Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

NIST Electronic Health Record Approved Test Procedures Version 1.0
From: Shawn Merdinger <shawnmer () gmail com>
Date: Fri, 22 Oct 2010 12:26:05 -0400

Hi FD,

"The list below contains the Approved Test Procedures, Version 1.0,
for evaluating conformance of complete EHRs and/or EHR Modules to the
initial set of standards, implementation specifications, and
certification criteria defined in the Health Information Technology:
Initial Set of Standards, Implementation Specifications, and
Certification Criteria published on July 13, 2010." [1]

An example of testing under the "170.302.t Authentication" criteria [2]

<snip>

This test procedure consists of one section:
Verify authorization– evaluates the capability to verify that a person
or entity seeking access to electronic health information is the one
claimed and is authorized
o The Tester creates a new user account and assigns permissions
o The Tester performs an action authorized by the assigned permissions
and verifies that the authorized activity was performed
o The Tester performs an action that is not authorized by the assigned
permissions and verifies that the action was not performed
o The Tester deletes (e.g., deactivates or disables) the user account
o The Tester attempts to login to the account and verifies that the
login attempt failed

</snip>

Fwiw, we'll likely need more work on these kinds of requirements if
testing is even going to begin to address issues such as, for example,
McKesson's use of hardcoded passwords. [3]

After all, a good chunk of the American Recovery and Investment Act of
2009 is going to towards health IT investments and incentives. [4]

Electronic Health Record search at www.recovery.gov  [5]

Cheers,
--scm


[1]  http://healthcare.nist.gov/use_testing/finalized_requirements.html
[2]  http://healthcare.nist.gov/docs/170.302.t_Authentication_v1.0.pdf
[3]  http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2009-10/msg00140.html
[4]  http://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009#Healthcare
[5]  http://www.recovery.gov/espsearch/Pages/default.aspx?k=EHR

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • NIST Electronic Health Record Approved Test Procedures Version 1.0 Shawn Merdinger (Oct 22)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault