Introduction

The Airius Risk Maturity Knowledgebase is intended to give you a snapshot of those things in the world affecting information risk for April 29th through May 5th, 2023.

From HealthIT . . .

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable Security Risk Assessment (SRA) Tool to help guide you through the process. The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare & Medicaid Services (CMS) Electronic Health Record (EHR) Incentive Program. The target audience of this tool is medium and small providers; thus, use of this tool may not be appropriate for larger organizations.

What is wrong with the Security Risk Assessment (SRA) Toolkit?

HHS offers the "SRA Tool" (Security Risk Assessment Tool | HealthIT.gov). It is intended to guide senior management within medical practices toward handling risk more responsibly.

Windows ONLY

The problem is that it is only available for Windows. It is built in Java and could run on any platform with a Java runtime; the packager wraps it in an MSI, and that Windows-only packaging is the only proprietary part.

Free, like the Trojan horse

There are no license restrictions at all, so it is potentially public domain. The big problem is that it is closed: the source code is not shared, and the design documents are not available for review. For the SRA tool to run, it needs to be installed on a Windows computer and used by someone who has access to a great deal of risk information about a healthcare practice. A free software application that provides no information about its constituent parts, how it operates, or what its license obligations are can impose unanticipated risks on a practice risk manager.

A covered entity is fully responsible for ALL of the ePHI that it creates and manages. As a result, vendor risk, and the risk introduced by third-party applications, solutions, software and hardware, needs to be carefully assessed.

This is a five-year-old project, built using open source Java packages, but with its license information hidden.


  • It is closed source
  • It is ONLY available for Windows because of the MSI packager
  • It is 100% old Java, not obfuscated, and poorly written

Disassembling the SRA tool

  1. Download the MSI file.
  2. Use lessmsi (v1.10.0) to open the MSI file and extract its contents.
  3. Write the extracted compiled code (the Java JAR files) to disk. At this point it runs as Java on a Chromebook or macOS as well.
  4. Use jd-gui (v1.6.6) to decompile the Java JARs into source.

Now we scan the code

Our team used Checkmarx to FINALLY do the one thing that has not been done in 5 years: scan what is in this code.


Bill of Materials

Our friends at Revenera helped us to assess the extracted source code further.
They found 50 open source projects with licenses including GPLv2, Apache, BSD, MIT and more. The source is currently not available, no license information is published, and the third-party attribution that those licenses require is missing.

What does this mean?

The SRA Toolkit was built using a number of open sourced frameworks.

  1. License obligations - copyleft licenses such as GPLv2 require attribution, and require that source code be made available along with the distributed package
  2. Vulnerabilities - installing this package does not include automatic vulnerability management. Nearly 30 vulnerabilities, including 8 severe ones, were found within the current release of the SRA Toolkit.
  3. Obfuscation - the package was intentionally modified to hide the sources, not include the attribution statements, not include the source, and hide exactly what is being used as part of this SRA Toolkit.
  4. Violation of security rule - it is impossible for a Covered Entity to determine the appropriate risk associated with this tool and its potential exposure to ePHI and critical risk management data.
  5. Supply Chain Integrity - users of this SRA Toolkit have no assurance regarding the provenance of the code that makes this tool. The analysis herein confirms that any trust in this tool would be misplaced, since it represents a number of severe operational risks.
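The license and supply-chain points above come down to one question a covered entity has to answer before trusting a packaged application: what components does it ship, under which licenses, and are the attribution and source obligations met? The following is an added example written for this post (it is not the SRA Toolkit's code, nor Revenera's or Checkmarx's tooling) of a minimal bill-of-materials pass over the JAR files extracted from a Java bundle: it reads each JAR's Maven pom.properties for its coordinates, fingerprints any bundled license text, checks the application's NOTICE text for attribution, and lists the resulting obligations. The JARs, the component name org.example:examplelib and the NOTICE text are constructed in memory for the demonstration; a real review would run a proper license scanner and a vulnerability feed over the same inventory.

```python
"""Minimal bill of materials for the JARs a packaged Java application ships.

Added example for this post, not the SRA Toolkit's own code. The sample JARs,
the component org.example:examplelib and the NOTICE text are constructed here.
"""
import io
import re
import zipfile
from dataclasses import dataclass

# License text fingerprints -> (label, is_copyleft). A teaching subset only;
# a real review uses a full license scanner.
LICENSE_PATTERNS = [
    (re.compile(r"GNU GENERAL PUBLIC LICENSE\s+Version 2", re.I), "GPL-2.0", True),
    (re.compile(r"GNU LESSER GENERAL PUBLIC LICENSE", re.I), "LGPL", True),
    (re.compile(r"Apache License\s+Version 2\.0", re.I), "Apache-2.0", False),
    (re.compile(r"Permission is hereby granted, free of charge", re.I), "MIT", False),
    (re.compile(r"Redistribution and use in source and binary forms", re.I), "BSD", False),
]


@dataclass
class Component:
    jar: str           # file name of the JAR
    coordinates: str   # group:artifact:version from pom.properties, or "unknown"
    license: str       # label from LICENSE_PATTERNS, or "unknown"
    copyleft: bool     # True when the license carries source-distribution duties
    attributed: bool   # True when the component is named in the NOTICE text


def parse_pom_properties(text: str) -> dict:
    """Parse the key=value lines of a Maven pom.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def identify_license(text: str):
    """Map bundled license text to a label; unrecognised text stays 'unknown'."""
    for pattern, label, copyleft in LICENSE_PATTERNS:
        if pattern.search(text):
            return label, copyleft
    return "unknown", False


def inventory_jar(jar_name: str, jar_bytes: bytes, notice_text: str) -> Component:
    """Read Maven coordinates and any META-INF license file from one JAR."""
    coords, license_label, copyleft = "unknown", "unknown", False
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.startswith("meta-inf/maven/") and lower.endswith("pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    coords = f"{props['groupId']}:{props['artifactId']}:{props['version']}"
            elif lower.startswith("meta-inf/") and "license" in lower:
                license_label, copyleft = identify_license(zf.read(name).decode("utf-8", "replace"))
    artifact = coords.split(":")[1] if coords != "unknown" else jar_name
    return Component(jar_name, coords, license_label, copyleft, artifact in notice_text)


def build_bom(jars: dict, notice_text: str = "") -> list:
    """Inventory every JAR in {file name: bytes}, in a stable order."""
    return [inventory_jar(name, data, notice_text) for name, data in sorted(jars.items())]


def license_findings(bom: list) -> list:
    """Obligations the distributor has not visibly met, one finding per component."""
    findings = []
    for c in bom:
        if c.license == "unknown":
            findings.append(f"{c.jar}: no license or Maven metadata found; provenance unknown")
        elif c.copyleft and not c.attributed:
            findings.append(f"{c.coordinates}: {c.license} is copyleft; license text, attribution "
                            "and a source offer must accompany the distribution")
        elif not c.attributed:
            findings.append(f"{c.coordinates}: {c.license} requires attribution; none found in NOTICE")
    return findings


def make_jar(files: dict) -> bytes:
    """Build an in-memory JAR (a zip archive) from {path: text}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()


# Constructed sample JARs standing in for an extracted application bundle.
SAMPLE_JARS = {
    "commons-io-2.6.jar": make_jar({
        "META-INF/maven/commons-io/commons-io/pom.properties":
            "groupId=commons-io\nartifactId=commons-io\nversion=2.6\n",
        "META-INF/LICENSE.txt": "Apache License\nVersion 2.0, January 2004\n",
    }),
    "examplelib-1.0.jar": make_jar({  # hypothetical component name
        "META-INF/maven/org.example/examplelib/pom.properties":
            "groupId=org.example\nartifactId=examplelib\nversion=1.0\n",
        "META-INF/LICENSE": "GNU GENERAL PUBLIC LICENSE\nVersion 2, June 1991\n",
    }),
    "mystery.jar": make_jar({"com/example/Foo.class": "\x00"}),  # no metadata at all
}
# Constructed NOTICE text: only commons-io is credited.
SAMPLE_NOTICE = "This product includes Apache Commons IO (commons-io)."

if __name__ == "__main__":
    bom = build_bom(SAMPLE_JARS, SAMPLE_NOTICE)
    for c in bom:
        print(f"{c.jar:20} {c.coordinates:28} {c.license:10} copyleft={c.copyleft} attributed={c.attributed}")
    for finding in license_findings(bom):
        print("FINDING:", finding)
```

Run against the constructed bundle, the inventory credits commons-io (Apache-2.0, attributed), flags the GPLv2 component as an unmet copyleft obligation, and reports the JAR with no metadata as unknown provenance; the same three outcomes are exactly what a covered entity needs to see before deciding whether a tool can touch its risk data.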

What is an alternative to the JAVA SRA?

We built the Security Risk Assessment Toolkit online.

  1. Click Here >>> Free Risk Assessment <<<
  2. Up to 153 questions, 7 sections, like the JAVA SRA Toolkit
  3. Airius site is built around WordPress
  4. It is hosted through GoDaddy
  5. The Toolkit is built using Formidable Forms, a licensed plugin for WordPress
  6. Attribution is given to Health and Human Services throughout the Assessment
  7. The code is PHP, JavaScript and CSS. The code is not obfuscated; most of it can be reviewed by viewing the page source, and we can do a private session and show any code that generates a page
  8. The SRA Toolkit generates graphs upon completion and a certificate. The certificate carries a score, a date and a list of all evidence provided
  9. We are available to assist at any time, but the basic SRA Toolkit is free

Conclusion

While it is admirable that the HHS and the ONC combined to make HIPAA compliance tools available, it is a shame that their effort was ill advised and potentially introduces significant risk to a user.

Our research used a number of tools:

  1. Checkmarx - We are Certified Sales Partners, Partner Engineers and Professional Service Engineers
  2. Revenera - (formerly Palamida). They specialize in solutions that help companies understand what's in the code they use and identify security and license compliance issues.

The commercial and open sourced tools took a great deal of expertise to operate. This project took six weeks and involved ten engineers at three different companies. All of the commercial tools were properly licensed, and the realistic cost for this project would quickly exceed $70,000.

If you need help with achieving HIPAA compliance, you can contact us at info@airius.com.

We are a team of experts who can provide you with customized solutions and support for your HIPAA compliance needs. We can help you with:

  • Conducting a risk analysis and implementing security safeguards
  • Developing and updating policies and procedures
  • Training staff on HIPAA compliance
  • Monitoring and auditing your compliance activities
  • Responding to breaches or incidents
  • And more

Don’t wait until it’s too late. Contact us today and let us help you achieve HIPAA compliance with confidence and ease.

Regulatory compliance with Airius

Notable Mentions

We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 150 core contributors who have devoted their time and resources to helping us provide up-to-date information. Send your stories and announcements to knowledgebase@airius.com

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information.

Can you translate the blog? Please reach out.

Ready to Help!

If we can help you with risk management, SOC reporting, an emergency or you just need guidance with INFOSEC, please reach out to us.

  • Ernest M. Park, Airius, LLC, 2023
