
Epiphany Healthcare Blog

Jim Stanczak


Epiphany's CERT Response – 8 December 2015

Posted by Jim Stanczak on December 8, 2015 at 4:42 PM

Overview

On 1 December 2015, the CERT Coordination Center (CERT/CC) issued Vulnerability Note VU#630239 (https://www.kb.cert.org/vuls/id/630239), “Epiphany Cardio Server version 3.3 is vulnerable to SQL and LDAP injection.”

The note described the following potential vulnerabilities in Epiphany’s Cardio Server version 3.3:

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2015-6537: “A SQL command may be inserted into the login page URL, causing the unauthenticated user to be logged in as an administrator.”

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CVE-2015-6538: “An LDAP query may be inserted into the login page URL, causing Cardio Server to perform an LDAP query to the IP address of the attacker's choice.”

These potential vulnerabilities were uncovered by penetration testing conducted by a third-party security firm; the testing was commissioned by a hospital on its Cardio Server 3.3 system. There is no evidence that either vulnerability was exploited on any of our installed systems around the world, and no evidence that patient information was accessed or changed. A patch has been released for both vulnerabilities on the affected versions.

Both vulnerabilities are reached through the login page and require that the attacker know a valid user name on the Cardio Server system; as the CVE-2015-6537 description notes, the SQL injection does not require that user's password. Customers running affected Cardio Server versions with login screens exposed directly to the Internet are at higher risk from both vulnerabilities.

Upon further review of these potential vulnerabilities, it has been determined that:

  • The SQL Injection vulnerability only affects Cardio Server version 3.3; and
  • The LDAP Injection vulnerability only affects Cardio Server version 3.3, 4.0 and 4.1.

Patches to eliminate these vulnerabilities for Cardio Server version 3.3, 4.0 and 4.1 are available from Epiphany Healthcare.  

1st Vulnerability Scenario—SQL Injection

“A SQL command may be inserted into the login page URL, causing the unauthenticated user to be logged in as an administrator.”

Vulnerability Mitigation

  • This potential vulnerability is only present in Cardio Server version 3.3. A patch to close the vulnerability is available. 

  • The potential vulnerability is limited to affected Cardio Server systems where a login page is displayed. If your facility uses a single sign-on solution that never presents the Cardio Server login screen to the user, this vulnerability does not apply.
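The following is an added illustration of the class of bug described in this scenario, not Cardio Server's own code (this post does not describe how the Cardio Server login page was implemented or patched). It shows a login handler that builds its SQL by string concatenation beside the same handler using bound parameters, and drives both from a login-page URL. The parameter names `user` and `pass`, the `users` table, the `admin` account, the password and the attack URL are all constructed for the example; plain SHA-256 stands in for a real password hash to keep the block short.

```python
"""Login-page SQL injection, illustrated: a handler that builds its WHERE
clause by string concatenation beside the parameterized fix. Hypothetical
code written for this post; not Cardio Server's implementation."""
import hashlib
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    """Constructed sample database with one administrator account.
    Plain SHA-256 stands in for a real (salted, slow) password hash."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    db.execute(
        "INSERT INTO users VALUES (?, ?, ?)",
        ("admin", hashlib.sha256(b"correct horse").hexdigest(), "administrator"),
    )
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """Vulnerable: the user name is pasted into the SQL text. A quote in it
    closes the string literal and whatever follows is parsed as SQL, so a
    user name of admin'-- turns the password check into a comment."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT role FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, username: str, password: str):
    """Fixed: the same check with bound parameters. The driver passes the
    user name as data, never as SQL, so admin'-- matches no account."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute(
        "SELECT role FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


def login_from_url(db: sqlite3.Connection, url: str, handler):
    """Read the credentials from a login-page URL's query string (the
    parameter names user and pass are assumed for this example) and hand
    them to one of the two handlers above."""
    qs = parse_qs(urlsplit(url).query)
    return handler(db, qs.get("user", [""])[0], qs.get("pass", [""])[0])


if __name__ == "__main__":
    db = make_db()
    # Constructed attack URL: a known user name followed by a quote and a
    # comment marker, and no valid password.
    attack = "https://cardio.example/login?user=admin%27--&pass=anything"
    print("vulnerable:", login_from_url(db, attack, login_vulnerable))  # administrator
    print("fixed:     ", login_from_url(db, attack, login_safe))        # None
```

The attacker in this example needs nothing more than a valid user name, which matches the precondition stated above. The fix is not input filtering on the quote character but keeping user input out of the SQL text entirely; the bound-parameter version accepts `admin'--` as a literal (non-existent) user name and returns no row.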

2nd Vulnerability Scenario—LDAP Injection

“An LDAP query may be inserted into the login page URL, causing Cardio Server to perform an LDAP query to the IP address of the attacker's choice.”

Vulnerability Mitigation

  • This potential vulnerability may exist in Cardio Server versions 3.3, 4.0 and 4.1.  A patch to close the vulnerability exists for each version.

  • The potential vulnerability is limited to affected Cardio Server systems whose login page displays a domain-selection drop-down menu. 

  • If your system does not display a domain-selection drop-down menu on the login page, this vulnerability does not apply.

  • If your facility uses a single sign-on solution that never presents the Cardio Server login screen to the user, this vulnerability does not apply.
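As an added illustration of this second scenario (again not Cardio Server's code; the post does not say how the directory query was built or patched), the block below shows the most common shape of a login-page LDAP injection where a domain selector is involved: the submitted drop-down value is used directly as the directory host and the user name is spliced raw into the search filter, so the client chooses both where the server connects and what it asks. Beside it is the fixed form, which treats the drop-down value as a key into server-side configuration and escapes the user name per RFC 4515. The `DIRECTORIES` table, the parameter names `domain` and `user`, the filter shape and the attack URL are constructed for the example.

```python
"""Login-page LDAP injection, illustrated: trusting the submitted domain
selection (vulnerable) beside an allow-list with RFC 4515 filter escaping
(fixed). Hypothetical code written for this post; not Cardio Server's."""
from urllib.parse import parse_qs, urlsplit

# Constructed server-side configuration. The login page's drop-down should
# only ever carry one of these keys; the host and base DN behind each key
# live here, where the client cannot change them.
DIRECTORIES = {
    "HOSPITAL": {"host": "ldap://dc1.hospital.example", "base_dn": "dc=hospital,dc=example"},
    "CLINIC": {"host": "ldap://dc1.clinic.example", "base_dn": "dc=clinic,dc=example"},
}


def escape_filter(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515): the
    characters that change filter structure become \\xx hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _params(url: str):
    """Pull the assumed parameters domain and user out of the login URL."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("domain", [""])[0], qs.get("user", [""])[0]


def plan_query_vulnerable(url: str) -> dict:
    """Vulnerable: the drop-down value names the directory host and the user
    name lands unescaped in the filter. Any host the attacker puts in the
    URL is contacted, and characters such as * ( ) reshape the query."""
    domain, user = _params(url)
    return {
        "host": "ldap://" + domain,
        "filter": "(&(objectClass=user)(sAMAccountName=" + user + "))",
    }


def plan_query_safe(url: str) -> dict:
    """Fixed: the drop-down value must match a configured key, so the host
    and base DN always come from the server; the user name is escaped, so
    it can only ever be matched as a literal value."""
    domain, user = _params(url)
    if domain not in DIRECTORIES:
        raise ValueError("unknown directory selection: %r" % domain)
    entry = DIRECTORIES[domain]
    return {
        "host": entry["host"],
        "base_dn": entry["base_dn"],
        "filter": "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter(user),
    }


if __name__ == "__main__":
    # Constructed attack URL: an attacker-chosen address in the domain field
    # and a wildcard in the user name.
    attack = "https://cardio.example/login?domain=203.0.113.5&user=admin*"
    print("vulnerable:", plan_query_vulnerable(attack))
    try:
        plan_query_safe(attack)
    except ValueError as exc:
        print("fixed: rejected,", exc)
```

The two functions only plan the query (host, base DN, filter); connecting and binding are left out so the block runs offline. The important property is that in the fixed version no byte from the URL ever reaches the host or base DN, and the only byte from the URL that reaches the filter is escaped.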

Summary

Epiphany takes its customers’ security seriously. We apologize for any inconvenience this may have caused. Patches are available for both vulnerabilities named above. 

We have no evidence that any patient information was accessed. 

Most Cardio Server systems reside inside our end users’ firewalls, behind whatever firewall protections those end users deploy. Cardio Server login screens that are reachable directly from the Internet are at higher risk.

Epiphany performs thorough verification and validation on each version release. Our last Cardio Server version release included ~5,000 test steps on six browsers totaling ~30,000 completed test steps.

If you are a Cardio Server 3.X customer and your system is running on Windows Server 2003, we strongly recommend upgrading to Cardio Server version 5.0, which supports Windows Server 2008 R2 and Windows Server 2012 R2. Any Cardio Server system still running on Windows Server 2003 is exposed to the security risks that come with that operating system’s end-of-life status (it has received no security updates since July 2015).

Action

Please contact Epiphany’s Vice President of Professional Services, Kelli Sudduth, with any questions you may have, including requesting patches for your Cardio Server. Kelli’s number is: (919) 354-5050 or kellisudduth@epiphanyhd.com.

Topics: Epiphany, Cardio Server security, security, cert

Epiphany’s PDF Naming Wizard -- Powerhouse of Integration Modules

Posted by Jim Stanczak on March 6, 2014 at 2:00 PM

Our customers get it. They get what we do and its profound impact on healthcare.  Sometimes they share their insight with us on how to convey the power of Cardio Server to others.  

What follows is insight received from Frank Piwarski, Senior Integration Analyst, at the International Heart Institute of Montana in a recent e-mail exchange where Frank encouraged us to promote one of our features that makes Epiphany unique.

Frank, who has been working with Epiphany since 2008, wrote:

“It’s odd. One of the most important modules you have is one that you wouldn’t expect to have so much value. 

It's the PDF Naming Wizard. It completes the EMR.  It allows Epiphany to take in PDFs of diagnostic test results that are randomly named and convert them into well-named exams with patient demographics, modality designations, date and time stamps, and physician interpretations.

With a couple of clicks, you can change “6000000000_2014020412340000.pdf” into “holter_dennis_oates_20140204.pdf”! No document scanning. No manual indexing. It takes very little time.

That's it; the PDF Wizard is the powerhouse of modules!! I kid you not. Because you can say that if a result can be saved as a PDF, you can put it into your EMR. Today this means everything.

This module makes you different in the industry. No one else can say "All" and "into the EMR" in one sentence but you guys.

Transition, integration, accommodation of future results, growth, flexibility, low bar, low costs, one view, seamless.

Your mission statement with the “consolidated EMR interface” phrase is on the money.  You work the Cardio Server interfaces once, and then use them over and over with the many modalities.  Cardio Server is like a PACS, able to accept results from multiple vendors’ equipment, but it goes one step further with the PDF Wizard.

It's Noah's Ark: it takes all comers, properly onboards them all, and helps create the one comprehensive overview of all comers; it massively helps complete the patient record.

This will change lives, change outcomes, and speed decisions; it's a clarity that only Cardio Server, the Ark of EMR results, can promise.

~ Frank”
 


Topics: ECG software, Cardio Server, PDF Naming Wizard, ECG management

LifeNet exports to Epiphany’s Cardio Server

Posted by Jim Stanczak on April 25, 2011 at 2:14 PM

New at ACC 2011, Epiphany's Cardio Server ECG Management System accepts STEMI exports (12-lead ECGs) from Medtronic’s Physio Control LifeNet in the native GE Hilltop format. LifeNet is a web-based platform designed to share emergent patient information between Emergency Medical Services (EMS) and hospital care teams. GE Hilltop exports include all the raw data points and interpretations of a STEMI cardiogram performed on a LifePak defibrillator, which is far more informative than a static PDF export. 

With the raw data points that come from a LifePak defibrillator, Epiphany users can apply horizontal calipers to get precise measurements of ST amplitudes in any or all of the 12 leads. With the interpretations that come from the LifePak defibrillators, Epiphany users can use serial comparison tools to help distinguish true STEMIs from other morphologies that mimic STEMIs, and then use this information to determine the best triage plan for patients. 

Topics: GE Hilltop format, LifePak defibrillator, Physio Control, Medtronic, LifeNet exports to Epiphany's Cardio Server
