
Assessment & Compliance Services Division

Purpose Driven Security

Innovative Web Application Proven Secure


CASE STUDY: ALLSCRIPTS

Through its leadership role within NEPSI (National e-Prescribing Patient Safety Initiative), Allscripts has led the
initiative toward electronic prescribing of medication by allowing free access to its eRx NOW™ web application.
In order to gain acceptance, it was crucial that Allscripts’ web application be secure and used only by
authorized personnel. As the core application transmits, stores and processes ePHI (electronic private health
information), business risks existed at multiple levels including: exposed protected information, legal liabilities,
and reputation.

Why Halock…

Allscripts had already performed its due diligence in assessing and testing the eRx NOW™ web
application per regulation guidelines. It was Allscripts’ desire, however, to continue the testing and
security assessment process at a more comprehensive level with an outside information security
expert. Members of Halock’s assessment team and Allscripts’ CTO met to further discuss the intent and
scope of a more in-depth assessment aimed at the eRx NOW™ web application layer and personnel
security awareness.

Primary Assessment Objectives:

During the pre-assessment process, Halock and Allscripts determined the following primary objectives:

- Exploit any vulnerabilities associated with Allscripts’ eRx NOW™ web application through ethical hacking (external)
- Evaluate Allscripts’ security awareness through remote social engineering
- Observe Allscripts’ incident response as a course of the above assessment examination efforts

The Result:

After performing the assessment, Halock determined that Allscripts’ eRx NOW™ web
application contained no serious technical vulnerabilities within the operating system or
platform. Additionally, Halock was unsuccessful in remotely bypassing perimeter access control
either through technical vulnerabilities or social engineering. Finally, the procedural controls
in place at the Allscripts help desk reduced the risk that an attacker could gain access to the
eRx NOW™ web application as a new user and order prescription medication.

The Ongoing Commitment:

Allscripts’ vision of having all prescriptions written and delivered electronically is being
realized with its eRx NOW™ web application. In order to achieve ubiquity though, it is important to
prove to the user and consumer base that the eRx NOW™ web application is secure and will continue
to be. Moreover, Allscripts is committed to following information security best practices for each and
every application it develops and markets. In order to achieve Allscripts’ commitment to information
security, Halock continues to provide on-going consulting services such as: vulnerability testing,
ethical hacking, social engineering, and source code review.

Allscripts is the leading U.S. provider of clinical software, connectivity and information solutions that
physicians and other healthcare professionals use to improve patient care. Across the country, more than
30,000 physicians in some 3,500 health organizations ranging from solo doctor’s offices to acute care
hospitals use Allscripts solutions to deliver improved care at lower cost. Allscripts is comprised of three
business groups, all leaders and innovators in the markets they serve: Client Solutions Group, Physicians
Interactive Group and Medication Services Group. Headquartered in Chicago, Allscripts employs nearly 1,000
people across the nation dedicated to delivering medication services and health information technology
solutions that touch the lives of patients in every healthcare setting.
www.allscripts.com

Halock Security Labs is a full-service Security Risk Management consulting firm focused on leveraging the
ISO 27001 standard for information security best practices. Founded in 1996, Halock Security Labs (formerly
Remington Associates) has assisted clients in securing their networks and applications while meeting their
security requirements in confidentiality, integrity, availability, and compliance. Halock service teams
include Governance & Strategy, Assessment & Compliance, PCI Compliance & Validation, Network & Systems
Security, as well as Application Security. Halock’s client base is centered around healthcare, retail, and
finance.
www.halock.com


1834 Walden Office Square Suite 150 * Schaumburg, IL 60173 * 847.221.0200 * www.halock.com
