
Master’s Exam for Andrew Austin


Title: “Improving the Security of Electronic Health Record Systems”

Date: October 18th, 2011
Time: 11:30 AM – 1:30 PM
Room: EBII, Room 3300

Examination Committee:

Dr. Laurie Williams (Chair and Advisor)
Dr. Annie Antón
Dr. Emerson Murphy-Hill

Abstract:

In the United States, the American Recovery and Reinvestment Act of 2009 (ARRA) provides monetary incentives to healthcare providers for using electronic health record (EHR) systems rather than paper records. By 2015, the ARRA also introduces financial penalties for providers who fail to adopt EHR systems. These legislated financial incentives and penalties are driving mass adoption of EHR systems. How secure are these certified EHR systems? In our research, we examined two questions pertaining to improving the security of electronic health record systems: 1) Are there any weaknesses in the existing security certification criteria that we can improve on? 2) How can we improve vulnerability detection efforts in large-scale software systems such as electronic medical record systems? In order to investigate these questions, we conducted two case studies to address our first research question, and one case study to address the second. These case studies were conducted by evaluating the security of three EHR systems. Based on the results of our first two case studies, we recommend augmenting the existing security criteria with misuse cases to better model attacker behavior. We also recommend using the augmented security criteria as entry criteria to the EHR certification process. Before spending time certifying EHR systems for functionality, certification bodies should have confidence that basic security issues have been addressed. In our third case study, we found empirical evidence that no single technique discovered every type of vulnerability. We discovered almost no individual vulnerabilities with multiple discovery techniques. We also found that systematic manual penetration testing found the most design flaws, while static analysis found the most implementation bugs. Finally, we found the most effective vulnerability discovery technique in terms of vulnerabilities discovered per hour was automated penetration testing. These results suggest that if one has limited time to perform vulnerability discovery, one should conduct automated penetration testing to discover implementation bugs and systematic manual penetration testing to discover design flaws.
