Data validation:
o Data validation has to be performed on both the client and the server side.
o Protection from SQL Injection should be in place. Validation logic can be placed on different levels of the application. This attack vector is still one of the simplest to protect against, yet it is often exploited by cyber criminals.
o Protection from Cross-site Scripting (XSS) should be in place. This attack vector is still one of the simplest to protect against, yet it is often exploited by cyber criminals.
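The three validation points above in working form, as an added example that is not part of the original article: a server-side whitelist check that runs regardless of what the client already validated, a string-built query beside its parameterized replacement (the page's SQL Injection point), and HTML encoding at the output layer (the page's XSS point). The in-memory patient table, its schema and the sample rows are constructed for this example and are not from the article.

```python
import html
import re
import sqlite3

# Constructed in-memory patient table standing in for the application's
# database; the schema and rows are assumptions made for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO patient VALUES (?, ?)",
                     [(1, "Ada Lovelace"), (2, "Miles O'Brien")])
    conn.commit()
    return conn

# Whitelist pattern for a patient identifier: server-side validation that is
# repeated on the server no matter what the client-side script already checked.
PATIENT_ID = re.compile(r"^[0-9]{1,10}$")

def validate_patient_id(raw):
    """Reject anything that is not a plain decimal identifier."""
    if not PATIENT_ID.match(raw):
        raise ValueError("invalid patient id: %r" % raw)
    return int(raw)

def find_by_name_unsafe(conn, name):
    """Vulnerable form: user-supplied text is spliced into the SQL statement,
    so any quote character in the input becomes part of the query syntax."""
    sql = "SELECT id, name FROM patient WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def find_by_name_safe(conn, name):
    """Hardened form: the driver binds the value as data, never as SQL."""
    sql = "SELECT id, name FROM patient WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def unsafe_breaks_on(conn, name):
    """True when the string-built query cannot even be parsed for this input,
    which is the same weakness an attacker would drive with crafted input."""
    try:
        find_by_name_unsafe(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

def render_name_cell(name):
    """XSS defence at the output layer: HTML-encode data before it reaches the
    page, so markup stored in a record is displayed as text, not interpreted."""
    return "<td>%s</td>" % html.escape(name, quote=True)

if __name__ == "__main__":
    db = make_db()
    print(find_by_name_safe(db, "Miles O'Brien"))   # the apostrophe is bound as data
    print(unsafe_breaks_on(db, "Miles O'Brien"))    # the concatenated query is malformed
    print(render_name_cell("<b>Ada</b>"))           # rendered inert
```

A legitimate name containing an apostrophe is enough to show the difference: the concatenated query fails to parse, while the bound parameter is handled correctly, and the same property is what stops injected SQL from changing the statement's meaning.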
Audit Log:
o Each operation/action on protected health information (PHI) record(s), such as Create/Update/View/Print/Download, must be stored in the Audit Log. The information that has to be logged includes:
   - Who performed the operation/action?
   - When was the operation/action performed?
   - What operation/action was performed?
   - Which protected health information (PHI) record(s) was/were impacted?
   - How was/were the protected health information (PHI) record(s) changed (as a result of an Update operation)?
   - Patient's identity.
o Each login action (successful and unsuccessful) in the system has to be logged in the Audit Log.
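An audit entry that carries every field the list above requires, as an added example that is not part of the original article: who, when, what, which record(s), the patient's identity and, for an Update, a field-level diff answering how the record changed. Login attempts, successful or not, get their own entry. The action names are the five from the text; the event layout, the in-memory log class and the sample record values are assumptions made for this example. Because the "how" field of an Update necessarily contains PHI, the store this log is written to has to be a protected one.

```python
import json
from datetime import datetime, timezone

# The five PHI operations named in the requirement; anything else is rejected.
PHI_ACTIONS = {"Create", "Update", "View", "Print", "Download"}

def changed_fields(before, after):
    """Field-level diff of an Update, answering 'how was the record changed'."""
    keys = sorted(set(before) | set(after))
    return {k: {"from": before.get(k), "to": after.get(k)}
            for k in keys if before.get(k) != after.get(k)}

def phi_event(actor, action, record_ids, patient_id,
              before=None, after=None, when=None):
    """Build one audit entry for an operation on PHI record(s).

    'when' is an ISO 8601 timestamp; it defaults to the current UTC time and
    can be supplied explicitly so entries are reproducible in tests."""
    if action not in PHI_ACTIONS:
        raise ValueError("unknown PHI action: %r" % action)
    event = {
        "who": actor,
        "when": when or datetime.now(timezone.utc).isoformat(),
        "what": action,
        "records": sorted(record_ids),
        "patient": patient_id,
    }
    if action == "Update":
        event["how"] = changed_fields(before or {}, after or {})
    return event

def login_event(username, success, when=None):
    """Audit entry for a login attempt; failures are logged as well as successes."""
    return {"who": username,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "what": "Login",
            "success": bool(success)}

class AuditLog:
    """Append-only in-memory stand-in for the protected audit store (an
    assumption for this example; a real system writes to durable storage)."""
    def __init__(self):
        self._events = []

    def write(self, event):
        self._events.append(dict(event))
        return len(self._events)

    def events(self):
        return [dict(e) for e in self._events]

    def dump(self):
        """Serialise as JSON lines for the durable store."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._events)

if __name__ == "__main__":
    log = AuditLog()
    log.write(phi_event("dr.smith", "Update", ["rec-7"], "pat-42",
                        before={"phone": "555-0100"}, after={"phone": "555-0199"}))
    log.write(login_event("dr.smith", False))
    print(log.dump())
```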
Data storage:
o The system should not log any protected health information (PHI) data into unprotected log storage;
o All protected health information (PHI) data that is stored locally (local storage, cookies, etc.) must be encrypted;
o All passwords should be stored as hashed values;
o Data storage(s) must be backed up on a daily basis and must be recoverable in case of an emergency or accidental deletion. A regular backup procedure has to be established. If the system sends information elsewhere (for example, via email), then these messages should also be backed up or archived. Make sure that the backups are robust, available, and accessible only to authorized people.
o Access to data storage(s) should only be provided to authorized personnel:
   - All connection strings in Web/App configuration files or the system registry have to be encrypted;
   - All backups have to be stored in encrypted form.
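The "passwords stored as hashed values" requirement in working form, as an added example that is not part of the original article: a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) with a self-describing storage format and a constant-time comparison on verification. The algorithm choice, the iteration count and the `algorithm$iterations$salt$digest` layout are assumptions made for this example, not something the article specifies.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters (assumed for this example; raise the
# iteration count as hardware allows).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16

def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$digest.
    A fresh random salt per password means equal passwords hash differently."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())

def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the digest."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False          # not in the expected format (e.g. a plaintext record)
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password(stored, "correct horse battery staple"))  # True
    print(verify_password(stored, "wrong password"))                # False
```

Storing the iteration count alongside the digest lets the cost be raised later without invalidating existing records: verification reads the count from the stored value, and records can be rehashed on the next successful login.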
27 Cyber Warnings E-Magazine – February 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide