Electronic health records

Post on 10-May-2015


The EHR is a longitudinal electronic record of a patient's health information generated by one or more encounters in any care delivery setting. This presentation explains what an EHR is and why EHR security is needed.

Transcript of Electronic health records

What is an EHR?

The EHR is a longitudinal electronic record of a patient's health information generated by one or more encounters in any care delivery setting.

Advantages of EHR

Cost can be reduced

Quality of care can be improved

Records can be kept easily

Mobility

Why Security of EHR Is Needed?

INSIDER ATTACKS

An insider attack occurs when employees with legitimate access to their organization's information systems use these systems to sabotage their organization's IT infrastructure or commit fraud.

SOFTWARE SECURITY REQUIREMENTS

Use cases

A use case is a description of the possible sequences of interactions between the system and its external actors.

Misuse cases

A misuse case specifies a negative use case, i.e. behavior that is not allowed in the proposed system.

Certification of EHR Systems

Its certification began in 2006

It is primarily conducted by the Certification Commission of Healthcare IT (CCHIT)

Why EHR Systems Are Attacked?

For Health Records

For Service

For Identity And Billing Information

Exploits Done On Targeted Applications

Implementation Bugs

They are code-level software problems.

Design Flaws

They are high-level problems associated with the architecture and design of the system.

Implementation Bugs

Session Hijacking

Cross-Site Scripting

Phishing

SQL Injections

PDF Exploits

Denial of Service: File Uploads

Authorization Failure

SQL Injections

In this attack, an attacker exploits a lack of input validation to force unintended system behavior by inserting reserved words or characters into input fields that will alter the logical structure of a SQL statement.
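The contrast described above, as an added example that is not part of the original presentation: the same login check written with string concatenation and with bound parameters, run against an in-memory SQLite database. The `staff` table, the account and all function names are assumptions constructed for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: one clinician account in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE staff (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO staff VALUES ('dr_rao', 'constructed-hash-123')")
    return db

def login_concatenated(db, username, password_hash):
    # Vulnerable form: input is pasted into the SQL text, so quote characters
    # and reserved words in the input become part of the statement's logic.
    sql = ("SELECT COUNT(*) FROM staff WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, username, password_hash):
    # Hardened form: placeholders keep input as data; the statement's
    # structure is fixed before any input is bound.
    sql = "SELECT COUNT(*) FROM staff WHERE username = ? AND password_hash = ?"
    return db.execute(sql, (username, password_hash)).fetchone()[0] > 0

def compare(username, password_hash):
    # Returns (concatenated_result, parameterized_result) for one login attempt.
    db = make_db()
    try:
        return (login_concatenated(db, username, password_hash),
                login_parameterized(db, username, password_hash))
    finally:
        db.close()

# Constructed inputs: a valid login, a wrong password, and an input whose
# quote and OR keyword rewrite the WHERE clause of the concatenated query.
SAMPLES = [
    ("dr_rao", "constructed-hash-123"),
    ("dr_rao", "wrong"),
    ("dr_rao", "x' OR '1'='1"),
]

if __name__ == "__main__":
    for user, pw in SAMPLES:
        print(user, repr(pw), compare(user, pw))
```

Only the third sample makes the two functions disagree: the concatenated query accepts it because the input changed the statement's structure, while the parameterized query compares it as a literal string and rejects it.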

Performed on

Admin Login - Amskrupajal.org

www.giantstudios.com/buy-soft/adminlogin.asp

www.quickwrench.net/

Cross-Site Scripting

It is a computer security vulnerability that enables attackers to inject client-side script into web pages viewed by other users.

Denial of Service: File Uploads

In this attack, the attacker changes the state of the web server to slow or unresponsive.

Phishing

It is an attempt to acquire sensitive information such as user names, passwords, etc. by masquerading as a trustworthy entity.

Lack of Authorization Control

In this case, the patient's confidential health records and personal identification information can be viewed by the attacker.

Conclusion

The EHR will soon have ….

Better privacy and security protections …

Information will be available when we need it …


THANK YOU

Submitted by:

Shivani Tyagi

Anurag Deb