Penetration Testing Healthcare Applications for HIPAA
We discussed the insecurities in healthcare applications some months ago in Palisade. Today, I want to discuss how we test online healthcare sites for security.
Online healthcare sites cover a wide range of applications: from electronic prescription management systems to MIS for medical labs, from health insurance applications to hospital management systems. As part of HIPAA, these sites are expected to be penetration tested to verify their security.
The first step in our penetration testing process is creating a Threat Profile. A “Threat” is the goal of an adversary: it’s what the bad guys want to achieve. A “Threat Profile” is the list of all threats to an application. [For more about Threat Profiles, please read “Why We Love Threat Profiles”].
The Threat Profile is central to our testing methodology. For an online health insurance application, the threat profile may read like:
- views insurance claims of other users
- modifies/deletes insurance claims of others
- views medical records he is not authorized to see
- falsely changes the status of a claim to “approved”
- changes the terms of the plan
Notice these are the things an adversary might be interested in. Logically, that’s where we should start from.
It takes about half-a-day to two days to create the threat profile - that depends on the complexity of your application. We study the application, prepare a draft threat profile and then get your feedback. The Plynt Healthcare Threat Profile Repository helps accelerate this step. This repository is a collection of threats we have already seen in similar healthcare applications.
Once the Threat Profile is ready, we create the Test Plan - the specific tests to perform for checking each threat. This is the intensely technical part of our test, when we visualize in the mind’s eye the various possibilities for attack.
The Test Plan first maps each threat in the Threat Profile to specific pages on your site. For example, the threat “The adversary views insurance claims of other users” might be mapped to the “View Claims” page. Next, the Test Plan identifies all the attacks to try on those pages to realize that specific threat. For example, on the “View Claims” page, we might decide to try a Variable Manipulation attack and a SQL Injection attack to see claims of other users. The Test Plan is thus prepared for all the Threats to the application. To assist our engineers, we have a master reference checklist of all attacks; they pick attacks for the Test Plan from that checklist.
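To make the “View Claims” mapping concrete, here is an added example (not Plynt’s code) of the threat “views insurance claims of other users” written as a test-plan check: a handler that trusts the claim_id parameter alone, the same handler with an object-level authorization check, and the check that a tester would run against each. The claim store, user names and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class Claim:
    claim_id: int
    owner: str      # policyholder the claim belongs to
    status: str


# Constructed sample data: two policyholders, one claim each.
CLAIMS: Dict[int, Claim] = {
    1001: Claim(1001, "alice", "submitted"),
    1002: Claim(1002, "bob", "approved"),
}


class Forbidden(Exception):
    """Raised when the requester is not allowed to see the claim."""


def view_claim_insecure(requester: str, claim_id: int) -> Optional[Claim]:
    """'View Claims' handler that trusts the claim_id parameter alone.
    Any authenticated user who changes claim_id in the request sees the
    claim of any other policyholder; this is the Variable Manipulation
    finding the Test Plan looks for."""
    return CLAIMS.get(claim_id)


def view_claim_secure(requester: str, claim_id: int) -> Optional[Claim]:
    """Same handler with an object-level authorization check: the claim is
    returned only when it belongs to the requester. A missing claim and a
    foreign claim both raise Forbidden, so the response does not reveal
    which claim ids exist."""
    claim = CLAIMS.get(claim_id)
    if claim is None or claim.owner != requester:
        raise Forbidden(f"{requester} may not view claim {claim_id}")
    return claim


def threat_realised(handler: Callable[[str, int], Optional[Claim]]) -> bool:
    """Test-plan check for the threat 'views insurance claims of other
    users': act as alice, request bob's claim id, and report whether
    bob's record came back. True means the threat is realised."""
    try:
        claim = handler("alice", 1002)
    except Forbidden:
        return False
    return claim is not None and claim.owner != "alice"


if __name__ == "__main__":
    print("insecure handler:", threat_realised(view_claim_insecure))  # True
    print("secure handler:  ", threat_realised(view_claim_secure))    # False
```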
Once the Test Plan is prepared, it’s reviewed and approved by a senior. The actual testing begins only after that. The tests are a combination of manual and automated checks. The penetration tester adheres to the original Test Plan. The test plan is updated when he gets new ideas during the test.
When an attack succeeds, we capture the screenshots of the attack. Our final report walks through the attack with the aid of these screenshots.
Any large application penetration test involves hundreds of test cases, so it’s important that we focus on the right set of test cases. We should, for instance, focus on whether the terms of a plan can be modified rather than on generating error messages by tampering with unimportant variables. The Threat Profile to Test Plan approach helps us focus our testing on the threats that matter to you and HIPAA.
Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We’ll get back to you within one working day.