Details
- Change Request
- Resolution: Persuasive with Modification
- Medium
- US Da Vinci HRex (FHIR)
- current
- Clinical Interoperability Council
- HRex Member Match Operation
- Bob Dieterle / Jay Lyle : 13-0-0
- Clarification
- Compatible, substantive
- Yes
Description
It's straightforward for hackers to get access to a set of matching demographics (name, gender and date of birth). So one of the key elements of a match is matching on the insurance card information. In theory, a malicious actor could brute force calls to member match until they found the correct card number and would then be positioned to access information improperly. (Knowledge about age at enrollment (e.g. start of employment) could sometimes reduce the size of the number space to be brute forced.)
The specification should include something like:
"Servers SHALL monitor for and take measures to prevent brute force attacks where the same or similar set of demographics are repeatedly searched with differing card information in an attempt to achieve a match when the card information is unknown."
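The monitoring the proposed sentence asks for can be implemented as an audit-log check on the server side. The following is an added illustration, not part of the HRex specification or any reference implementation: it scans records of $member-match calls and flags a client that submits the same (or trivially similar, after normalisation) demographics with many differing coverage identifiers inside a time window, then exposes a policy hook a server could use to refuse further calls for that client and demographics. The log record shape, field names, window and threshold are assumptions; the sample log is constructed.

```python
"""Detect card-number enumeration against a FHIR $member-match endpoint.

Added example (not part of the HRex specification). Record layout,
window size and threshold are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class MatchAttempt:
    ts: datetime
    client_id: str      # OAuth client that invoked $member-match (assumed logged)
    family: str
    given: str
    gender: str
    birth_date: str     # ISO date as sent in the Patient resource
    member_id: str      # Coverage.identifier / card number submitted


def _norm(s: str) -> str:
    # Fold case and drop punctuation/whitespace so that "O'Brien" and "obrien"
    # collapse to one key: catches "similar" demographics, not only identical ones.
    return re.sub(r"[^a-z0-9]", "", s.casefold())


def demographic_key(a: MatchAttempt) -> tuple:
    return (_norm(a.family), _norm(a.given), _norm(a.gender), a.birth_date)


def detect_card_enumeration(attempts, window=timedelta(minutes=15), max_distinct_ids=5):
    """Return {(client_id, demographic_key): set_of_member_ids} for every client
    that, within some sliding window of length `window`, sent more than
    `max_distinct_ids` distinct coverage identifiers for one set of demographics.
    Legitimate use submits one card number per person; many different numbers
    for the same person is the brute-force pattern."""
    groups = defaultdict(list)
    for a in attempts:
        groups[(a.client_id, demographic_key(a))].append(a)
    flagged = {}
    for key, seq in groups.items():
        seq.sort(key=lambda x: x.ts)
        start = 0
        for end, cur in enumerate(seq):
            # advance the window start until all attempts in seq[start:end+1] fit
            while cur.ts - seq[start].ts > window:
                start += 1
            ids = {x.member_id for x in seq[start:end + 1]}
            if len(ids) > max_distinct_ids:
                flagged[key] = flagged.get(key, set()) | ids
    return flagged


def should_throttle(client_id: str, attempt: MatchAttempt, flagged) -> bool:
    """Policy hook: a server would answer HTTP 429 (or an OperationOutcome) for
    further $member-match calls from a client whose demographics are flagged."""
    return (client_id, demographic_key(attempt)) in flagged


# Constructed sample audit log (not real data).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_LOG = [
    # client "app-A": one person, seven different card numbers in six minutes
    MatchAttempt(T0 + timedelta(minutes=i), "app-A", "Smith", "Jane", "female",
                 "1985-03-14", f"XX-{1000 + i}")
    for i in range(7)
] + [
    # client "app-B": ordinary lookups for three different patients
    MatchAttempt(T0 + timedelta(minutes=1), "app-B", "Lee", "Ann", "female", "1970-01-01", "YY-1"),
    MatchAttempt(T0 + timedelta(minutes=2), "app-B", "Kim", "Tom", "male", "1990-06-30", "YY-2"),
    MatchAttempt(T0 + timedelta(minutes=3), "app-B", "Cho", "Sue", "female", "1982-11-11", "YY-3"),
    # client "app-C": a retry with the same card number (not enumeration)
    MatchAttempt(T0 + timedelta(minutes=4), "app-C", "Diaz", "Luis", "male", "1977-08-08", "ZZ-9"),
    MatchAttempt(T0 + timedelta(minutes=5), "app-C", "Diaz", "Luis", "male", "1977-08-08", "ZZ-9"),
]


def run_sample():
    return detect_card_enumeration(SAMPLE_LOG)


if __name__ == "__main__":
    for (client, demo), ids in run_sample().items():
        print(f"ALERT client={client} demographics={demo} distinct_card_ids={len(ids)}")
```

Only app-A is flagged: app-B queries three different people, and app-C repeats one card number, so neither exceeds the distinct-identifier threshold. The same grouping can be keyed without the client id to catch an attacker who rotates credentials, at the cost of more false positives from shared front ends.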