Herein we merge dental hygiene with development hygiene. ;-)
I recently changed dentists, and after my fist visit (successful and pleasant) I soon received follow up email from Demandforce D3 on behalf of my new dentist. Said email pointed me to an application feature that included the ability to set my email preferences for future contact as well as additional functionality.
I'll present the $64,000 questions right up front.
My understanding of website HIPAA requirements adhere to the following statement from Einstein Medical:
"Since practice web sites provide for email correspondence from potential or current patients that may contain protected health information, practice web sites must be HIPAA compliant."
"HIPAA requires health care providers to implement secure networks for the transmission of all private health information, including information contained in email correspondence."
For information transmission to be considered secure, three elements are necessary:
1) Authentication – identification of the senders/receivers of the information (i.e. must have a unique username)
If I can XSS a HIPAA protected site and can steal the auth cookie, is authentication sound?
2) Non-repudiation – verification that the senders/receivers of the information are who they say they are (i.e. must use a password)
If I can CSRF a HIPAA protected site is non-repudiation guaranteed?
3) Integrity – verification that information cannot be tampered with in transit (i.e. the information is sent through a network that cannot be easily “hacked” or “broken into”)
Both XSS and CSRF are, in essence, tampering when used to an attackers advantage; thus integrity is in question.
As I reviewed the Demandforce D3 application I was immediately struck by what appeared to be flawed dentistry...er, development, and discovered an input cavity in dire need of filling. I know, I know...stick to your day job, Russ.
Fine, screen shots below for your consideration.
While considering the above mentioned authentication, non-repudiation, and integrity bullet points above, please take note of the cookie in Figure 1 and complete XSS defacement in Figure 2, which could just as easily be a fake logon page.
Thinking the best path to Demandforce D3 would be through my new dentist, I contacted the office manger, who immediately forwarded my email to Demandforce D3.
Demandforce D3 quickly remediated the issues, quietly but successfully.
So I ask you, compliance experts, what of web application security flaws and HIPAA?
Are my interpretations accurate or am I just another pretty smile with no substance?
I look forward to your feedback, comments welcome.
del.icio.us | digg | Submit to Slashdot
Please support the Open Security Foundation (OSVDB)