tests found no evident exploits or vulnerabilities in eClinicalWorks, a certified EHR application; certification by itself is not evidence of the absence of flaws, and the conclusion rests on the tests that were run. The next control mechanism was the security framework of the application, where permissions and authorizations define what data each individual can access and what activities they can perform. These tests consisted of making sure that the actual permissions set up for users and groups matched what was intended. There was also an examination of whether data and functionality access was minimized as much as operationally possible. This analysis discovered numerous cases where users had privileges to view/add/edit/delete data, run reports, and alter application parameters although these abilities were not needed to perform their routine job duties. With these findings, the organization was able to quickly restructure certain security groups within the EHR application to ensure privileges were only granted as necessary for staff to perform their jobs. After the application authorizations were verified, the last control point was within the EHR database. The
database control point verifies that the data to be entered is properly formatted and of the proper data type. Using the sqlmap tool, the database was tested for unauthorized access, privilege escalation, and data integrity. Once again, no evident exploits or vulnerabilities were found in the eClinicalWorks database. With the data integrity verified, all controls were satisfied and the data was committed to the EHR database. Some other, less complex business processes were similarly tested. Following these process tests and the individual tool scans, a comprehensive mitigation strategy and implementation plan was submitted to the organization. This plan assisted the partner hospital in implementing the necessary security safeguards required by HIPAA and the Meaningful Use objectives. Ultimately, the evaluation and corrective actions allowed the organization to meet the Meaningful Use Stage 1 attestation requirements and become eligible for the program's incentive payments.

6. Conclusions

The exchange of electronic health records promises immense benefits for healthcare providers and individuals alike. This ability offers vast possibilities for collaborative and integrated partnerships between healthcare providers and patients. The challenge of ensuring security and privacy is critical to the success of this collaboration. Further, securely transmitting ePHI to patients, other providers, payers, and/or government bodies is required for healthcare providers to meet compliance regulations such as HIPAA and the Meaningful Use objectives. This research provides a comprehensive roadmap for healthcare providers to satisfy these requirements. Additionally, the suite of tools and the security testing plan facilitate the evaluation of an organization's systems and provide the basis for attestation. The contributions of this research have been demonstrated at a national healthcare provider. The organization's security and privacy have been dramatically improved, and it ultimately completed Meaningful Use Stage 1 attestation.

7. References

[1] United States. National Archives and Records Administration. (1996). Title 45 Public Welfare, Subtitle A Department of HHS, Part 164 Security and Privacy, retrieved April 2012, http://www.access.gpo.gov/nara/cfr/waisidx_07/45cfr164_07.html.
[2] Blumenthal, D., & Tavenner, M. (2010). The Meaningful Use Regulation for Electronic Health Records. New England Journal of Medicine, 363, 501-504. doi:10.1056/NEJMp1006114.
[3] United States. Department of Health and Human Services. CMS EHR Meaningful Use Overview, retrieved June 2012, https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html.
[4] HIMSS. (2012). Electronic Health Record (EHR), last accessed May 2012, http://www.webcitation.org/6A1XNUubm.
[5] United States. Department of HHS. The Office of the National Coordinator for Health Information Technology. (2011). Incentive Programs for EHRs, retrieved June 2012, http://healthit.hhs.gov/portal/server.pt/community/healthit_hhs_gov__incentive_programs_for_electronic_health_records_%28ehrs%29/3355.
[6] United States. Department of HHS. CMS. (2012). Data and Reports, retrieved July 2012, https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/DataAndReports.html.
[7] Clark, C. (2011). Top 10 Healthcare Quality Issues for 2011. HealthLeaders Media, retrieved June 2012, http://www.webcitation.org/6A1XB4Hc3.
[8] PricewaterhouseCoopers Health Research Institute. (2011). Top Health Industry Issues of 2012, retrieved May 2012, http://www.webcitation.org/6A1Wzsrlj.
[9] Gibbs, M. & Quillen, H. (2007). The Medical-Grade Network: Helping Transform Healthcare, retrieved August 2012, http://www.webcitation.org/6A1Wip07P.
[10] United States. Department of Commerce. NIST. (2007). Guidelines on Securing Public Web Servers (SP 800-44 Version 2), retrieved June 2012, http://csrc.nist.gov/publications/nistpubs/800-44-ver2/SP800-44v2.pdf.
[11] United States. Department of Commerce. NIST. (2009). Guidelines on Firewalls and Firewall Policy (SP 800-41 Rev. 1), retrieved June 2012, http://csrc.nist.gov/publications/nistpubs/800-41-Rev1/sp800-41-rev1.pdf.
[12] United States. Department of Commerce. NIST. (2012). Guidelines for Securing Wireless Local Area Networks (WLANs) (SP 800-153), retrieved June 2012, http://csrc.nist.gov/publications/nistpubs/800-153/sp800-153.pdf.
[13] United States. Department of Commerce. NIST. (2011). Recommendation for Key Management, Part 1: General (SP 800-57 Rev. 3, draft), retrieved December 2011, http://csrc.nist.gov/publications/drafts/800-57/Draft_SP800-57-Part1-Rev3_May2011.pdf.
[14] United States. Department of Commerce. NIST. (2008). Technical Guide to Information Security Testing and Assessment (SP 800-115), retrieved June 2012, http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf.
[15] HIMSS Analytics. (2011). EMR Adoption Model, last accessed November 2011, http://www.webcitation.org/6A1XGCtkJ.