
Auditing web servers for HIPAA compliance - §164.312(a)(1)



This presentation provides an overview of HIPAA (Health Insurance Portability and Accountability Act) from a technical standpoint, and the requirements it places upon a business. Specifically, this presentation addresses HIPAA § 164.312(a)(1). The presentation covers the requirements of this area of the law. In order to demonstrate the requirements, a test environment was built and some application mock-ups were created (intentionally vulnerable) in order to demonstrate what an auditor needs to look for, why the law requires this, and how to address such issues. The testbed demonstration also provides a good primer on SQL injection, password cracking, and file inclusion vulnerabilities. The presentation steps through many of these aspects in detail. The demonstration is embedded from YouTube, and is available in higher quality there. The presentation concludes with some hints and lessons learned through the process. You can get more information on this presentation, demo, and related materials by visiting


Slide 2 - Agenda
I. Overview of HIPAA
II. In-depth Analysis of Section 164.312(a)(1)
III. Introduction to Testbed
IV. Auditing Procedures
V. Testbed Demonstration
VI. Making the Testbed Compliant
VII. Summary
VIII. Lessons Learned
IX. References
Copyright 2008 Eric Goldman -

Slide 3 - HIPAA
The Health Insurance Portability & Accountability Act
US Federal Law, Enacted 1996
Slide 4 - Overview of HIPAA
- Enacted to create a national standard for protecting patients' private health information
- Requires healthcare entities that use electronic processing to comply with standard forms & codes
- Requires the implementation of new safeguards to protect stored information and medical records
- Compliance is enforced by auditing, and heavy penalties can be levied for non-compliance
Slide 5 - Section 164.312(a)(1)
- HIPAA is a comprehensive law which affects both technical and non-technical aspects of healthcare
- The HIPAA Security Rule groups its safeguards into three categories: Administrative, Physical, & Technical Safeguards
- Section 164.312(a)(1) is a technical safeguard which deals with access control, and the standard itself is a required part of HIPAA; of its four implementation specifications, unique user identification and emergency access procedure are required, while automatic logoff and encryption/decryption are addressable
Slide 6 - Section 164.312(a)(1)
The Policy Statement for this section is as follows:
"Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4)."

Slide 7 - The Testbed
An emulation of a Hospital Intranet Web Server
Slide 8 - Introduction to Testbed
- Testbed was created and deployed in a virtual machine (VMware)
- Operating System: Ubuntu Linux Server 7.10
- HTTP Server: Apache 2.2.4
- Database: MySQL 5.0.45
- Web Application Language: PHP 5.2.3
- Applications were written from scratch to emulate real-world situations on a hospital's intranet server

Slide 9 - Introduction to Testbed
Two applications were written for this Testbed:
- Secure Medical Database: an HTML login form used to log in to one of the hospital's record systems. Uses the POST method for submission and retrieves records from the MySQL database.
- Digital Library: a web form to submit medical articles found on the Internet for cataloguing by the hospital librarian. Uses the POST method and the PHP file_get_contents() function to retrieve the submitted address.
Slide 10 - Auditing Procedures
- For this testbed, the audit was not blind: the auditor had the application source code, and attacks were crafted to take advantage of flaws visible in that code
- Most attacks were performed manually, submitting specific input values in order to audit for a given weakness. For the demo, JavaScript was used to fill in the forms for each demonstration.
- In order to test password strength, a custom Perl script was written. Similar results could be obtained with AppScan, Brutus, AccessDiver, etc.

Slide 11 - Auditing Procedures
- The exploits chosen for each web application were developed in order to demonstrate common coding practices which should be considered insecure
- The exploits in this demonstration are focused on the actual end-user web application, not on the services or programs (web server, database, interpreter) which execute the code and serve the pages
- The goal is to demonstrate how to analyze web application code for exploitable flaws

Slide 12 - Testbed Demonstration
The following will show and explain the vulnerabilities in our web applications.
Video is embedded through SlideShare, or view at:

Slide 13 - Meeting Compliance
Suggestions to improve the web applications to ensure compliance with HIPAA
Slide 14 - Prevent SQL Injection Attacks
- On the "Secure Medical Database", authentication is decided by MySQL: the submitted user name and password are built into the query string, and any returned row is treated as a successful login
- Instead, the query should retrieve the stored credential for the given user name only, with the user name passed as a bound parameter (prepared statement) rather than concatenated into the SQL, and PHP should then compare the submitted password against it
- This methodology makes sure that all values are set and that POST values are compared against values stored in the database, instead of being able to alter the query itself; the stored value should be a salted password hash, not the plaintext password
- Enabling magic_quotes in the PHP configuration would stop this particular injection from being processed, but it only escapes quote characters and is not a substitute for parameterized queries (magic_quotes was deprecated in PHP 5.3 and removed in PHP 5.4)
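As an added illustration of this slide (not code from the original testbed, which is PHP/MySQL), the following Python script uses an in-memory SQLite table as a stand-in for the hospital's user table. The account names, passwords and table layout are constructed for the demo. login_vulnerable() mirrors the testbed pattern of concatenating POST values into the query and letting the database decide; login_hardened() binds the user name as a parameter, fetches only that user's salted PBKDF2 hash, and compares in application code.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not from the original testbed).
SAMPLE_ACCOUNTS = [("drsmith", "Corr3ct-Horse!"), ("nurse1", "Batt3ry-Staple?")]
PBKDF2_ROUNDS = 50_000
DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same time as known ones


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password; what the hardened table stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_db() -> sqlite3.Connection:
    """Build two tables: the testbed-style plaintext one and the hardened hashed one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_ACCOUNTS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, _hash(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Testbed pattern: input concatenated into SQL, the database decides authentication."""
    sql = ("SELECT username FROM users_plain WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameter for the lookup; the password check happens in application code."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        _hash(password, DUMMY_SALT)  # keep timing uniform for unknown user names
        return False
    salt, stored = row
    return hmac.compare_digest(_hash(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    # The injected user name comments out the password clause ("--" starts a SQL comment).
    payload = "drsmith' --"
    print("vulnerable, injected name, wrong password:", login_vulnerable(db, payload, "x"))
    print("hardened,   injected name, wrong password:", login_hardened(db, payload, "x"))
    print("hardened,   real name, right password:    ", login_hardened(db, "drsmith", "Corr3ct-Horse!"))
```

With the injected user name the vulnerable query becomes `... WHERE username = 'drsmith' --' AND password = 'x'`, so the password clause is never evaluated and the auditor logs in as drsmith with any password; the hardened version treats the same string as an ordinary (nonexistent) user name.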
Slide 15 - Prevent Brute Force Password Cracking
- There is nothing in the script which prevents or limits a scripted attack on the password form
- A CAPTCHA image would add a per-login challenge that a script cannot trivially answer, severely complicating automation (though it does not by itself limit the number of attempts)
- A lockout mechanism should also be coded, limiting failed logins per user or per IP address in a given time frame; note that lockout by IP alone can affect legitimate users behind a shared address and that per-user lockout can be used to lock out a known account, so the two are usually combined with a time-limited window rather than a permanent block
- A stronger password policy should be enforced, requiring longer passwords with greater character complexity and prohibiting dictionary words
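The following is an added Python example (not from the original PHP testbed) of the lockout and password-policy controls this slide recommends. The credential store, the common-word list and the client address are constructed for the demo; the CAPTCHA step is left out because it needs a browser round trip. LoginThrottle keeps a sliding window of failed attempts per key, and attempt_login() checks both a per-user and a per-IP key before accepting a password.

```python
import re
import time
from collections import deque

# Constructed sample data (not from the original testbed).
CREDENTIALS = {"drsmith": "Corr3ct-Horse!"}  # plaintext only to keep the demo short
COMMON_WORDS = frozenset({"password", "hospital", "letmein", "welcome", "medical"})


class LoginThrottle:
    """Sliding-window failure counter keyed by any principal (user name, client IP)."""

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable so the window can be simulated offline
        self._failures = {}  # key -> deque of failure timestamps

    def is_locked(self, key: str) -> bool:
        q = self._failures.get(key)
        if not q:
            return False
        now = self.clock()
        while q and now - q[0] >= self.window:  # drop failures older than the window
            q.popleft()
        return len(q) >= self.max_attempts

    def record_failure(self, key: str) -> None:
        self._failures.setdefault(key, deque()).append(self.clock())

    def clear(self, key: str) -> None:
        self._failures.pop(key, None)


def attempt_login(throttle: LoginThrottle, ip: str, username: str, password: str) -> str:
    """Return 'locked', 'ok' or 'fail'; failures count against both the user and the IP."""
    user_key, ip_key = f"user:{username}", f"ip:{ip}"
    if throttle.is_locked(user_key) or throttle.is_locked(ip_key):
        return "locked"  # reject without even checking the password
    if CREDENTIALS.get(username) == password:
        throttle.clear(user_key)  # IP counter is deliberately kept
        return "ok"
    throttle.record_failure(user_key)
    throttle.record_failure(ip_key)
    return "fail"


def simulate_scripted_attack(throttle, ip, username, guesses):
    """Run a list of guesses the way a cracking script would; returns the outcome per guess."""
    return [attempt_login(throttle, ip, username, g) for g in guesses]


def password_meets_policy(password: str, min_length: int = 12) -> bool:
    """Length, at least three character classes, and no dictionary word once digits/symbols are stripped."""
    if len(password) < min_length:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        return False
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    return letters_only not in COMMON_WORDS


if __name__ == "__main__":
    t = LoginThrottle(max_attempts=3, window_seconds=60)
    guesses = ["password", "123456", "letmein", "Corr3ct-Horse!"]
    print(simulate_scripted_attack(t, "10.1.2.3", "drsmith", guesses))
    for pw in ("Corr3ct-Horse!", "Password123!", "hospital2008"):
        print(pw, "->", password_meets_policy(pw))
```

Note that the fourth guess is the correct password and is still refused, because the lockout is evaluated before the credential check; the account becomes usable again only after the window expires.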
Slide 16 - Insufficient Data Validation
- The "Digital Library" application has no data validation to prohibit information harvesting: file_get_contents() accepts local paths and stream wrappers as well as web addresses, so a submitted "article" can be a file such as /etc/passwd
- Put the web server in a chroot "jail" to limit access to system files such as /etc/passwd
- Write validation code to ensure that the address specified is an external web page: accept only http and https URLs, and reject bare paths, file:// and other PHP stream wrappers, and addresses pointing at the server itself or other internal hosts
- Do not print back the contents of a submitted article to the user
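The following is an added Python example (not from the original PHP testbed) of the address validation this slide calls for. The function is a standalone check that would run before any fetch; it never retrieves the address itself, so it runs offline. The sample inputs in the test and the __main__ block are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_acceptable_article_url(url: str) -> bool:
    """Accept only an absolute http(s) URL whose host is not the local machine or a private/internal address.

    Rejects bare filesystem paths ('/etc/passwd'), file:// and other stream wrappers
    ('php://filter/...'), embedded credentials, and literal loopback/private/link-local IPs.
    A production deployment should additionally resolve the host name and re-check the
    resolved address, since a public name can point at an internal IP.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ALLOWED_SCHEMES:  # urlsplit lower-cases the scheme
        return False
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        return False
    host = host.lower()
    if host == "localhost" or host.endswith(".localhost") or host.endswith(".local"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name; see docstring about resolving it before use
    return ip.is_global  # False for 127.0.0.0/8, 10/8, 192.168/16, 169.254/16, ::1, fc00::/7, ...


def catalog_response(url: str) -> str:
    """Message returned to the submitter: confirms receipt, never echoes fetched content."""
    if not is_acceptable_article_url(url):
        return "Rejected: only external http/https article addresses are accepted."
    return "Received: the article address has been queued for the librarian."


if __name__ == "__main__":
    for candidate in ("https://www.example.org/article.html", "/etc/passwd",
                      "file:///etc/passwd", "php://filter/resource=/etc/passwd",
                      "http://127.0.0.1/", "http://[::1]/", "http://10.0.0.5/records"):
        print(f"{candidate!r:45} -> {is_acceptable_article_url(candidate)}")
```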
Slide 17 - Summary
Presentation Review, Lessons Learned, References

Slide 18 - Presentation Summary
- HIPAA is a federal law which protects patients' medical information and records
- HIPAA requires access control, with access to records and resources granted according to roles assigned under 164.308(a)(4)
- Secure coding techniques can prevent many common attacks through input validation and variable conditioning
- Web applications are highly vulnerable to scripted and automated attacks (and to automated auditing tools)

Slide 19 - Lessons Learned
- Most attacks can be avoided with proper sanitization and code review
- Applications should not depend on external sources (the database, client-side validation, etc.) for validation
- Minimize the amount of variability possible from user input
- Build controls into scripts to limit attempts at hacking or automation