Date: Fri, 22 Oct 2010 12:26:05 -0400
From: Shawn Merdinger <shawnmer@...il.com>
To: full-disclosure@...ts.grok.org.uk, funsec <funsec@...uxbox.org>
Subject: NIST Electronic Health Record Approved Test Procedures Version 1.0

Hi FD,

"The list below contains the Approved Test Procedures, Version 1.0,
for evaluating conformance of complete EHRs and/or EHR Modules to the
initial set of standards, implementation specifications, and
certification criteria defined in the Health Information Technology:
Initial Set of Standards, Implementation Specifications, and
Certification Criteria published on July 13, 2010." [1]

An example of testing under the "170.302.t Authentication" criteria [2]

<snip>

This test procedure consists of one section:
Verify authorization – evaluates the capability to verify that a person
or entity seeking access to electronic health information is the one
claimed and is authorized
o The Tester creates a new user account and assigns permissions
o The Tester performs an action authorized by the assigned permissions
and verifies that the authorized activity was performed
o The Tester performs an action that is not authorized by the assigned
permissions and verifies that the action was not performed
o The Tester deletes (e.g., deactivates or disables) the user account
o The Tester attempts to login to the account and verifies that the
login attempt failed

</snip>

Fwiw, we'll likely need more work on these kinds of requirements if
testing is even going to begin to address issues such as, for example,
McKesson's use of hardcoded passwords. [3]

After all, a good chunk of the American Recovery and Investment Act of
2009 is going towards health IT investments and incentives. [4]

Electronic Health Record search at www.recovery.gov  [5]

Cheers,
--scm


[1]  http://healthcare.nist.gov/use_testing/finalized_requirements.html
[2]  http://healthcare.nist.gov/docs/170.302.t_Authentication_v1.0.pdf
[3]  http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2009-10/msg00140.html
[4]  http://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009#Healthcare
[5]  http://www.recovery.gov/espsearch/Pages/default.aspx?k=EHR
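
Added example, not part of the original post or of the NIST document: the five tester steps quoted above, run against a toy account store, show that a product with a credential compiled in passes the procedure unchanged, because the steps only exercise the account the tester created. ToyEHR, the account names, the passwords and the candidate credential list are all constructed for illustration; unmanaged_logins is a hypothetical extra check, not something the test procedure defines.

```python
class ToyEHR:
    """Minimal stand-in for an EHR module's account handling (constructed for this example)."""

    def __init__(self, builtin=None):
        self.accounts = {}            # username -> {"pw", "perms", "active"}
        self.builtin = builtin or {}  # credentials shipped in the product, outside account management

    def create_user(self, user, pw, perms):
        self.accounts[user] = {"pw": pw, "perms": set(perms), "active": True}

    def disable_user(self, user):
        self.accounts[user]["active"] = False

    def login(self, user, pw):
        if self.builtin.get(user) == pw:
            return {"*"}  # hardcoded credential: the account store is never consulted
        acct = self.accounts.get(user)
        if acct and acct["active"] and acct["pw"] == pw:
            return acct["perms"]
        return None

    def perform(self, session, action):
        return session is not None and ("*" in session or action in session)


def run_quoted_procedure(ehr):
    """The five tester steps quoted above; True means every step gave the expected result."""
    ehr.create_user("tester1", "S3ssion-pw", ["view_record"])        # create account, assign permissions
    session = ehr.login("tester1", "S3ssion-pw")
    authorized_ok = ehr.perform(session, "view_record")               # authorized action is performed
    unauthorized_blocked = not ehr.perform(session, "delete_record")  # unauthorized action is refused
    ehr.disable_user("tester1")                                       # delete/disable the account
    login_refused = ehr.login("tester1", "S3ssion-pw") is None        # login now fails
    return authorized_ok and unauthorized_blocked and login_refused


def unmanaged_logins(ehr, candidate_credentials):
    """Extra check (assumption): credentials that log in without an active managed account."""
    return [user for user, pw in candidate_credentials
            if ehr.login(user, pw) is not None
            and not ehr.accounts.get(user, {}).get("active", False)]


# Constructed sample: credentials an assessor collected from vendor documentation or config review.
CANDIDATES = [("svc", "vendor-default"), ("tester1", "S3ssion-pw")]
```

The candidate list is the part a black-box procedure cannot supply on its own; it has to come from documentation, configuration or code review of the product under test.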
