Exploit vulnerabilities in CDA do not affect PCEHR core

The discovery of a set of vulnerabilities that could potentially lead to malicious content being added to clinical documents created using the clinical document architecture (CDA) standard is not a likely threat to the security of the PCEHR, a CDA expert says.

Last weekend, US physician and programmer Joshua Mandel revealed that he had discovered that certain style sheets used to display CDA documents in many commercially available electronic health record systems in the US could potentially leave those EHRs vulnerable to attacks from malicious code attached to CDA documents.

Dr Mandel alerted those vendors to the problem before revealing the vulnerabilities publicly, and has since provided an overview of three ways in which someone could potentially craft a malicious CDA document.

The vulnerabilities are of concern to Australian vendors of EHRs and secure messaging services, which also transfer CDA documents, as well as to the operators of the PCEHR, as CDA is used for all of the clinical documents uploaded to the system.

Australian CDA expert Grahame Grieve has posted a blog explaining the potential problem, which he says is not so much a CDA exploit as a problem related to the ubiquity of HTML.

Mr Grieve told a webinar organised by the Medical Software Industry Association (MSIA) that Dr Mandel had found the problem in some EHR systems that are in production use, and traced it to an HL7-designed style sheet, derivations of which are used by many EHR vendors as well as in the PCEHR to render CDA documents for viewing.

Mr Grieve said the problem was not an attack on the CDA itself but on the 'transform' used to view it.

“Technically, CDA is a static XML form; a transform converts it to an HTML form that you can view in the browser,” he said.

“The way you create this vulnerability is that you insert some content into the CDA that activates during the transform and does things that you do not expect once the HTML is loaded in the browser. So this is not an attack on CDA itself – it is an attack on the transform that people use to view the CDA.”

Mr Grieve – who emphasised that he was speaking as a member of the MSIA and not on behalf of NEHTA – said that in his opinion, while there was the potential to exploit this vulnerability, the threat profile for the PCEHR was very low.

“The PCEHR itself or any other CDA exchange system are completely unaffected by this,” he said. “The issue only arises when that transform runs and the documents are displayed. This includes any clinical system that views CDA documents, whether they come from the PCEHR or elsewhere, including the portals for the PCEHR, but the PCEHR core itself is not affected.

“To exploit this you need hacked CDA documents. Someone's got to hack CDA documents to get them in the system. Access to the PCEHR to upload documents is granted to a combination of a user, which is a person or an organisation, and to software. You can't just sit at home and try hacking this. You've basically got to compromise a certified system. Now that is possible, but it's much harder work than running scripts that pursue known exploits.”

Mr Grieve said the concern was not so much people hacking documents on their way into systems, or into the PCEHR itself, but rather a targeted attack on an individual user or their system.

“That is my assessment of the threat profile for the PCEHR and my evaluation is that it is extremely unlikely. There are a lot easier ways to attack a person than to take that route.”

However, he said there were concerns for software vendors outside of the PCEHR context, including for secure messaging vendors that use file-based transfer to transfer documents from clinical systems to message delivery systems, as it is potentially easier to get malicious CDA documents into that sort of system.

Mr Grieve said Dr Mandel had found three potential routes of attack. One is to use a nonXMLBody, or other unstructured content, that contains HTML. The PCEHR does not allow this, but it could prove a problem for point-to-point secure messaging.

Another is to insert attributes that execute JavaScript, which the transform then copies into the generated HTML. Mr Grieve said the PCEHR does not accept such documents, nor does its viewer copy the attributes across, so the PCEHR and any other system running the standard PCEHR viewer is immune to this attack.

The third attack is a bigger problem, as it uses external references: links to websites, or to images, placed in the document itself or in an attachment. There are some legitimate uses for external references, and it is not known whether any CDA document currently in the PCEHR contains them.
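The transform attack Mr Grieve describes above, and the three routes just listed, as an added example that is not code from the article, Dr Mandel, Mr Grieve or NEHTA: a Python pre-render check that a receiving system (a secure messaging gateway, say) could run over an inbound CDA document before it ever reaches an HL7-derived viewer stylesheet. It assumes CDA R2 in the urn:hl7-org:v3 namespace; the element names (nonXMLBody, linkHtml, renderMultiMedia, observationMedia) are from the CDA schema, the sample documents and the attacker.example host are constructed here, and the list of script-bearing URL schemes is this example's own choice, not HL7 or NEHTA guidance.

```python
"""Pre-render scan of a CDA document for the three narrative attack routes.

Added example, not code from the article, Dr Mandel, Mr Grieve or NEHTA.
Assumes CDA R2 (namespace urn:hl7-org:v3); element names are from the CDA
schema, the sample documents and the attacker.example host are constructed.
"""
from collections import Counter
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

HL7 = "urn:hl7-org:v3"
NS = {"hl7": HL7}
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}  # assumed deny-list, not from the page


def _local(tag):
    """Strip the namespace from an ElementTree tag or attribute name."""
    return tag.rsplit("}", 1)[-1]


def _scheme(value):
    return urlsplit(value.strip()).scheme.lower()


def _is_external(url):
    """A reference leaves the document if it carries a scheme or a host."""
    parts = urlsplit(url.strip())
    return bool(parts.scheme or parts.netloc)


def scan_cda(xml_text):
    """Return (route, detail) findings; an empty list means nothing suspicious."""
    root = ET.fromstring(xml_text)
    findings = []

    # Route 1: a nonXMLBody whose payload a naive viewer might inject as raw HTML.
    for body in root.iter(f"{{{HL7}}}nonXMLBody"):
        text = body.find("hl7:text", NS)
        media = text.get("mediaType", "unspecified") if text is not None else "unspecified"
        findings.append(("nonXMLBody", f"mediaType={media}"))

    # Routes 2 and 3a: walk each section narrative, the part the stylesheet renders.
    for section in root.iter(f"{{{HL7}}}section"):
        narrative = section.find("hl7:text", NS)
        if narrative is None:
            continue
        for el in narrative.iter():
            tag = _local(el.tag)
            for name, value in el.attrib.items():
                attr = _local(name).lower()
                # Event-handler names, or script-bearing URL values, survive a
                # stylesheet that copies attributes straight through to HTML.
                if attr.startswith("on") or _scheme(value) in SCRIPT_SCHEMES:
                    findings.append(("script-attribute", f"<{tag} {attr}={value!r}>"))
            # Hyperlinks that leave the document; fragment links like #meds are fine.
            if tag == "linkHtml":
                href = el.get("href", "")
                if _is_external(href) and _scheme(href) not in SCRIPT_SCHEMES:
                    findings.append(("external-reference", f"linkHtml href={href!r}"))

    # Route 3b: multimedia entries fetched by URL instead of carried inline.
    for media in root.iter(f"{{{HL7}}}observationMedia"):
        ref = media.find("hl7:value/hl7:reference", NS)
        if ref is not None and _is_external(ref.get("value", "")):
            findings.append(("external-reference",
                             f"observationMedia ID={media.get('ID')!r} value={ref.get('value')!r}"))
    return findings


def summarise(findings):
    """Count findings per route, e.g. {'external-reference': 2}."""
    return dict(Counter(route for route, _ in findings))


# Constructed sample 1: unstructured body carrying HTML (route 1).
SAMPLE_NONXML = """<ClinicalDocument xmlns="urn:hl7-org:v3"><title>Referral</title>
  <component><nonXMLBody>
    <text mediaType="text/html"><![CDATA[<p>Hello</p><script>alert(1)</script>]]></text>
  </nonXMLBody></component></ClinicalDocument>"""

# Constructed sample 2: an event handler the transform would copy (route 2) and two
# external references (route 3); the fragment link and styleCode are benign.
SAMPLE_STRUCTURED = """<ClinicalDocument xmlns="urn:hl7-org:v3"><title>Discharge Summary</title>
  <component><structuredBody><component><section><title>Medications</title>
    <text>
      <table border="1" onmouseover="alert(document.cookie)">
        <tr><td><content styleCode="Bold">Paracetamol</content></td></tr></table>
      <paragraph>See <linkHtml href="#meds">above</linkHtml> and
        <linkHtml href="http://attacker.example/track.gif">this site</linkHtml>.</paragraph>
      <renderMultiMedia referencedObject="img1"/>
    </text>
    <entry><observationMedia classCode="OBS" moodCode="EVN" ID="img1">
      <value mediaType="image/png"><reference value="http://attacker.example/x.png"/></value>
    </observationMedia></entry>
  </section></component></structuredBody></component></ClinicalDocument>"""

# Constructed sample 3: the same narrative with the hostile constructs removed.
SAMPLE_CLEAN = """<ClinicalDocument xmlns="urn:hl7-org:v3"><title>Discharge Summary</title>
  <component><structuredBody><component><section><title>Medications</title>
    <text><table border="1"><tr><td><content styleCode="Bold">Paracetamol</content></td></tr></table>
      <paragraph>See <linkHtml href="#meds">above</linkHtml>.</paragraph></text>
  </section></component></structuredBody></component></ClinicalDocument>"""

if __name__ == "__main__":
    for label, doc in [("nonXML", SAMPLE_NONXML), ("structured", SAMPLE_STRUCTURED), ("clean", SAMPLE_CLEAN)]:
        print(label, summarise(scan_cda(doc)), scan_cda(doc))
```

A gateway would reject or quarantine on any finding for the first two routes and, given the legitimate uses Mr Grieve mentions, treat the third as a policy decision: either reject external references outright or rewrite them so the viewer never fetches from an arbitrary host. The scan is deliberately run on the XML before the transform, because once the stylesheet has produced HTML the event handler and the remote image are indistinguishable from legitimate markup.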

Mr Grieve said that while it was unlikely, this method could not be ruled out and that permission to upload CDA documents containing external references through some certified systems may be revoked. He said all vendors should look closely at this issue and that Dr Mandel was preparing some best-practice security tips to avoid this and other problems.

In a statement issued by NEHTA today, the organisation said there were known vulnerabilities with the exchange of any type of document that contains links to external systems or document types.

“Vendors are aware of these risks and there is guidance available for vendors to protect their users,” the NEHTA statement reads. “CDA is a new type of document and there is similar guidance available to support vendors to address risks in these document types. The PCEHR currently has in place a number of protection mechanisms that are also available to software vendors to test their point-to-point systems.”

Mr Grieve said that if a hacker wanted to attack the PCEHR, there were much more straightforward methods than “fiddling with CDA documents”.

“This is a hard attack,” he said. “It is very low efficiency. There are much easier ways to attack a system if you want to than to do this, but what we are saying is that it is possible. [With] the PCEHR it would be extremely hard, but with point-to-point it would be somewhat easier, and people do need to look at that.”

Asked if he thought it was possible to attack CDA documents through SQL injection, Mr Grieve said this was highly unlikely. He said the PCEHR was “highly armoured” against SQL injections, so much so that the security measures used to defend against this threat actually caused the noted problem of people with apostrophes in their names not being able to register when the system went live in 2012.

Mr Grieve has written a plain English article looking at the lessons learned in using CDA for the PCEHR in the April issue of Pulse+IT magazine.

Posted in Australian eHealth

Tags: PCEHR


Copyright © 2017 Pulse+IT Magazine
No content published on this website can be reproduced by any person for any reason without the prior written permission of the publisher.