PopMedNet Security Audit - 2013

Security Audit

Overview

This review was performed as part of a project entitled "Health Care Systems Research Collaboratory Coordinating Center" (the "Project"), awarded to Harvard Pilgrim Health Care Institute by Duke University ("Funding Agency") effective 30 September 2012 under Prime Award #U54AT007748 and CFDA #93.213 (the "Prime Contract"), with Richard Platt as HPHC's Project Director and Michael Sullivan as Project Director for the Cooperating Institution (Lincoln Peak Partners, or LPP). The "Harvard Pilgrim - Statement of Work Health Care Systems Research Collaboratory" specifies a request from the United States Department of Health and Human Services National Institutes of Health for an Independent Software Security Review, specifically:

“Lincoln Peak will contract with a trustworthy third party in order to perform an independent security audit/review of the PopMedNet version 3.x software. Upon completion of the security audit, Lincoln Peak will deliver the audit report and documentation of any issues found to Harvard Pilgrim.” 

An audit report and documentation of issues was prepared in response to the requirements detailed above. 

Pivot Point Security, which specializes in application security code reviews, was selected as the third-party auditor and was provided with a complete source tree of the application, including components that are not deployed to production. Pivot Point Security performed a security review of this source and delivered a security report. LPP reviewed the report and provided a response to each item.

Findings

In summary, the following critical defects were found. Because none of them is part of the production deployment, and so none appears in any form on the production site, no remediation is required:

  • Component defect in an artifact of our development process.
  • Component defect in a pilot program that is not intended for production use and not deployed to production sites.
  • Defect in sample code that is not intended for production.

The following defects were found in third-party components that are included with the application, but they do not rise to the level of "critical", "major", "suspect", or "minor". Since these do not constitute critical issues, no remediation is required:

  • Defect in released versions of Microsoft .NET components included with the application.
  • Defect in released versions of Open Source components included with the application.

Two defects in the web configuration were also found. Because these defects are critical and are present in the production deployment of the application, remediation was required. A remediation plan was developed for each defect, and both defects were resolved in the PopMedNet version 4.0.2 release.