Protecting Web-based Patient Portal for the Security and Privacy of Electronic Medical Records

Xiaowei Li, Yuan Xue (Vanderbilt University). USENIX HealthSec'12, Aug. 6 2012.


Transcript of Protecting Web-based Patient Portal for the Security and Privacy of Electronic Medical Records

Page 1: Protecting Web-based Patient Portal for the Security and Privacy of Electronic Medical Records

Xiaowei Li, Yuan Xue
Vanderbilt University

USENIX HealthSec'12, Aug. 6 2012

Page 2: Motivation

• Patient portals provide online access to a huge amount of patient record information.

• An essential link in securing patient medical records. A real-world case: in Aug. 2000, the information of over 800 patients was leaked through KPOnline, a web healthcare portal.

Page 3: Challenges

• Development and deployment of a secure web patient portal is non-trivial.

– Overcome all common web application vulnerabilities, e.g., SQL injection, weak authentication.

– Implementation of complex and dynamic security policies for restricting sensitive information access and enforcing clinical workflow.

– Integration between the portal and other components (e.g., billing, third-party services) while preventing data leakage via logic flaws or side channels.

Page 4: Case Study - OpenEMR

• http://www.oemr.org/

• Includes a number of vulnerabilities, such as cross-site scripting and SQL injection (http://www.exploitsdownload.com/search?q=emr).

• OpenEMR 3.2 contains an authorization flaw that allows an attacker to create an administrator account, because the user_add page fails to check the user's role when it is executed.

Page 5: Proposed Approach

• A two-tier defense architecture:

– Request Blocker: inspects web requests and prevents sensitive information from being revealed to attackers.

– EMR Protector: isolates EMR data from the vulnerable patient portal at the SQL query level.

– Both consult a Central Decision Engine.

Page 6: Proposed Approach

• Security specifications, maintained by the decision engine, are learnt by an inference engine from real web traffic and reflect the dynamic and complex security policies of a clinical environment.

– Rule-based: extract deterministic patterns, e.g., when the user_add page is accessed, the current user must be an administrator.

– Evidence-based: extract statistical features, e.g., it is very unlikely that the record of a patient with a heart attack is accessed by a physician from an unrelated department.
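As an added example (not code from the paper or from the BLOCK/SENTINEL systems), the toy below shows the rule-based side of the inference engine: it learns from constructed training traffic which session variables are invariant for each page, and a request blocker then enforces the learnt invariant, denying a non-administrator session that requests user_add (the OpenEMR 3.2 flaw). The page names, session variable names and the fail-closed policy for pages never seen in training are assumptions of this example.

```python
# Constructed training traffic: (requested page, session variables at request time).
# Every observed access to user_add came from an administrator session, while
# patient_view was reached by several roles, so only "authenticated" is invariant there.
TRAFFIC = [
    ("user_add", {"role": "admin", "authenticated": "1"}),
    ("user_add", {"role": "admin", "authenticated": "1"}),
    ("patient_view", {"role": "physician", "authenticated": "1"}),
    ("patient_view", {"role": "nurse", "authenticated": "1"}),
    ("login", {"authenticated": "0"}),
]


def infer_specs(traffic):
    """Rule-based inference: for each page keep only the session variables whose
    value was identical in every observed request (a deterministic pattern).

    Caveat: a page seen only once keeps all of its variables as invariants, so a
    real engine needs a minimum support count before it trusts a rule."""
    candidates = {}
    for page, session in traffic:
        if page not in candidates:
            candidates[page] = dict(session)
            continue
        # Drop any variable that is absent or took a different value this time.
        candidates[page] = {k: v for k, v in candidates[page].items()
                            if session.get(k) == v}
    return candidates


def blocker_allows(specs, page, session):
    """Request Blocker: deny a request whose session violates the learnt invariant.
    Pages with no learnt rule are denied (fail closed); this is a policy choice
    of the toy, not something the paper specifies."""
    spec = specs.get(page)
    if spec is None:
        return False
    return all(session.get(k) == v for k, v in spec.items())


if __name__ == "__main__":
    specs = infer_specs(TRAFFIC)
    print("learnt:", specs)
    # A patient-role session requesting user_add is blocked; an admin one passes.
    print(blocker_allows(specs, "user_add", {"role": "patient", "authenticated": "1"}))
    print(blocker_allows(specs, "user_add", {"role": "admin", "authenticated": "1"}))
```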

[Figure: the inference pipeline (web requests, web responses, session variables, SQL queries and SQL responses feed symbolization, modeling and spec inference; SQL signature construction; user session) and a clinical workflow example: caregiver (role), treatment guideline, patient (diagnosis), rule "check lab test before prescribe", with caregivers Nancy, Bill and Bob and the events Prescribe Bill, Check Bob.lab, Prescribe Bob, Check Bill.lab.]

Page 7: Benefits and Status

• Benefits:

– Security implementation can be independent from a specific patient portal and verified and imported for others.

– Automatic inference scales for complex business logic and handles clinical dynamics.

– New security mechanisms/policies can be transparently integrated.

• Current:

– Request Blocker and EMR Protector are based on the BLOCK and SENTINEL systems we implemented for general-purpose web applications.

– Support automatic inference of rule-based specifications.

• Future:

– Enhance the inference engine with evidence-based (statistical) features to handle clinical dynamics.

– Better integrate Request Blocker and EMR Protector with central decision engine.

Page 8: Q&A

• This work was supported by NSF TRUST (The Team for Research in Ubiquitous Secure Technology) Science and Technology Center (CCF-0424422).

Thank you