Penetration Testing Healthcare Applications for HIPAA

By Paladion

July 28, 2008

We discussed the insecurities in healthcare applications some months ago in Palisade. Today, I want to discuss how we test online healthcare sites for security.

Online healthcare sites cover a wide range of applications: from electronic prescription management systems to MIS for medical labs, from health insurance applications to hospital management systems. As part of HIPAA, these sites are expected to be penetration tested to verify their security.

The first step in our penetration testing process is creating a Threat Profile. A "Threat" is the goal of an adversary: it's what the bad guys want to achieve. A "Threat Profile" is the list of all threats to an application. [For more about Threat Profiles, please read "Why We Love Threat Profiles"].

The Threat Profile is central to our testing methodology. For an online health insurance application, the threat profile may read like:

  • views insurance claims of other users
  • modifies/deletes insurance claims of others
  • views medical records he is not authorized to see
  • falsely changes the status of a claim to "approved"
  • changes the terms of the plan

Notice these are the things an adversary might be interested in. Logically, that’s where we should start from.

It takes between half a day and two days to create the threat profile, depending on the complexity of your application. We study the application, prepare a draft threat profile and then get your feedback. The Plynt Healthcare Threat Profile Repository helps accelerate this step. This repository is a collection of threats we have already seen in similar healthcare applications.

Once the Threat Profile is ready, we create the Test Plan - the specific tests to perform for checking each threat. This is the intensely technical part of our test, when we visualize in the mind’s eye the various possibilities for attack.

The Test Plan first maps each threat in the Threat Profile to specific pages on your site. For example, the threat "The adversary views insurance claims of other users" might be mapped to the "View Claims" page. Next, the Test Plan identifies all the attacks to try on those pages to realize that specific threat. For example, on the "View Claims" page, we might decide to try a Variable Manipulation attack and a SQL Injection attack to see claims of other users. The Test Plan is thus prepared for all the Threats to the application. To assist our engineers, we have a master reference checklist of all attacks; they pick attacks for the Test Plan from that checklist.
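As an added illustration (example code, not Paladion's or Plynt's), the following models one Test Plan entry as an executable check: the threat "views insurance claims of other users", mapped to a hypothetical "View Claims" handler, tested with a Variable Manipulation attack. It shows the handler in the form that realizes the threat beside the hardened form that scopes the lookup to the logged-in user; the claims store, user names and claim ids are constructed sample data.

```python
# Added example, not code from the original article. Models the Test Plan check
# "views insurance claims of other users" against a hypothetical View Claims handler.
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: int
    owner: str   # username of the insured who filed the claim
    status: str


# Constructed sample claims store: one row per claim, keyed by claim id.
CLAIMS = {
    1001: Claim(1001, "alice", "pending"),
    1002: Claim(1002, "bob", "approved"),
}


class Forbidden(Exception):
    """Raised when a user requests a claim they do not own."""


def view_claim_insecure(session_user: str, claim_id: int) -> Claim:
    # Trusts the claim_id request parameter alone: any logged-in user can read
    # any claim by changing the id, which is the variable manipulation the
    # Test Plan targets for this threat.
    return CLAIMS[claim_id]


def view_claim_secure(session_user: str, claim_id: int) -> Claim:
    # Hardened form: the lookup is scoped to the authenticated user's own
    # claims, so the authorization decision does not depend on client input.
    claim = CLAIMS.get(claim_id)
    if claim is None or claim.owner != session_user:
        raise Forbidden(f"{session_user} may not view claim {claim_id}")
    return claim


def run_threat_test(handler, attacker: str, victim_claim_id: int) -> bool:
    """One Test Plan entry: threat 'views insurance claims of other users',
    page 'View Claims', attack 'Variable Manipulation'. Returns True when the
    handler resists the attack and False when the threat is realized."""
    try:
        claim = handler(attacker, victim_claim_id)
    except (Forbidden, KeyError):
        return True
    return claim.owner == attacker   # only the requester's own claims may be shown


if __name__ == "__main__":
    for name, h in (("insecure", view_claim_insecure), ("secure", view_claim_secure)):
        print(name, "resists the attack" if run_threat_test(h, "alice", 1002) else "FAILS")
```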

Once the Test Plan is prepared, it’s reviewed and approved by a senior. The actual testing begins only after that. The tests are a combination of manual and automated checks. The penetration tester adheres to the original Test Plan. The test plan is updated when he gets new ideas during the test.

When an attack succeeds, we capture the screenshots of the attack. Our final report walks through the attack with the aid of these screenshots.

Any large application penetration test involves hundreds of test cases, so it's important that we focus on the right set of test cases. We should, for instance, focus on whether the terms of a plan can be modified rather than on generating error messages by tampering with unimportant variables. The Threat Profile to Test Plan approach helps us focus our testing on the threats that matter to you and HIPAA.

Tags: healthcare, Uncategorized, ethical hacking, HIPAA, security testing