Auditing web servers for HIPAA compliance - §164.312(a)(1)

AUDITING WEB SERVERS
FOR HIPAA COMPLIANCE
HIPAA § 164.312(a)(1)

Agenda
I. Overview of HIPAA
II. In-depth Analysis of Section 164.312(a)(1)
III. Introduction to Testbed
IV. Auditing Procedures
V. Testbed Demonstration
VI. Making the Testbed Compliant
VII. Summary
VIII. Lessons Learned
IX. References
Copyright 2008 Eric Goldman - http://www.ericgoldman.name

HIPAA
The
Health Insurance Portability & Accountability Act

US Federal Law, Enacted 1996


Overview of HIPAA
 Enacted to create a national standard for
protecting patients’ private health information
 Requires healthcare entities that use electronic
processing to comply with standard forms & codes
 Requires the implementation of new safeguards to
protect stored information and medical records
 Compliance is enforced by auditing and heavy
penalties can be levied for non-compliance


Section 164.312(a)(1)
 HIPAA is a comprehensive law which effects both
technical and non-technical aspects of healthcare
 The HIPAA Security Rule consists of three sections:
Administrative, Physical, & Technical Safeguards
 Section 164.312(a)(1) is a technical safeguard
which deals with access control, and is a required
part of the HIPAA standard


Section 164.312(a)(1)
The Policy Statement for this section is as follows:

Standard: Access control. Implement technical policies
and procedures for electronic information systems
that maintain electronic protected health
information to allow access only to those persons or
software programs that have been granted access
rights as specified in Sec. 164.308(a)(4).


The Testbed
An emulation of a Hospital Intranet Web Server


Introduction to Testbed
 Testbed was created and deployed in virtual
machine (VMWARE)
 Operating System: Ubuntu Linux Server 7.10
 HTTP Server: Apache 2.2.4
 Database: MySQL 5.0.45
 Web Application Language: PHP 5.2.3
 Applications were written from scratch to emulate
real world situations on a hospital’s intranet server


Introduction to Testbed
Two applications were written for this Testbed
 Secure Medial Database: A HTML login form used

to login to one of the hospital’s record systems. Uses
POST method for submission and retrieves records
from MySQL database.
 Digital Library: A web form to submit medical

articles found on the Internet for cataloguing by the
hospital librarian. Uses POST method and PHP
file_get_contents() function.


Auditing Procedures
 For this testbed, a blind audit was not assumed.
Attacks were crafted to take advantage of visible
flaws in the source code of the applications.
 Most attacks were performed manually, using
certain input values in order to audit for a given
weakness. For the demo, JavaScript was used to fill
in the forms for each demonstration.
 In order to test password strength, a custom Perl
script was written. Similar results could be obtained
with AppScan, Brutus, AccessDiver, etc.

Auditing Procedures
 The exploits chosen for each web application were
developed in order to demonstrate common coding
practices which should be considered insecure
 The exploits in this demonstration are focused on
the actual end user web application and not the
services or programs which execute the code and
serve the pages
 The goal is to demonstrate how to analyze web
application code for exploitable flaws


Testbed Demonstration
The following will show and explain the
vulnerabilities in our web applications

Video is embedded through SlideShare,
or view at:


Meeting Compliance
Suggestions to improve the web applications to
ensure compliance with HIPAA


Prevent SQL Injection attacks
 On the “Secure Medical Database”, the
authentication validation is performed by MySQL
 The query should request the password for a given
user, then compare to the submitted value in PHP
 This methodology makes sure that all values are set
and that the POST values are compared to values
stored in the database
 Enabling magic_quotes in the PHP configuration
would prevent the injection from being processed

Prevent Brute Force Password Cracking
 There is nothing in the script which prevents or limits
a scripted attack on the password form
 A captcha image would provide a unique variable
for each login, severely complicating scripting
 A lockout mechanism should also be coded, limiting
possible logins per user or IP in a given time frame
 A stronger password policy should be enforced,
requiring longer passwords with greater
complexity, greater length, and prohibition of
dictionary words

Insufficient Data Validation
 The “Digital Library” application has no data
validation to prohibit information harvesting
 Put the web server in a chroot “jail” to limit access
to system files such as /etc/passwd
 Write validation code to ensure that the address
specified is an external web page
 Do not print back the contents of a submitted article
to the user


Summary
Presentation Review, Lessons Learned, References


Presentation Summary
 HIPAA is a federal law which protects patients
medical information and records
 HIPAA requires access control and role based
authentication to records and resources
 Secure coding techniques can prevent many
common attacks through validation and variable
conditioning
 Web applications are highly vulnerable to scripting
and automated attacks (and auditing tools)

Lessons Learned
 Most attacks can be avoided with proper
sanitization and code review
 Applications should not depend on external sources
(database, client side validation, etc) for validation
 Minimize the amount of variability possible from
user input
 Build controls into scripts to limit attempts at hacking
or automation


References
 BioPassword, Inc.. (2006). Strong User Authentication and HIPAA Author. Retrieved
Apr. 18, 2008, from
http://www.biopassword.com/library/Strong_User_and_HIPAA.pdf
 SHARON W. THORNTON. HENRICO INTERNAL AUDIT. (2006, Jan. 18). DETAILED
AUDIT TESTING STEPS FOR HIPAA SECURITY RULE COMPLIANCE. HENRICO, VA:
Retrieved Apr. 18, 2008, from http://www.co.henrico.va.us/audit/
 P. M. (2003). HIPAA security regulations: Protecting patients’ electronic health
information. The Journal of the American Dental Association, 134(5), 640-643.
Retrieved May 5, 2008, from http://jada.ada.org/cgi/content/full/134/5/640
 (2007, Dec. 10). Security Standards: Implementation for the Small Provider.
HIPAA Security Series, 2(7), 1-12. Retrieved May 5, 1986, from
http://www.cms.hhs.gov/EducationMaterials/Downloads/SmallProvider4final.pdf


Auditing web servers for HIPAA compliance - §164.312(a)(1)

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Auditing web servers for HIPAA compliance - §164.312(a)(1)

Similar to Auditing web servers for HIPAA compliance - §164.312(a)(1) (20)

More from Eric Goldman

More from Eric Goldman (6)

Recently uploaded

Recently uploaded (20)

Auditing web servers for HIPAA compliance - §164.312(a)(1)