Web Security Best Practices in Medical Informatics: OWASP Top 10
A lot of what the Medical Informatics division does for Frontiers, the KUMC CTSA program, is install, configure, maintain, support, enhance, or--in a few cases--build from scratch systems to manage data, facilitate work-flow, and enforce policy in clinical and translational research.
As our development team grows, it's increasingly important that everybody is up to speed on best practices in secure web application development.
A few months ago, I picked up a copy of The Tangled Web by Michal Zalewski because, while I was a long-time participant in the development of the architecture and standards for the Web, I didn't follow a lot of the nitty-gritty details as they developed. Who knew that Internet Explorer would take back-ticks (`) around attribute values in HTML? I do now, thanks to Zalewski.
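One defensive consequence of that back-tick quirk, shown here as an added example rather than code from the post or from KUMC: an attribute-context encoder that hex-encodes every non-alphanumeric character, so a back-tick, like a quote, never survives into the markup. The names `encode_for_html_attribute`, `naive_escape`, `leaves_delimiter` and `render_input` are chosen for this illustration, and the sample value is constructed.

```python
import html
import re

# Only letters and digits pass through unchanged; everything else becomes &#xHH;
# (the OWASP "encode all non-alphanumerics" rule for the attribute context).
_ALNUM = re.compile(r"[A-Za-z0-9]")


def encode_for_html_attribute(value: str) -> str:
    """Encode a string for insertion inside a quoted HTML attribute value.

    Escaping only the quote characters is not enough: as the post notes,
    Internet Explorer also accepted back-ticks as attribute delimiters, so a
    back-tick in user data could end a back-tick-quoted attribute. Encoding
    every non-alphanumeric character removes the need to know which
    delimiters each browser honours.
    """
    return "".join(c if _ALNUM.match(c) else f"&#x{ord(c):X};" for c in value)


def naive_escape(value: str) -> str:
    """The common 'escape quotes and angle brackets' approach, for comparison."""
    return html.escape(value, quote=True)


def leaves_delimiter(escaper, value: str) -> bool:
    """True if the escaper's output still contains a character a browser
    might treat as an attribute delimiter or tag boundary."""
    encoded = escaper(value)
    return any(ch in encoded for ch in "\"'`<>")


def render_input(name: str, value: str) -> str:
    """Build an <input> tag with both attributes encoded for the attribute context."""
    return (f'<input type="text" name="{encode_for_html_attribute(name)}" '
            f'value="{encode_for_html_attribute(value)}">')


if __name__ == "__main__":
    # Constructed sample: a name containing a back-tick and both quote styles.
    sample = "O`Brien's \"nickname\""
    print("naive  :", naive_escape(sample),
          "| delimiter left:", leaves_delimiter(naive_escape, sample))
    print("encoded:", encode_for_html_attribute(sample),
          "| delimiter left:", leaves_delimiter(encode_for_html_attribute, sample))
    print(render_input("patient name", sample))
```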
I was chatting with a couple of teammates about the risks around Drupal customization, and I suggested that they should read this book too. That seemed daunting, but we agreed that a reading group around the book looked like fun.
When I got out the calendar to plan the first meeting, I looked at the first few chapters and realized that the tour of the foundations of the Web provided there would have been great if we had started a couple of months ago. Plus, the book is much more browser-focused, while a lot of what we do is back-end integration with databases and such.
The OWASP Top 10 Web Application Security Risks looks like a better fit where we are right now:
- Injection
- Cross-Site Scripting (XSS)
- Broken Authentication and Session Management
- Insecure Direct Object References
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration
- Insecure Cryptographic Storage
- Failure to Restrict URL Access
- Insufficient Transport Layer Protection
- Unvalidated Redirects and Forwards
I expect we'll follow up with The Tangled Web in due course.
Meanwhile, I notice there's an OWASP Kansas City chapter that meets Wed. Sept 12, 2012 6:30 PM at McCoys Foundry in Westport. That reminds me... we have an open position for a Biomedical Informatics Software Engineer.
HERON Cedar Bluff release incorporates procedure orders, note types, ICD9CM update
Cedar Bluff release includes bug fixes and introduces new data types to the repository.
- Procedure orders are searchable. This includes all procedure orders in O2, not just those ordered and fulfilled.
- Note types allow you to limit searches to only records with a particular type of note.
- Expected length of stay is a new quality measure added to the Length of Stay folder.
- Thanks to Oregon Health & Science University for help with Diagnosis Mapping from ICD9-CM in UMLS. (#441)
HERON Cedar Bluff Contents Summary
This month, our tour of rivers and lakes in Kansas honors Cedar Bluff Reservoir.
The HERON repository contains approximately 850 million real observations from the hospital, clinics, and research systems:
Observation | Count | Patients | Source | Go-Live | Snapshot | Issues
---|---|---|---|---|---|---
Demographics | 18.2M | 1.92M | KUH Billing (O2 via SMS) | 1980s | July 2012 | various*
 | | | UKP Billing | 2000 | July 2012 |
 | 12.3K | 12.3K | Frontiers participant registry | Jun 2009 | July 2012 |
 | 185K | 185K | Social Security Death Index | 1962 | July 2012 |
Diagnoses (ICD9) | 32.4M | 626K | KUH/O2/Epic | Nov 2007 | July 2012 | various*
 | | | UKP Billing | 2000 | July 2012 |
 | | | University HealthSystem Consortium (UHC) | Q4 2008 | June 2012 |
Medications | 120M | 269K | KUH/O2/Epic | Nov 2007 | July 2012 | various*
Nursing Observations | 502M | ? | KUH/O2/Epic | Nov 2007 | July 2012 | various*
Lab Results | 76.8M | 271K | KUH/O2/Epic | 2003 | July 2012 | various*
Procedure Orders | 50.5M | ? | KUH/O2/Epic | 2003 (?) | July 2012 | #1363, various*
Procedures (CPT) | 10.2M | 559K | UKP Billing | 2000 | July 2012 |
Reports/Notes | 2.32M | ? | KUH/O2/Epic | ? | July 2012 | #1363
Specimens | 33.4K | 3.13K | KUMC Biospecimen Repository | ? | July 2012 |
Visit Details | 2.28M | | KUH/O2/Epic | Nov 2007 | July 2012 |
Cancer Cases | 9.4M | 64.3K | KUH Cancer Registry | 1950s | July 2012 | labels*
Hospital Quality Metrics | 3.64M | 56.9K | University HealthSystem Consortium (UHC) | Q4 2008 | June 2012 | #1359, #1364
Triple Negative Breast Cancer Registry (BRCA) | 16.6K | 126 | REDCap | July 2011 | July 2012 |
All | 851M | | | | |
Notice
Some material in the UMLS Metathesaurus is from copyrighted sources of the respective copyright holders. Users of the UMLS Metathesaurus are solely responsible for compliance with any copyright, patent or trademark restrictions and are referred to the copyright, patent or trademark notices appearing in the original sources, all of which are hereby incorporated by reference.
Beta Disclaimer
We are providing this early access to obtain feedback from you, the research community. While we are actively working on validating the data loaded into the system with hospital and clinic technical staff, there may be problems with our translation of data from our source systems (HospitalEpicSource and ClinicIdxSource) into HERON.
Please email us at heron-admin@kumc.edu if you discover information you believe may be erroneous.
We are actively working on enhancing the types of data included. Stay tuned to our roadmap to track progress toward upcoming releases.
Various Issues Still Apply
Keep in mind the issues noted in the original HERON beta notice, including:
- date shifting, part of our DeIdentificationStrategy
- age searching (#158)
Enhancements and Problems/Defects/Issues Addressed in this Release
No results
Outstanding Problems/Defects/Issues
Ticket | Summary | Keywords
---|---|---
#2301 | constraining birth-date by date doesn't work - HERON uses sysdate for start_date in demographics | public-web wrong-results training
#2617 | Saved searches not updated in REDCap projects after Arkansas release | public-web redcap-to-heron