Sunday, April 06, 2014

It Appears There Are Some Significant Security Issues With The PCEHR. I Wonder When There Will Be An Official Comment?

The following appeared in the last day or so.

Security vulnerabilities in C-CDA Display using CDA.xsl

TL;DR: If you’re using XSLT stylesheets to render C-CDAs in your EHR, make sure you understand the security implications. Otherwise you could be vulnerable to a data breach.
This blog post describes security issues that have affected well-known 2014 Certified EHRs. Please note that I’ve already shared this information privately with the Web-based EHR vendors I could identify, and I’ve waited until they were able to investigate the issues and (if needed) repair their systems.
Last month I observed a set of security vulnerabilities in XSLT “stylesheets” used to display externally-supplied C-CDA documents in many EHRs. To be specific: the CDA.xsl stylesheet provided by HL7 (which has been adopted by many EHR vendors) can leave EHRs vulnerable to attacks by maliciously-composed documents.
I plan to follow up with posts describing:
  • a real-world case where a vendor was affected by these issues
  • a set of security best practices that can help avoid these and other issues
  • the unfortunate state of EHR vendor security vulnerability reporting protocols

Three fundamental attacks

Many vendors appear to be using (slightly tweaked versions of) the CDA.xsl that comes with HL7's C-CDA release. This provides potential attackers with a highly visible, leveragable target.
My analysis revealed at least three ways to craft a malicious C-CDA. The first two vulnerabilities allow the execution of arbitrary JavaScript code within the C-CDA viewer. For example, an attacker could steal browser cookies and application state, and post them back to an external server. The third vulnerability allows the C-CDA viewer URL to leak to an external server.
All the technical details of the three issues can be found here:
I was alerted to this blog post by a technical guru who said there were significant issues to be addressed both by the PCEHR Program and NEHTA as well as some of the GP system providers who used CDA Stylesheets.
I am sure there is significant effort being put into working out what exactly to do right now.
This is clearly an evolving story and I suggest people keep an eye open for information from Government and NEHTA and the mainstream press.
I also look forward to more posts from the US blogger explaining what he is recommending as appropriate fixes etc.
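The quoted post describes two failure modes in XSLT-rendered C-CDA viewers: script execution inside the viewer, and resource loads that hand the viewer URL to an external server. One defensive layer that addresses both, added here as an example (not code from the quoted post, from HL7 or from any vendor), is to pass the HTML that the stylesheet produces through an allow-list sanitizer before it reaches the browser; the tag list, the `https://ehr.example` origin and the sample markup in the test are assumptions constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list for a read-only clinical view (an assumption of this example).
ALLOWED_TAGS = {"html", "head", "title", "body", "h1", "h2", "h3", "p", "br", "table",
                "tr", "th", "td", "ul", "ol", "li", "b", "i", "span", "div", "a", "img"}
SAFE_ATTRS = {"title", "alt", "colspan", "rowspan"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg"}

class CdaHtmlSanitizer(HTMLParser):
    """Rebuilds stylesheet output keeping only allow-listed tags and attributes."""
    def __init__(self, own_origin):
        super().__init__(convert_charrefs=True)
        self.own_origin = own_origin.lower()       # e.g. "https://ehr.example"
        self.out, self.dropped, self.skip_tag = [], [], None
    def _url_ok(self, url):
        # Browsers ignore control chars/whitespace inside a URL; mirror that first.
        u = urlparse(re.sub(r"[\x00-\x20]", "", url))
        if not u.scheme and not u.netloc:
            return True                            # relative: stays on our origin
        return u.scheme in ("http", "https") and f"{u.scheme}://{u.netloc}".lower() == self.own_origin
    def handle_starttag(self, tag, attrs):
        if self.skip_tag:
            return
        if tag not in ALLOWED_TAGS:                # script/style etc.: drop body too
            self.dropped.append(tag)
            self.skip_tag = tag if tag in DROP_WITH_CONTENT else None
            return
        kept = []
        for name, value in attrs:                  # names arrive lower-cased
            if name in SAFE_ATTRS or (name in ("href", "src") and self._url_ok(value or "")):
                kept.append(f' {name}="{escape(value or "")}"')
            else:                                  # on* handlers, style, off-site URLs
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag == self.skip_tag:
            self.skip_tag = None
        elif not self.skip_tag and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_tag:
            self.out.append(escape(data, quote=False))
    def sanitize(self, html_text):
        """Return (clean_html, dropped) for the HTML an XSLT produced from a C-CDA."""
        self.feed(html_text)
        self.close()
        return "".join(self.out), self.dropped
```

The `dropped` list is worth logging: a document whose rendering sheds a `script` element or an off-site `img@src` is exactly the kind of externally supplied C-CDA the quoted post is about.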
