Full Disclosure mailing list archives
NIST Electronic Health Record Approved Test Procedures Version 1.0
From: Shawn Merdinger <shawnmer () gmail com>
Date: Fri, 22 Oct 2010 12:26:05 -0400
Hi FD,

"The list below contains the Approved Test Procedures, Version 1.0, for evaluating conformance of complete EHRs and/or EHR Modules to the initial set of standards, implementation specifications, and certification criteria defined in the Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria published on July 13, 2010." [1]

An example of testing under the "170.302.t Authentication" criteria [2]:

<snip>
This test procedure consists of one section:

Verify authorization – evaluates the capability to verify that a person or entity seeking access to electronic health information is the one claimed and is authorized

o The Tester creates a new user account and assigns permissions
o The Tester performs an action authorized by the assigned permissions and verifies that the authorized activity was performed
o The Tester performs an action that is not authorized by the assigned permissions and verifies that the action was not performed
o The Tester deletes (e.g., deactivates or disables) the user account
o The Tester attempts to login to the account and verifies that the login attempt failed
</snip>

Fwiw, we'll likely need more work on these kinds of requirements if testing is even going to begin to address issues such as, for example, McKesson's use of hardcoded passwords. [3] After all, a good chunk of the American Recovery and Reinvestment Act of 2009 is going towards health IT investments and incentives. [4]

Electronic Health Record search at www.recovery.gov [5]

Cheers,
--scm

[1] http://healthcare.nist.gov/use_testing/finalized_requirements.html
[2] http://healthcare.nist.gov/docs/170.302.t_Authentication_v1.0.pdf
[3] http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2009-10/msg00140.html
[4] http://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009#Healthcare
[5] http://www.recovery.gov/espsearch/Pages/default.aspx?k=EHR
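The five 170.302(t) steps quoted in the post, run as an automated harness against a small stand-in EHR module, plus the extra step the post argues is missing. This is an added example and is not part of the original post, of NIST's test procedure, or of any vendor's product: the EhrModule class, its vendor "support" account and password, the candidate credential list and the session-after-deactivation check are all constructed here for illustration. The point it shows is that a module can pass every quoted step and still ship a hardcoded credential that only a separate default-credential check would catch.

```python
"""Conformance harness for the quoted 170.302(t) authorization steps.

Added example, not from the original post or from NIST. The EHR module
below is an in-memory stand-in built for this example; its vendor
'support' account is hypothetical and models the hardcoded-password
class of issue the post refers to, not any real product.
"""
import hashlib
import hmac
import os
import secrets


class EhrModule:
    """Minimal stand-in for an EHR module's user store and access checks."""

    # Hypothetical hardcoded vendor account (constructed for this example).
    VENDOR_ACCOUNTS = {"support": "Support123"}

    def __init__(self):
        self._users = {}  # name -> {"salt", "hash", "perms", "active"}
        for name, pw in self.VENDOR_ACCOUNTS.items():
            self.create_user(name, pw, {"read_chart", "write_chart", "admin"})

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_user(self, name, password, perms):
        salt = os.urandom(16)
        self._users[name] = {"salt": salt, "hash": self._hash(password, salt),
                             "perms": set(perms), "active": True}

    def deactivate_user(self, name):
        """Step 4: 'deletes (e.g., deactivates or disables)' the account."""
        self._users[name]["active"] = False

    def login(self, name, password):
        """Return a session, or None. Inactive accounts never log in."""
        u = self._users.get(name)
        if u is None or not u["active"]:
            return None
        if not hmac.compare_digest(u["hash"], self._hash(password, u["salt"])):
            return None
        return (name, secrets.token_hex(8))

    def perform(self, session, action):
        """True if the action was performed, False if it was refused.
        Re-checks 'active' so a session issued before deactivation dies."""
        name, _ = session
        u = self._users.get(name)
        return bool(u and u["active"] and action in u["perms"])


def run_nist_170_302_t(ehr):
    """Execute the five quoted steps; return {step: passed}.
    Also checks one thing the quoted steps do not: that a session obtained
    before deactivation can no longer act (an assumption about what a
    tester would want, not part of the NIST text)."""
    pw = secrets.token_urlsafe(12)
    ehr.create_user("tester", pw, {"read_chart"})
    session = ehr.login("tester", pw)
    results = {"create_and_assign": session is not None}
    results["authorized_action_performed"] = ehr.perform(session, "read_chart")
    results["unauthorized_action_refused"] = not ehr.perform(session, "write_chart")
    ehr.deactivate_user("tester")
    results["deactivated_login_fails"] = ehr.login("tester", pw) is None
    results["deactivated_session_refused"] = not ehr.perform(session, "read_chart")
    return results


def check_default_credentials(ehr, candidates):
    """The missing step: try known vendor/default credentials and return
    every pair that still yields a session."""
    return [(n, p) for n, p in candidates if ehr.login(n, p) is not None]


# Constructed candidate list; a real check would use the vendor's
# documentation, past advisories and a default-credential wordlist.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("support", "Support123"),
                       ("guest", "guest")]

if __name__ == "__main__":
    module = EhrModule()
    for step, ok in run_nist_170_302_t(module).items():
        print(f"{'PASS' if ok else 'FAIL'}  {step}")
    leaked = check_default_credentials(EhrModule(), DEFAULT_CREDENTIALS)
    print("hardcoded credentials accepted:", leaked)
```

The NIST steps all pass here, because they only exercise the account the tester created; the vendor account is never touched. The default-credential sweep runs against a fresh module so that the tester's own account cannot mask a hit, and reports the hardcoded pair. In a real assessment the candidate list would come from vendor documentation and published advisories rather than a constant in the script.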