Protecting Web-based Patient Portal for the
Security and Privacy of Electronic Medical
Records
Xiaowei Li
Yuan Xue
Vanderbilt University
USENIX HealthSec’12
Aug. 6 2012
Motivation
• Patient portals provide online access to a huge
amount of patient record information.
• An essential link in securing patient medical
record.
A real-world case: in Aug. 2000, the information of over 800 patients
was leaked through KPOnline, a web healthcare portal.
Challenges
• Development and deployment of a secure web
patient portal is non-trivial.
– Overcome all common web application vulnerabilities, e.g.,
SQL injection, weak authentication.
– Implementation of complex and dynamic security policies
for restricting sensitive information access and enforcing
clinical workflow.
– Integration between the portal and other components (e.g.,
billing, third-party service) while preventing data leakage via
logic flaws or side channel.
Case Study - OpenEMR
• http://www.oemr.org/
• Includes a number of vulnerabilities, such as cross-site scripting and SQL
injection. (http://www.exploitsdownload.com/search?q=emr)
• OpenEMR 3.2 contains an authorization flaw that allows an attacker to
create an administrator account, because the user_add page fails to check
the user role when it is executed.
Proposed Approach
• A two-tier defense architecture:
– Request Blocker: inspects web requests and prevents sensitive information
from being revealed to attackers.
– EMR Protector: isolates EMR data from the vulnerable patient portal at the
SQL query level.
– Both consult the Central Decision Engine.
Proposed Approach
• Security specifications, maintained by the decision engine, are learnt by
an inference engine from real web traffic and reflect the dynamic and complex
security policies of a clinical environment.
– Rule-based: extract deterministic patterns, e.g., when the user_add page is
accessed, the current user must be an administrator.
– Evidence-based: extract statistical features, e.g., it is very unlikely that
the record of a heart-attack patient is accessed by a physician from an
unrelated department.
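As an added illustration (not code from the slides or from the authors' BLOCK/SENTINEL systems), the following Python sketch shows how both kinds of specification on this slide can be learnt from observed traffic and then consulted for a decision: a rule-based pass that derives "page X requires role Y" whenever only one role was ever seen reaching a page, and an evidence-based pass that rates a (diagnosis, department) record access by how often that pairing was observed before. All traffic, page names, roles, diagnoses, departments and the 5% threshold are constructed for the example and are not OpenEMR's.

```python
"""Specification inference and request blocking (illustrative, constructed data).

Rule-based pass: learn which single role every page requires from trusted
traffic, then block requests whose session holds a different role.
Evidence-based pass: rate a (diagnosis, department) record access by how
often that pairing was observed before. Page names, roles, diagnoses and
departments are constructed for the example, not taken from OpenEMR.
"""
from collections import defaultdict

# Constructed training traffic: (requested page, role held by the session).
TRAINING_TRAFFIC = [
    ("user_add", "administrator"),
    ("user_add", "administrator"),
    ("user_add", "administrator"),
    ("patient_view", "physician"),
    ("patient_view", "nurse"),
    ("patient_view", "administrator"),
    ("prescribe", "physician"),
    ("prescribe", "physician"),
]

# Constructed access log: (patient diagnosis, department of the clinician
# whose session opened the record).
ACCESS_LOG = (
    [("heart attack", "cardiology")] * 40
    + [("heart attack", "emergency")] * 8
    + [("fracture", "orthopedics")] * 30
)


def infer_role_rules(traffic, min_support=2):
    """Return {page: role} for pages reached by exactly one role at least
    `min_support` times; pages seen with several roles yield no rule."""
    roles_per_page = defaultdict(set)
    count_per_page = defaultdict(int)
    for page, role in traffic:
        roles_per_page[page].add(role)
        count_per_page[page] += 1
    return {
        page: next(iter(roles))
        for page, roles in roles_per_page.items()
        if len(roles) == 1 and count_per_page[page] >= min_support
    }


def request_blocker(rules, page, session):
    """'allow' or 'block' for one request, given the server-side session.
    Pages without a learnt rule are allowed: only established rules are enforced."""
    required = rules.get(page)
    if required is None or session.get("role") == required:
        return "allow"
    return "block"


def access_likelihood(log, diagnosis, department):
    """Fraction of past accesses to records with `diagnosis` that came from
    `department`; 0.0 when the pairing was never observed."""
    total = sum(1 for d, _ in log if d == diagnosis)
    if total == 0:
        return 0.0
    hits = sum(1 for d, dep in log if d == diagnosis and dep == department)
    return hits / total


def evidence_check(log, diagnosis, department, threshold=0.05):
    """'suspicious' when the pairing is rarer than `threshold`, else 'normal'."""
    likelihood = access_likelihood(log, diagnosis, department)
    return "suspicious" if likelihood < threshold else "normal"


if __name__ == "__main__":
    rules = infer_role_rules(TRAINING_TRAFFIC)
    print(rules)
    # user_add itself performs no role check (the OpenEMR 3.2 flaw on the
    # earlier slide); the blocker supplies the check from the learnt rule.
    print(request_blocker(rules, "user_add", {"role": "physician"}))
    print(evidence_check(ACCESS_LOG, "heart attack", "dermatology"))
```

The `min_support` guard keeps a single unusual session from creating a rule on its own, and a page seen with several roles (here `patient_view`) produces no deterministic rule at all, which is exactly the case the evidence-based side is meant to cover.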
[Figure: specification inference architecture. A user session produces web
requests and responses, session variables, and SQL queries and responses;
the Spec Inference stage consists of Modeling, Clinical Workflow, SQL
Signature Construction and Symbolization. Example trace: caregiver (role)
Nancy checks Bill's lab and Bob's lab, then prescribes for Bob and Bill;
patients (diagnosis) Bill and Bob; treatment guideline: check lab test
before prescribing.]
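The figure's "SQL Signature Construction" and "Symbolization" steps, together with the EMR Protector from the Proposed Approach slide, as an added example written for this page (not code from the authors' systems): queries observed in trusted traffic are reduced to signatures in which every literal equal to a session variable becomes that variable's name and every other literal becomes `?`; at run time a query is allowed only if, symbolized against the current session, it matches a signature learnt for the page that issued it. Table and column names, session variables and the queries themselves are constructed, not OpenEMR's.

```python
"""SQL signature construction with session-variable symbolization (illustrative).

Learning: each (page, query, session) seen in trusted traffic is turned into a
signature string and stored per page. Enforcement: a new query is symbolized
against the live session and must match a learnt signature for its page.
Because a literal that differs from the session value symbolizes to '?', a
page that only ever read the logged-in patient's own row cannot be made to
read another patient's row. All queries and names below are constructed.
"""
import re
from collections import defaultdict

# Single-quoted SQL strings (doubled quotes allowed inside) or bare integers.
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+\b")


def symbolize(query, session):
    """Replace each literal with `$name` when it equals session[name], else `?`,
    and collapse whitespace so layout differences do not change the signature.
    Two session variables holding the same value cannot be told apart here; a
    real deployment would need richer typing of the variables."""
    by_value = {str(v): k for k, v in session.items()}

    def repl(match):
        literal = match.group(0)
        if literal.startswith("'"):
            value = literal[1:-1].replace("''", "'")
        else:
            value = literal
        name = by_value.get(value)
        return f"${name}" if name is not None else "?"

    return " ".join(LITERAL_RE.sub(repl, query).split())


def learn_signatures(observations):
    """observations: iterable of (page, query, session) from trusted traffic.
    Returns {page: set of signatures}."""
    allowed = defaultdict(set)
    for page, query, session in observations:
        allowed[page].add(symbolize(query, session))
    return allowed


def emr_protector(allowed, page, query, session):
    """'allow' if the query's signature was learnt for this page, else 'block'."""
    signature = symbolize(query, session)
    return "allow" if signature in allowed.get(page, set()) else "block"


# Constructed trusted traffic: two sessions viewing their own patient record.
OBSERVATIONS = [
    ("patient_view",
     "SELECT fname, lname, dob FROM patient_data WHERE pid = 17",
     {"user": "nancy", "role": "physician", "pid": 17}),
    ("patient_view",
     "SELECT fname,  lname, dob FROM patient_data WHERE pid = 42",
     {"user": "bob", "role": "physician", "pid": 42}),
    ("lab_results",
     "SELECT * FROM procedure_result WHERE pid = 17 AND date >= '2012-01-01'",
     {"user": "nancy", "role": "physician", "pid": 17}),
]


if __name__ == "__main__":
    allowed = learn_signatures(OBSERVATIONS)
    live = {"user": "nancy", "role": "physician", "pid": 17}
    for sig in sorted(allowed["patient_view"] | allowed["lab_results"]):
        print(sig)
    # Own record: allowed. Another patient's row, or a table the page never
    # touched, does not match any learnt signature and is blocked.
    print(emr_protector(allowed, "patient_view",
                        "SELECT fname, lname, dob FROM patient_data WHERE pid = 17", live))
    print(emr_protector(allowed, "patient_view",
                        "SELECT fname, lname, dob FROM patient_data WHERE pid = 99", live))
    print(emr_protector(allowed, "patient_view",
                        "SELECT * FROM users WHERE id = 17", live))
```

The date literal in the `lab_results` query is not bound to any session variable, so it becomes `?` and any date is accepted there, while the patient id stays tied to `$pid`; this is the distinction between a free input and a value the session fixes that the symbolization step is meant to capture.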
Benefits and Status
• Benefits:
– Security implementation can be made independent of a specific patient
portal, then verified and reused for others.
– Automatic inference scales to complex business logic and handles clinical
dynamics.
– New security mechanisms/policies can be transparently integrated.
• Current:
– Request Blocker and EMR Protector are based on the BLOCK and SENTINEL
systems, which we implemented for general-purpose web applications.
– Automatic inference of rule-based specifications is supported.
• Future:
– Enhance the inference engine with evidence-based (statistical) features to
handle clinical dynamics.
– Better integrate Request Blocker and EMR Protector with central decision
engine.
Q&A
• This work was supported by NSF TRUST (The Team for
Research in Ubiquitous Secure Technology) Science and
Technology Center (CCF-0424422).
Thank you