The First Murky Research Award goes to Josh Mandel, who showed tremendous Research abilities, transparency, and ultimate Professionalism in is pursuit of knowledge on security vulnerabilities he discovered in some EHR products regarding malformed CDA (an XML form) documents that are not robustly sanitized and validated before being displayed using a simple stylesheet and an off-the-shelf browser (or browser framework). The details of this are far better explained by Josh.
Dear Strucdoc and Security WGs,In this era of personal health records and Direct messaging, it's increasingly unrealistic to assume that an EHR can trust every (C-)CDA document that arrives in a clinician's inbox. Here's an article I've published on the SMART Platforms blog describing a set of security considerations for the display of potentially malicious C-CDA documents:This post describes a set of security considerations that are probably well-known to many of you -- but that have been overlooked by multiple real-world EHR products, leading to serious vulnerabilities.Bringing "best practices" to real-world implementations is critical, and as a community we should think about how HL7 might help. (In this specific case, for example, by hardening stylesheets and including warnings that these stylesheets are unsafe for use with untrusted documents. In general, by advocating for well-defined vulnerability reporting protocols and bounty programs.)Best,Josh
Not only did Josh do the research into the deep details, and write them up in exacting details, but what you all don't yet know is that he has been working one-on-one with the vendor community to help them understand the problem, multiple times delaying his release to give a vendor another week. Did this all with the utmost discresion and professionalism. I know he is going to publish more deeper details.
It is not easy for someone who knows this level of problem to be so professional and to utalize the rules of responsible disclosure. My hat goes off to Josh Mandel. Thank You.