Assessment & Compliance Services Division
Innovative Web Application Proven Secure
Purpose Driven Security 
CASE STUDY: ALLSCRIPTS
Through its leadership role within NEPSI (National e-Prescribing Patient Safety Initiative), Allscripts has led the initiative toward electronic prescribing of medication by allowing free access to its eRx NOW™ web application.
In order to gain acceptance, it was crucial that Allscripts’ web application be secure and used only by authorized personnel. As the core application transmits, stores and processes ePHI (electronic private health information), business risks existed at multiple levels including: exposed protected information, legal liabilities, and reputation.
 
 
 Why Halock….
 
Allscripts had already performed its due diligence in assessing and testing the eRx NOW™ web application per regulation guidelines. It was Allscripts’ desire, however, to continue the testing and security assessment process at a more comprehensive level with an outside information security expert. Members of Halock’s assessment team and Allscripts’ CTO met to further discuss the intent and scope of a more in-depth assessment aimed at the eRx NOW™ web application layer and personnel security awareness.
Primary Assessment Objectives:
During the pre-assessment process, Halock and Allscripts determined the following primary objectives:
Exploit any vulnerabilities associated with Allscripts’ eRx NOW™ web application through ethical hacking (external)
Evaluate Allscripts’ security awareness through remote social engineering
Observe Allscripts’ incident response as a course of the above assessment examination efforts
 
 
 
The Result:
After performing the assessment, Halock determined that Allscripts’ eRx NOW™ web application contained no serious technical vulnerabilities within the operating system or platform. Additionally, Halock was unsuccessful in remotely bypassing perimeter access control either through technical vulnerabilities or social engineering. Finally, the procedural controls in place at the Allscripts’ help desk reduced the risk that an attacker could gain access to the eRx NOW™ web application as a new user and order prescription medication.
The Ongoing Commitment:
Allscripts’ vision of having all prescriptions written and delivered electronically is being realized with its eRx NOW™ web application. In order to achieve ubiquity though, it is important to prove to the user and consumer base that the eRx NOW™ web application is secure and will continue to be. Moreover, Allscripts is committed to following information security best practices for each and every application it develops and markets. In order to achieve Allscripts’ commitment to information security, Halock continues to provide on-going consulting services such as: vulnerability testing, ethical hacking, social engineering, and source code review.