Security Audit for FX Hospital EHR/EMR Systems
This study carries out a security audit of the FX Hospital EHR/EMR information systems to identify their vulnerabilities. The study uses BackTrack as the auditing tool to penetrate the website, and the outcome of the audit reveals that the website is not secure and is exposed to several vulnerabilities. During the audit, the study was able to collect as much patient data as possible, which shows that the website is open to attack. One of the vulnerabilities identified is that the website URL starts with HTTP, which means an attacker can easily break into the website and collect sensitive information. Moreover, none of the data on the website is encrypted, which makes it easy for an attacker to collect patients' data.
Consequently, FX Hospital can face lawsuits for failing to protect patients' data: if patients' data are stolen by an unauthorized individual and misused for personal gain, the issue can lead to a lawsuit. The paper suggests different strategies that FX Hospital can employ to protect the website from these vulnerabilities. The study suggests converting the website's URL from HTTP to HTTPS. HTTPS is a combination of HTTP and SSL (Secure Sockets Layer) that offers an effective security protocol for the website. HTTPS will encrypt all the data in the website, which will consequently protect the data from being stolen by an unauthorized individual. The paper also suggests using a combination of IDS, IPS and a firewall to detect and prevent unauthorized access to the website. The integration of a powerful antivirus is also recommended to protect the website from virus and worm attacks.
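A check a defender could run to confirm the HTTP-to-HTTPS conversion recommended above, as an added example that is not part of the original paper: it inspects one observed response for a cleartext scheme, a missing or short-lived HSTS header, and cookies set without the Secure attribute. The host ehr.example.test, the sample responses and the 180-day HSTS threshold are assumptions made for this example.

```python
from urllib.parse import urlsplit

MIN_HSTS_AGE = 15552000  # 180 days; threshold chosen for this example

def audit_transport(url, status, headers):
    """Return findings for one observed response (headers = list of pairs)."""
    findings = []
    hdrs = [(k.lower(), v) for k, v in headers]
    parts = urlsplit(url)
    if parts.scheme.lower() == "http":
        location = next((v for k, v in hdrs if k == "location"), "")
        if not (status in (301, 308) and location.lower().startswith("https://")):
            findings.append("cleartext: no permanent redirect from HTTP to HTTPS")
        if parts.query:
            findings.append("cleartext: query string sent unencrypted")
    else:
        hsts = next((v for k, v in hdrs if k == "strict-transport-security"), None)
        if hsts is None:
            findings.append("hsts: Strict-Transport-Security header missing")
        else:
            max_age = 0
            for directive in hsts.split(";"):
                name, _, value = directive.strip().partition("=")
                value = value.strip().strip('"')
                if name.strip().lower() == "max-age" and value.isdigit():
                    max_age = int(value)
            if max_age < MIN_HSTS_AGE:
                findings.append(f"hsts: max-age {max_age} below {MIN_HSTS_AGE}")
    # A cookie without Secure can still be sent over plain HTTP.
    for k, v in hdrs:
        if k == "set-cookie":
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie: {v.split('=', 1)[0].strip()} lacks Secure")
    return findings

# Constructed sample responses (hypothetical host, not captured traffic).
BEFORE = ("http://ehr.example.test/patients/?bill_month=8", 200,
          [("Content-Type", "text/html"),
           ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
AFTER = ("https://ehr.example.test/patients/?bill_month=8", 200,
         [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
          ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure")])

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_transport(*sample) or "no findings")
```

The query-string finding is reported even when a redirect is in place, because the first request still crosses the network unencrypted.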
Introduction
Information technology (IT) is inherently associated with risks and vulnerabilities arising from poorly configured firewalls and unsecured SQL databases. These vulnerabilities can cause organizations to lose an enormous amount of revenue if a hacker is able to penetrate an organization's data. In the United States, the websites of healthcare organizations can contain sensitive information about patients and employees, such as SSNs (Social Security Numbers), credit card information and other sensitive information. If an attacker is able to penetrate an organization's website and collect sensitive information, the organization can lose an enormous amount of money from lawsuits, which can consequently damage its business image.
The healthcare website http://vlab02.pneumann.com/patients13/?bill_month=8&sec=HSPO15 may be vulnerable to attack, since it appears that the website does not integrate an encryption or cryptographic security protocol to protect it from unauthorized access. Moreover, the website does not have a firewall to protect it from unauthorized network intrusion. Additionally, "IDS (intrusion detection systems) and IPS (intrusion prevention systems)" (Abdel-Aziz, 2009, p. 10) are not integrated in the system to detect and prevent potential vulnerabilities. Based on the loopholes identified in the system, the study carries out a security audit of the website to uncover its vulnerabilities.
The objective of this project is to carry out a security audit of the website listed below:
http://vlab02.pneumann.com/patients13/?bill_month=8&sec=HSPO15
The outcomes of the audit assist in providing security recommendations for the website.
Methodology and Tools to Perform the Security Audit
The "vulnerabilities are software flaws or misconfigurations that cause a weakness in the security of a system. Vulnerabilities can be exploited by a malicious entity to violate policies-for example, to gain greater access or permission that is authorized on a computer." (Mell, Bergeron, & Henning, 2005 p 7).
Security audits are a strategy for identifying vulnerabilities in a website. Wai (2002) identifies penetration testing as an effective strategy for identifying vulnerabilities. A penetration test involves having a trusted individual attack a website. The penetration test can also involve scanning IP addresses in order to identify the machines that are vulnerable.
The paper uses the BackTrack software to perform the security audit and penetration testing. Websites in the contemporary IT environment face increasing security challenges because of security vulnerabilities and the changing tactics of hackers. Moreover, modern applications and websites are extremely complex, and business stakeholders increasingly face challenges in building a secure website that is foolproof against hacking. One of the best strategies for building a secure website is to use an ethical hacker to identify the vulnerabilities before a criminal has intruded into the website. Typically, an ethical hacker assists in identifying the vulnerabilities and suggests strategies for building a secure website. In this sense, the study explores the vulnerabilities of the website, and the identification of the vulnerabilities assists in designing a strategy to protect the information systems using different methods. The strategy used to practice ethical hacking of the website is discussed as follows:
The paper uses the BackTrack software to audit the website. BackTrack is one of the hacking tools that can be used to penetrate the databases of the websites of different organizations. With the BackTrack tool, a hacker can penetrate the website and collect sensitive information. As revealed in Fig. 1, it is easy to collect data from the website by selecting BackTrack and...