Posts for the month of August 2012

Web Security Best Practices in Medical Informatics: OWASP Top 10

A lot of what the Medical Informatics division does for Frontiers, the KUMC CTSA program, is install, configure, maintain, support, enhance, or--in a few cases--build from scratch systems to manage data, facilitate work-flow, and enforce policy in clinical and translational research.

As our development team grows, it's increasingly important that everybody is up to speed on best practices in secure web application development.

A few months ago, I picked up a copy of The Tangled Web by Michal Zalewski because while I was a long-time participant in the development of the architecture and standards for the Web, I didn't follow a lot of the nitty gritty details as they developed. Who knew that Internet Explorer would take back-ticks (`) around attribute values in HTML? I do now, thanks to Zalewski.

I was chatting with a couple teammates about the risks around drupal customization, and I suggested that they should read this book too. That seemed daunting, but we agreed that a reading group around the book looked like fun.

When I got out the calendar to plan the first meeting, I looked at the first few chapters and realized that the tour of the foundations of the Web provided there would be great if we had started a couple months ago. Plus, the book is much more browser-focused, while a lot of what we do is back-end integration with databases and such.

The OWASP Top 10 Web Application Security Risks looks like a better fit where we are right now:

  1. Injection
  2. Cross-Site Scripting (XSS)
  3. Broken Authentication and Session Management
  4. Insecure Direct Object References
  5. Cross-Site Request Forgery (CSRF)
  6. Security Misconfiguration
  7. Insecure Cryptographic Storage
  8. Failure to Restrict URL Access
  9. Insufficient Transport Layer Protection
  10. Unvalidated Redirects and Forwards

I expect we'll follow up with The Tangled Web in due course.

Meanwhile, I notice there's a OWASP Kansas City chapter that meets Wed. Sept 12, 2012 6:30 PM at McCoys Foundry in Westport. That reminds me... we have an open position for a Biomedical Informatics Software Engineer.

HERON Cedar Bluff release incorporates procedure orders, note types, ICD9CM update

Cedar Bluff release includes bug fixes and introduces new data types to the repository. 

  • Procedure orders searchable. This included all procedure orders in O2, not just those ordered and fulfilled.
  • Note types allows you to limit searches to only records with a particular type of note.
  • Expected length of stay is a new quality measure added to the Length of Stay folder.
  • Thanks to Oregon Health & Science University for help with Diagnosis Mapping from ICD9-CM in UMLS. (#441)

HERON Cedar Bluff Contents Summary

This month, our tour of rivers and lakes in Kansas honors Cedar Bluff Reservoir.

The HERON repository contains approximately 850 million real observations from the hospital, clinics, and research systems:

Observation Patients Source Go-Live Snapshot Issues
Demographics 18.2M 1.92M
KUH Billing (O2 via SMS) 1980s July 2012 various*
UKP Billing 2000 July 2012
12.3K 12.3K Frontiers participant registry Jun 2009 July 2012
185K 185k Social Security Death Index 1962 July 2012
Diagnoses (IDC9) 32.4M 626K
KUH/O2/Epic Nov 2007 July 2012 various*
UKP Billing 2000 July 2012
University HealthSystem Consortium (UHC) Q4 2008 June 2012
Medications 120M 269K
KUH/O2/Epic Nov 2007 July 2012 various*
Nursing Observations 502M ?
KUH/O2/Epic Nov 2007 July 2012 various*
Lab Results 76.8M 271K
KUH/O2/Epic 2003 July 2012 various*
Procedure Orders 50.5M ?
KUH/O2/Epic 2003 (?) July 2012 #1363, various*
Procedures (CPT) 10.2M 559K
UKP Billing 2000 July 2012
Reports/Notes 2.32M ?
KUH/O2/Epic ? July 2012 #1363
Specimens 33.4K 3.13K
KUMC Biospecimen Repository ? July 2012
Visit Details 2.28M
KUH/O2/Epic Nov 2007 July 2012
Cancer Cases 9.4M 64.3K
KUH Cancer Registry 1950s July 2012 labels*
Hospital Quality Metrics 3.64M 56.9K
University HealthSystem Consortium (UHC) Q4 2008 June 2012 #1359, #1364
Triple Negative Breast Cancer Registry (BRCA) 16.6K 126
REDCap July 2011 July 2012
All 851M


Some material in the UMLS Metathesaurus is from copyrighted sources of the respective copyright holders. Users of the UMLS Metathesaurus are solely responsible for compliance with any copyright, patent or trademark restrictions and are referred to the copyright, patent or trademark notices appearing in the original sources, all of which are hereby incorporated by reference.

Beta Disclaimer

We are providing this early access to obtain feedback from you, the research community. While we are actively working on validating the data loaded into the system with hospital and clinic technical staff, there may be problems with our translation of data from our source systems (HospitalEpicSource and ClinicIdxSource) into HERON.

Please email us at if you discover information you believe may be erroneous.

We are actively working on enhancing the types of data included. Stay tuned to our roadmap to track progress toward upcoming releases.

Various Issues Still Apply

Keep in mind the issues noted in the original HERON beta notice, including:

Enhancements and Problems/Defects/Issues Addressed in this Release

No results

Outstanding Problems/Defects/Issues