Posts Tagged ‘security’

128 bit encryption? Pshhh. Please, girl. I can hack that.

March 26, 2010

There was another good post by Schneier today about how even the most secure web services are more vulnerable than many people think. He links a paper that finds (what most hackers already know) that just because a communication is encrypted does not mean that it leaks no information about the data being transferred. I strongly recommend you at least read the abstract.

One of the more telling examples is being able to determine someone’s AGI (Adjusted Gross Income) by listening in on the volume and frequency of traffic on a popular web tax-preparation site:

The researchers studied a major online tax preparation site (which they don’t name) and found that it leaks a fairly accurate estimate of your Adjusted Gross Income (AGI). This happens because the exact set of questions you have to answer, and the exact data tables used in tax preparation, will vary based on your AGI.

To give one example, there is a particular interaction relating to a possible student loan interest calculation, that only happens if your AGI is between $115,000 and $145,000 — so that the presence or absence of the distinctively-sized message exchange relating to that calculation tells an eavesdropper whether your AGI is between $115,000 and $145,000. By assembling a set of clues like this, an eavesdropper can get a good fix on your AGI, plus information about your family status, and so on.

If this can be done with tax preparation sites, it can also be done with EMR portals. Also quoted in the paper:

Research shows that surprisingly detailed sensitive user data can be reliably inferred from the web traffic of a number of high-profile, top-of-the-line web applications

Here’s looking at you, online EMRs. A mutual friend and advisor for me and my client has been in the EMR business for 20 years and he is crazy over security. He strongly opposed any attempt to host Ankhos on the public Internet (which was part of our original plan). The bottom line is that encryption does not equal security. Security and data privacy are much harder to achieve than wrapping your traffic in encryption and putting ‘secure’ on your sales presentation.
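The leak described in the quoted passage, and what it takes to close it, as an added example that is not from the post or the paper. The response sizes, step names, the 4096-byte bucket and the fixed 16-byte encryption overhead are constructed assumptions; timing is not modelled.

```python
AEAD_OVERHEAD = 16   # assumption: fixed per-response cost; encryption otherwise preserves length
BUCKET = 4096        # assumption: padded responses are rounded up to a multiple of this

# Constructed plaintext response sizes (bytes) for a hypothetical flow; not measured from any site.
COMMON_STEPS = [("income_form", 2310), ("deductions_form", 3875), ("summary", 1504)]
LOAN_STEP = ("student_loan_worksheet", 2962)   # served only inside one AGI band


def flow(in_band, always_send=False):
    """Responses one user receives. With always_send, users outside the band
    get an empty dummy in the same position, so the message count is constant."""
    steps = list(COMMON_STEPS)
    if in_band:
        steps.insert(2, LOAN_STEP)
    elif always_send:
        steps.insert(2, ("dummy_worksheet", 0))
    return steps


def observed(steps, pad=False):
    """Ciphertext lengths visible on the wire, one per response."""
    sizes = []
    for _name, n in steps:
        if pad:
            n = max(1, -(-n // BUCKET)) * BUCKET   # round up; at least one bucket
        sizes.append(n + AEAD_OVERHEAD)
    return sizes


def leaks(pad, always_send):
    """True if the in-band and out-of-band traces differ for this configuration."""
    a = observed(flow(True, always_send), pad)
    b = observed(flow(False, always_send), pad)
    return a != b


def padding_cost(steps):
    """Extra bytes sent because of padding, for one flow."""
    return sum(observed(steps, pad=True)) - sum(observed(steps))


if __name__ == "__main__":
    for pad in (False, True):
        for always in (False, True):
            print(f"pad={pad!s:5} always_send={always!s:5} leaks={leaks(pad, always)}")
    print("padding cost, in-band flow:", padding_cost(flow(True)), "bytes")
```

Padding alone still leaks here because the number of responses differs; only padding combined with an unconditional exchange makes the two traces identical, at a bandwidth cost.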

EHR security report from Canada

March 23, 2010

I have Schneier on Security in my reader and he posted something interesting about EHR security today (link). Apparently, the Canadian government did a big audit of the Vancouver Coastal Health Authority and its record-keeping practices. They found lots of worrisome things such as outstanding user accounts and unknown back-doors.

Apparently, many of these issues have been addressed, but this audit puts in perspective how easy it is for a huge EHR system to outgrow its own security guidelines.

Security: Public primary keys bad?

February 12, 2010

I’d like to talk about a security aspect of web apps in general. I’ll try to keep the industry buzzwords to a minimum for the non-programmers.

Ankhos is a web application, an asynchronous one, at that. Asynchronous web applications use many web addresses to load only parts of themselves at once. This can make things seem faster and more responsive to the user.

In any asynchronous web application, web addresses are flying around left and right. These addresses aren’t typically seen by the user, but simple tools can tell you what these addresses are. In order to submit a comment or retrieve patient information, we have to hit the server and that means loading a webpage behind the scenes. Here are some fake examples:

(more…)

