Seamless Medical Systems provides specialized applications for the medical industry. The functionalities on offer include mobile patient registration, queue management, insurance verification and payment collection, patient education and ongoing communication. The software is fully integrated with leading EMR (Electronic Medical Record) systems and meets HIPAA (Health Insurance Portability and Accountability Act) requirements.
Because the system processes especially sensitive data, the confidentiality of information, in its broadest sense, is a key aspect of software quality for both the system's users and its manufacturer.
A trusted hacker for rent
The chosen method of verifying the system's security was ethical hacking proposed by BCC (now All for One Poland): a service consisting of detailed, methodical testing of applications for errors and vulnerabilities. Thanks to the expertise of BCC's security consultants and the specialized tools they used, this practical attempt to break the system's security checked data protection in a much broader context than just the area the programmers are responsible for. The applications, their environment (including servers) and even the client tablets used by patients were tested.
Security of applications
Penetration tests were performed on 8 web applications. Comparability of results and repeatability of the tests were ensured by following recognized guidelines: the Open Web Application Security Project (OWASP) Testing Guide v4 and National Institute of Standards and Technology Special Publication 800-115 (NIST SP 800-115).
A number of tools supporting the pentester's work enabled effective verification of areas such as:
- the correctness of the encryption of data transmitted over the Internet,
- management of system users (creating accounts, assigning privileges, resetting passwords, etc.),
- the applications' response to incorrect input (including swapped values),
- how, and how securely, data (including temporary data) is stored.
Security of patient devices
Another test scenario was the loss (including theft) of a tablet. It was analyzed whether the device could be used to access the medical data of its legitimate user or of other system users. Among other things, the correct establishment and termination of the client-server session, and the scope and manner of data storage in the device's memory, were verified.
Project step by step
Penetration testing of the applications was carried out in several stages, during which scenarios agreed with the Customer were executed. The scope of work covered a test environment and, for the avoidance of any doubt, the production environment as well.
In order to ensure a standardized manner of execution, the security testing was performed according to the following methodologies:
- OWASP (Open Web Application Security Project) Testing Guide, version 4
- National Institute of Standards and Technology Special Publication 800-115 (NIST SP 800-115)
The work started in black-box mode, i.e. without the pentester having any prior knowledge of the system under test. The possibility of gaining unauthorized access to the system and of obtaining sensitive information without authorization was analyzed.
The scenario was as follows:
- collection of data on the application, systems and infrastructure,
- an enumeration process,
- scanning of the infrastructure with vulnerability scanners.
In the next part of the test, the applications were tested using known accounts with the roles of the individual system users (gray-box testing). At this stage the following elements were verified:
- login forms and handling of roles,
- authorization mechanisms,
- session management,
- validation of input data and vulnerability to injection attacks,
- error handling,
- cryptographic mechanisms,
- business logic of applications,
- the possibility of attacks against the application client's browser.
The tests concluded with a report documenting all activities performed and a certificate confirming the system's security.
Privilege escalation
Another element of the penetration test was verifying whether an unauthorized person could access data by obtaining a higher level of privileges than those assigned to a given user. This was checked, among other things, by misusing application forms and by modifying URL addresses.
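The privilege-escalation check described above, and the authorization and role-handling items of the gray-box stage, amount to the same test: request every resource with every role's session and compare the outcome with the access policy agreed with the customer. The script below is an added example and not BCC's or Seamless Medical Systems' code. It assumes a hypothetical application with a patient-record endpoint `/patients/<id>` and an administrative `/admin/users` endpoint, simulated in-process so that it runs offline; against a real system the two handler functions would be replaced by HTTP requests carrying each role's session cookie. The roles, identifiers and records are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical): two patient records, each assigned to a clinician.
PATIENTS = {
    101: {"clinician_id": 7},
    102: {"clinician_id": 8},
}


@dataclass(frozen=True)
class Session:
    """Stand-in for an authenticated session: who is logged in and with which role."""
    user_id: int
    role: str  # "anonymous", "patient", "clinician" or "admin" (hypothetical role names)


def _patient_id(path):
    """Return the numeric id from '/patients/<id>', or None for any other path."""
    prefix = "/patients/"
    if not path.startswith(prefix):
        return None
    try:
        return int(path[len(prefix):])
    except ValueError:
        return None


def handle_vulnerable(session, path):
    """Simulated endpoint that authenticates but never authorizes (the 'before' case).
    Any logged-in user can read any record by editing the id in the URL, and
    /admin/users relies only on the link being hidden from non-admins in the UI."""
    if session.role == "anonymous":
        return 401
    pid = _patient_id(path)
    if pid is not None:
        return 200 if pid in PATIENTS else 404
    if path == "/admin/users":
        return 200
    return 404


def handle_fixed(session, path):
    """Same endpoints with server-side ownership and role checks."""
    if session.role == "anonymous":
        return 401
    pid = _patient_id(path)
    if pid is not None:
        if pid not in PATIENTS:
            return 404
        record = PATIENTS[pid]
        owner = session.role == "patient" and session.user_id == pid
        treating = session.role == "clinician" and record["clinician_id"] == session.user_id
        # Some deployments answer 404 here instead of 403 so the response does not
        # confirm that a guessed id exists; either way the caller is denied.
        return 200 if (session.role == "admin" or owner or treating) else 403
    if path == "/admin/users":
        return 200 if session.role == "admin" else 403
    return 404


def policy_allows(session, path):
    """The expected access matrix: the oracle the tester agrees with the customer.
    It is written independently of the handlers so the test does not simply
    re-check the application's own logic."""
    if session.role == "admin":
        return True
    if session.role == "anonymous":
        return False
    pid = _patient_id(path)
    if pid is None or pid not in PATIENTS:
        return False  # only admins may reach /admin/users; unknown paths are never allowed
    if session.role == "patient":
        return session.user_id == pid          # horizontal escalation if violated
    if session.role == "clinician":
        return PATIENTS[pid]["clinician_id"] == session.user_id
    return False


def run_matrix(handler, sessions, paths):
    """Request every path with every session and report deviations from the policy.
    Returns a list of (role, user_id, path, kind) tuples; empty means the matrix holds."""
    findings = []
    for s in sessions:
        for p in paths:
            status = handler(s, p)
            allowed = policy_allows(s, p)
            if status == 200 and not allowed:
                findings.append((s.role, s.user_id, p, "unexpected access"))
            elif status != 200 and allowed:
                findings.append((s.role, s.user_id, p, "unexpected denial"))
    return findings


SESSIONS = [Session(0, "anonymous"), Session(101, "patient"), Session(102, "patient"),
            Session(7, "clinician"), Session(1, "admin")]
PATHS = ["/patients/101", "/patients/102", "/admin/users"]

if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("fixed", handle_fixed)):
        for finding in run_matrix(handler, SESSIONS, PATHS):
            print(name, *finding)
```

Run against the vulnerable handler the matrix reports six deviations: each patient reading the other patient's record, the clinician reading a patient not assigned to them, and all three non-admin roles reaching `/admin/users`. The fixed handler produces no findings. Recording both "unexpected access" and "unexpected denial" matters in practice: a hardening change that locks legitimate clinicians out of their own patients' records is a defect the customer wants to know about just as much as the escalation.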
Summary
The final product of the tests was a comprehensive report documenting the actions taken and the results obtained. The system's security was confirmed by a certificate issued by BCC. For customers of Seamless Medical Systems, it attests that the applications are built with due care for the confidentiality and integrity of data.
Total security program
A core component of any HIPAA compliant technology platform includes periodic penetration testing by a qualified third party. Penetration testing is simply industry best practice and BCC Group is an integral part of our total security program.
Anthony Brooke, Co-founder & CTO, Seamless Medical Systems Inc