Information Security Testing
- Sara Di Gregorio
Step ID | Description | Precondition | Expected Results | Actual Results | Pass or Fail | Notes |
|---|---|---|---|---|---|---|
1 | OS Version | EMR system in installed and working | Latest release version of Ubuntu OS installed with all up-to-date security patches. |
|
|
|
2 | Data encryption strength | Available encryption program to encrypt critical data. | 1.Data’s is encrypted using the Linux operating systems disk encryption (LUKS encryption type – Linux) Unified Key Setup or equivalent. This ensure that the data is encrypted to a strength of at least 128bits with 256 bits preferred
2.Obtain signoff from Practice if hard drive encryption is not done for any reason. |
|
|
|
3 | Encrypting critical data on removable media. Any device that stores patient data has to be encrypted. This applies to USB memory sticks, tape, CD-RW or DVDs. Encryption of data must be the default way to store data outside of the server | EMR data is transferred onto a portable device. | 1.Use of an encryption program (TrueCrypt or Bit locker is recommended)
2.USB stick (or other removable media) is encrypted.
3.USB stick is kept in safety box that is physically secure and tracked to ensure information integrity. |
|
|
|
4 | Secure maintenance of all keys for decryption of critical data` | Encryption of critical data must occur. | 1.Written or soft decryption keys should be kept in a physical or virtual safety box respectively for Security. 2.The decryption keys should be provided to staff on a need to know basis depending on job function. 3.At least two people know where the keys are kept. Should have access to them. |
|
|
|
5 | RAID setup verification | Main server setup with RAID for data mirroring | 1.Check RAID setting and logs to confirm RAID software/hardware working properly. |
|
|
|
|
|
| 1.Confirm disks are mirrored by making change in OSCAR and observed the database in the mirror drive has been updated. 2.for hot swap drives servers, pull mirrored disk out (second hard drive) make changes to OSCAR (update patient info.) Insert second hard drive back to observe RAID recovery. Configure RAID software as necessary on eth hot swap process. |
|
|
|
|
|
|
|
|
|
|
1 | Firewall and Port security | Network access setup, OSCAR system in production | 1.Confirm router firewall is up. 2.Confirmed restricted port access (11042 or secure port and port 22 are only allowed or equivalent)
2.Limit access to the server to ports 22 and 11042 |
|
|
|
|
|
|
|
|
|
|
1 | Station lock | OSCAR system in production | 1.Confirm OSCAR work station has configured timeout lock that require user password to unlock. 2. confirm that work station user is either not able to change the timeout lock or are trained not to change that setting.
|
|
|
|
|
|
|
|
|
|
|
1 | Application time out | OSCAR system in production | 1.Confirm OSCAR server Tomcat setting that user session is terminated in 30 minutes or less when there is no activity. 2. Confirmed user is trained to close the browser or logout when they are away from the workstation for extended period of time. |
|
|
|