Full Disclosure mailing list archives

NIST Electronic Health Record Approved Test Procedures Version 1.0
From: Shawn Merdinger <shawnmer () gmail com>
Date: Fri, 22 Oct 2010 12:26:05 -0400

Hi FD,

"The list below contains the Approved Test Procedures, Version 1.0,
for evaluating conformance of complete EHRs and/or EHR Modules to the
initial set of standards, implementation specifications, and
certification criteria defined in the Health Information Technology:
Initial Set of Standards, Implementation Specifications, and
Certification Criteria published on July 13, 2010." [1]

An example of testing under the "170.302.t Authentication" criterion [2]:


This test procedure consists of one section:

Verify authorization – evaluates the capability to verify that a person
or entity seeking access to electronic health information is the one
claimed and is authorized

- The Tester creates a new user account and assigns permissions
- The Tester performs an action authorized by the assigned permissions
  and verifies that the authorized activity was performed
- The Tester performs an action that is not authorized by the assigned
  permissions and verifies that the action was not performed
- The Tester deletes (e.g., deactivates or disables) the user account
- The Tester attempts to login to the account and verifies that the
  login attempt failed


Fwiw, we'll likely need more work on these kinds of requirements if
testing is even going to begin to address issues such as, for example,
McKesson's use of hardcoded passwords. [3]

After all, a good chunk of the American Recovery and Investment Act of
2009 is going towards health IT investments and incentives. [4]

Electronic Health Record search at www.recovery.gov [5]


[1] http://healthcare.nist.gov/use_testing/finalized_requirements.html
[2] http://healthcare.nist.gov/docs/170.302.t_Authentication_v1.0.pdf
[3] http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2009-10/msg00140.html
[4] http://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009#Healthcare
[5] http://www.recovery.gov/espsearch/Pages/default.aspx?k=EHR

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
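The five tester steps of the quoted 170.302.t "Verify authorization" section, written out as an automated check against a constructed in-memory stand-in for an EHR user store. This is an added example, not code from the post or from NIST; the EHRStub class, its method names and the "tester1" account are assumptions. Note that, as the post points out, a procedure of this shape says nothing about credentials that ship built into the product.

```python
"""Automated rendering of the 170.302.t 'Verify authorization' steps.
Constructed example: EHRStub is a toy stand-in, not any real product."""
import hashlib
import secrets


class EHRStub:
    """Minimal user store: salted password hash, permission set, active flag."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _hash(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, name, password, permissions):
        salt = secrets.token_bytes(16)
        self.users[name] = {"salt": salt, "hash": self._hash(salt, password),
                            "perms": set(permissions), "active": True}

    def login(self, name, password):
        u = self.users.get(name)
        if u is None or not u["active"]:
            return False  # unknown or deactivated account: same answer
        return secrets.compare_digest(u["hash"], self._hash(u["salt"], password))

    def perform(self, name, action):
        """Return True only if an active account holds the permission."""
        u = self.users.get(name)
        return bool(u and u["active"] and action in u["perms"])

    def deactivate(self, name):
        self.users[name]["active"] = False


def run_170_302_t(ehr):
    """Execute the tester steps in order; return step name -> passed."""
    results = {}
    # Step 1: create a new account and assign permissions
    ehr.create_user("tester1", "constructed-pw", ["view_record"])
    # Baseline (not a listed step): the fresh account can log in at all
    results["login_before_delete"] = ehr.login("tester1", "constructed-pw")
    # Step 2: authorized action is performed
    results["authorized_action_performed"] = ehr.perform("tester1", "view_record")
    # Step 3: unauthorized action is refused
    results["unauthorized_action_blocked"] = not ehr.perform("tester1", "delete_record")
    # Step 4: delete (deactivate) the account
    ehr.deactivate("tester1")
    # Step 5: login to the deleted account fails
    results["login_after_delete_fails"] = not ehr.login("tester1", "constructed-pw")
    return results
```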
