Friday, April 4, 2014

Murky Research Award

I am going to take a page from Keith, and his Ad Hoc Motorcycle Guy Harley Award. This is an authorized pillage of his idea. I thus create the Murky Research Award, tip of a hat to Car Talk - Click and Clack - Murky Research. I am constantly reminded of Murky Research when I explain to people how to pronounce my name. (Keith also recommended this title.) Sorry my graphic isn't as nice as the Ad Hoc Motorcycle Guy Harley Award.

The first Murky Research Award goes to Josh Mandel, who showed tremendous research ability, transparency, and ultimate professionalism in his pursuit of knowledge about security vulnerabilities he discovered in some EHR products: malformed CDA documents (an XML form) that are not robustly sanitized and validated before being displayed using a simple stylesheet and an off-the-shelf browser (or browser framework). The details are far better explained by Josh.


Dear Strucdoc and Security WGs,

In this era of personal health records and Direct messaging, it's increasingly unrealistic to assume that an EHR can trust every (C-)CDA document that arrives in a clinician's inbox. Here's an article I've published on the SMART Platforms blog describing a set of security considerations for the display of potentially malicious C-CDA documents:


This post describes a set of security considerations that are probably well-known to many of you -- but that have been overlooked by multiple real-world EHR products, leading to serious vulnerabilities. 

Bringing "best practices" to real-world implementations is critical, and as a community we should think about how HL7 might help. (In this specific case, for example, by hardening stylesheets and including warnings that these stylesheets are unsafe for use with untrusted documents. In general, by advocating for well-defined vulnerability reporting protocols and bounty programs.)

Best,

  Josh

Not only did Josh do the research into the deep details and write them up in exacting detail, but what you all don't yet know is that he has been working one-on-one with the vendor community to help them understand the problem, multiple times delaying his release to give a vendor another week. He did all this with the utmost discretion and professionalism. I know he is going to publish deeper details.

It is not easy for someone who knows about a problem of this level to be so professional and to utilize the rules of responsible disclosure. My hat goes off to Josh Mandel. Thank you.
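As an added illustration of the "sanitize and validate before display" step the post calls for (this is example code, not anything from Josh's write-up, HL7, or a vendor product), here is a standard-library Python gate that vets an untrusted CDA document before the viewer's own stylesheet ever sees it. The allow-listed namespaces, the href scheme policy, and the two sample documents are this example's own assumptions.

```python
"""Vet an untrusted CDA/C-CDA document before it reaches the display stylesheet."""
from urllib.parse import urlsplit
import xml.parsers.expat

HL7_NS = "urn:hl7-org:v3"
ALLOWED_NS = {HL7_NS, "urn:hl7-org:sdtc"}       # assumption: CDA core plus SDTC extensions
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" covers relative and #fragment links

def vet_cda(xml_bytes: bytes) -> list:
    """Return policy violations; an empty list means the document may be rendered.
    A parse error counts as a violation: malformed input never reaches the browser."""
    findings, seen_root = [], []
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD at all: rules out external entities and entity-expansion blowups.
        raise ValueError(f"DOCTYPE {name!r} present; DTDs are not accepted")
    def on_pi(target, data):
        # The viewer applies its own stylesheet; the document may not name one.
        findings.append(f"processing instruction <?{target}?> present")
    def on_start(tag, attrs):
        ns, _, local = tag.rpartition("}")   # expat reports "uri}local"
        if not seen_root:
            seen_root.append(tag)
            if tag != f"{HL7_NS}}}ClinicalDocument":
                findings.append(f"root element is {tag!r}, not ClinicalDocument")
        if ns not in ALLOWED_NS:             # e.g. embedded XHTML markup
            findings.append(f"<{local}> in foreign namespace {ns!r}")
        for name, value in attrs.items():
            if name.rpartition("}")[2] == "href":   # e.g. CDA linkHtml/@href
                scheme = urlsplit(value.strip()).scheme.lower()
                if scheme not in SAFE_SCHEMES:
                    findings.append(f"href uses disallowed scheme {scheme!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ProcessingInstructionHandler = on_pi
    parser.StartElementHandler = on_start
    try:
        parser.Parse(xml_bytes, True)
    except (ValueError, xml.parsers.expat.ExpatError) as e:
        findings.append(f"rejected: {e}")
    return findings

# Constructed samples: a minimal clean document and one that breaks three rules.
CLEAN = b'<?xml version="1.0"?><ClinicalDocument xmlns="urn:hl7-org:v3"><title>Summary</title></ClinicalDocument>'
SUSPECT = (b'<?xml-stylesheet type="text/xsl" href="other.xsl"?>'
           b'<ClinicalDocument xmlns="urn:hl7-org:v3" xmlns:h="http://www.w3.org/1999/xhtml">'
           b'<h:p>inline markup</h:p><linkHtml href="javascript:void(0)">x</linkHtml></ClinicalDocument>')
```

A document with any finding should be refused or shown only as escaped text, never handed to the stylesheet and browser.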

Tuesday, April 1, 2014

HIPAA Risk Assessment reader

HHS/ONC has released a fantastic and easy to use HIPAA Security Risk Assessment tool:
New Security Risk Assessment (SRA) tool

In collaboration with the HHS Office for Civil Rights, we released this morning a new tool designed to help practices conduct and document a comprehensive assessment to identify risks in their organizations from the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The SRA tool also produces a report that can be useful during audits. You can read the news release announcing the new tool here.
Okay, in case you didn't notice, today is April 1st... This tool from HHS/ONC is potentially useless to someone unwilling to read the HIPAA Security Rule and unwilling to contract with even a low-end security consultant. The big news is that this tool is just a 'wizard' that walks you through reading the HIPAA Security Rule. Once you are done using this tool, YOU HAVE read the HIPAA Security Rule. You are likely no smarter, and you end up with a spreadsheet that just recorded your clicks through the wizard.
I must provide a little bit of reality. I really do (not April 1st) think that HHS/ONC have tried. The HIPAA Security Rule is not easy for some to grasp. Unfortunately, I really don't think that a pretty wizard is going to make it any more readable. So I must give them some positive credit for trying. I just think you would be better off reading the regulation itself, and hiring even a low-end security consultant.