Date: Fri, 22 Oct 2010 12:26:05 -0400
From: Shawn Merdinger <>
To: funsec <>
Subject: NIST Electronic Health Record Approved Test Procedures Version 1.0

Hi FD,

"The list below contains the Approved Test Procedures, Version 1.0,
for evaluating conformance of complete EHRs and/or EHR Modules to the
initial set of standards, implementation specifications, and
certification criteria defined in the Health Information Technology:
Initial Set of Standards, Implementation Specifications, and
Certification Criteria published on July 13, 2010." [1]

An example of testing under the "170.302.t Authentication" criteria [2]:

This test procedure consists of one section:

Verify authorization - evaluates the capability to verify that a person
or entity seeking access to electronic health information is the one
claimed and is authorized
o The Tester creates a new user account and assigns permissions
o The Tester performs an action authorized by the assigned permissions
  and verifies that the authorized activity was performed
o The Tester performs an action that is not authorized by the assigned
  permissions and verifies that the action was not performed
o The Tester deletes (e.g., deactivates or disables) the user account
o The Tester attempts to login to the account and verifies that the
  login attempt failed

Fwiw, we'll likely need more work on these kinds of requirements if
testing is even going to begin to address issues such as, for example,
McKesson's use of hardcoded passwords. [3]

After all, a good chunk of the American Recovery and Investment Act of
2009 is going towards health IT investments and incentives. [4]

Electronic Health Record search at  [5]

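The five tester steps of the "170.302.t Authentication" procedure quoted in the post, carried through against a constructed in-memory user store. This is an added example, not code from the post or from NIST; the class name `EhrAuthService`, the permission names and the test account are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class EhrAuthService:
    """Constructed stand-in for an EHR module's user store (assumption, not a real product)."""

    def __init__(self):
        self._users = {}  # name -> {"salt", "hash", "perms", "active"}
        self.audit = []   # every decision is recorded so a tester can verify it afterwards

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, name, password, permissions):
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "hash": self._hash(password, salt),
                             "perms": frozenset(permissions), "active": True}

    def login(self, name, password):
        user = self._users.get(name)
        if user is None or not user["active"]:      # unknown or deactivated: same failure path
            self.audit.append(("login_failed", name))
            return False
        ok = hmac.compare_digest(user["hash"], self._hash(password, user["salt"]))
        self.audit.append(("login_ok" if ok else "login_failed", name))
        return ok

    def perform(self, name, action):
        user = self._users.get(name)
        allowed = user is not None and user["active"] and action in user["perms"]
        self.audit.append(("action_ok" if allowed else "action_denied", name, action))
        return allowed

    def deactivate(self, name):
        self._users[name]["active"] = False


def run_authentication_procedure(svc):
    """Walks the tester's steps; each value is True when that step's expectation held."""
    svc.create_user("tester1", "correct horse", {"view_record"})     # step 1: create, assign perms
    results = {
        "authorized_action_performed": svc.perform("tester1", "view_record"),      # step 2
        "unauthorized_action_blocked": not svc.perform("tester1", "delete_record"),  # step 3
    }
    svc.deactivate("tester1")                                                       # step 4
    results["login_after_deactivation_fails"] = not svc.login("tester1", "correct horse")  # step 5
    return results
```

The audit list is what a tester would inspect to confirm that the denied action and the failed login were actually recorded, not just silently refused.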