Protecting Web-based Patient Portal for the Security and Privacy of Electronic Medical Records
Xiaowei Li, Yuan Xue
Vanderbilt University
USENIX HealthSec'12, Aug. 6, 2012
Motivation
• Patient portals provide online access to a huge amount of patient record information.
• They are an essential link in securing patient medical records.
• A real-world case: in Aug. 2000, the information of over 800 patients was leaked through KPOnline, a web healthcare portal.
Challenges
• Development and deployment of a secure web patient portal is non-trivial.
• Overcome all common web application vulnerabilities, e.g., SQL injection, weak authentication.
• Implementation of complex and dynamic security policies for restricting sensitive information access and enforcing clinical workflow.
• Integration between the portal and other components (e.g., billing, third-party services) while preventing data leakage via logic flaws or side channels.
Case Study - OpenEMR
• http://www.oemr.org/
• Includes a number of vulnerabilities, such as cross-site scripting and SQL injection. (http://www.exploitsdownload.com/search?q=emr)
• OpenEMR 3.2 contains an authorization flaw that allows an attacker to create an administrator account, because the user_add page fails to check the user role when it is executed.
Proposed Approach
• A two-tier defense architecture:
  • Request Blocker: inspects web requests and prevents sensitive information from being revealed to attackers.
  • EMR Protector: isolates EMR data from the vulnerable patient portal at the SQL query level.
  • Both of them consult the Central Decision Engine.
Proposed Approach
• Security specifications, maintained by the decision engine, are learnt by an inference engine from real web traffic and reflect the dynamic and complex security policies of a clinical environment.
• Rule-based: extract deterministic patterns, e.g., when the user_add page is accessed, the current user must be an administrator.
• Evidence-based: extract statistical features, e.g., it is very unlikely that the record of a patient with a heart attack is accessed by a physician from an irrelevant department.
[Figure: architecture and inference pipeline. Data flows: Web Requests / Web Responses / Session Variables through the Request Blocker; SQL Queries / SQL Responses through the EMR Protector. Inference stages: User Session Symbolization (Caregiver (Role), Patient (Diagnosis)), Clinical Workflow Modeling, Treatment Guideline, SQL Signature Construction, Spec Inference. Sample sessions for caregiver Nancy: Check Bill.lab, Prescribe Bill; Check Bob.lab, Prescribe Bob; inferred spec: check lab test before prescribe.]
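The following is an added, self-contained illustration of the two tiers described on this slide and the previous one; it is not code from the paper or from the BLOCK/SENTINEL systems. It models only the rule-based part of the inference engine (the evidence-based statistical features are not modeled). Training traffic, page names, roles and SQL text are constructed sample data: the inference engine derives from observed sessions which pages are only ever reached by one role (the user_add rule from the slide) and which SQL signatures each page issues; the Request Blocker then refuses a request whose session role violates the learnt rule, and the EMR Protector refuses a query whose signature was never seen for that page, which is how an injected query reaching the database would be stopped even if the portal itself is vulnerable.

```python
"""Miniature Request Blocker + EMR Protector driven by inferred specs.

Added example, not the paper's implementation. All traffic below is
constructed sample data; page names and roles are assumptions.
"""
import re
from collections import defaultdict

# Constructed training traffic: (page, session role, SQL queries issued by that page).
TRAINING_TRAFFIC = [
    ("user_add", "admin",
     ["INSERT INTO users (username, role) VALUES ('nancy', 'physician')"]),
    ("user_add", "admin",
     ["INSERT INTO users (username, role) VALUES ('bob', 'nurse')"]),
    ("patient_view", "physician", ["SELECT * FROM patients WHERE id = 42"]),
    ("patient_view", "nurse", ["SELECT * FROM patients WHERE id = 7"]),
    ("patient_view", "physician", ["SELECT * FROM patients WHERE id = 9"]),
]

ALLOW, BLOCK = "allow", "block"

# String literals and bare integers are the parts of a query that vary per request.
LITERAL = re.compile(r"'[^']*'|\b\d+\b")


def sql_signature(query):
    """SQL signature construction: replace literals with '?' and normalise whitespace,
    so queries that differ only in their data collapse to one structural signature."""
    return " ".join(LITERAL.sub("?", query).split())


def infer_specs(traffic):
    """Rule-based spec inference over observed sessions.

    Returns (required_role, allowed_sigs):
      required_role: page -> role, for pages that only one role ever accessed
      allowed_sigs:  page -> set of SQL signatures observed for that page
    """
    roles_seen = defaultdict(set)
    sigs_seen = defaultdict(set)
    for page, role, queries in traffic:
        roles_seen[page].add(role)
        for query in queries:
            sigs_seen[page].add(sql_signature(query))
    required_role = {page: next(iter(roles))
                     for page, roles in roles_seen.items() if len(roles) == 1}
    return required_role, dict(sigs_seen)


def request_blocker(page, session, required_role):
    """Tier 1: inspect the request and its session variables before the portal sees it.
    A missing or mismatching role on a role-restricted page is blocked."""
    needed = required_role.get(page)
    if needed is not None and session.get("role") != needed:
        return BLOCK
    return ALLOW


def emr_protector(page, query, allowed_sigs):
    """Tier 2: sit between the portal and the EMR database; only SQL whose
    signature was learnt for this page may reach the records."""
    if sql_signature(query) in allowed_sigs.get(page, set()):
        return ALLOW
    return BLOCK


if __name__ == "__main__":
    required_role, allowed_sigs = infer_specs(TRAINING_TRAFFIC)
    print("inferred role rules:", required_role)
    print("user_add by unauthenticated session:",
          request_blocker("user_add", {}, required_role))
    print("patient_view with a tampered query:",
          emr_protector("patient_view",
                        "SELECT * FROM patients WHERE id = 1 OR 1=1", allowed_sigs))
```

Both tiers consult the same inferred specification, standing in for the Central Decision Engine; in a deployment the Request Blocker would run as a reverse proxy in front of the portal and the EMR Protector as a proxy in front of the database, so neither depends on the portal's own (possibly flawed) authorization code.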
Benefits and Status
• Benefits:
  • Security implementation can be independent from a specific patient portal, and can be verified and imported for others.
  • Automatic inference scales to complex business logic and handles clinical dynamics.
  • New security mechanisms/policies can be transparently integrated.
• Current:
  • Request Blocker and EMR Protector are based on the BLOCK and SENTINEL systems that we have implemented for general-purpose web applications.
  • Support automatic inference of rule-based specifications.
• Future:
  • Enhance the inference engine with evidence-based (statistical) features to handle clinical dynamics.
  • Better integrate Request Blocker and EMR Protector with the central decision engine.
Q&A
• This work was supported by NSF TRUST (The Team for Research in Ubiquitous Secure Technology) Science and Technology Center (CCF-0424422).
Thank you