Seamless Medical Systems: Ethical hacking increases application security

Penetration testing for the software company Seamless Medical Systems

Professionally developed software not only performs the planned business functions but also ensures the security of the data being processed. The importance of the security aspect grows with the criticality of the data available in the system. Penetration testing verifies the level of security in a practical manner and allows you to detect even the vulnerabilities overlooked by software architects, developers and testers, or that are not directly related to the quality of the source code.

Seamless Medical Systems provides specialized applications for the medical industry. The functionalities on offer include mobile patient registration, queue management, insurance verification and payment collection, patient education and ongoing communication. The software is fully integrated with leading EMR (Electronic Medical Record) systems and meets HIPAA (Health Insurance Portability and Accountability Act) requirements.

Due to the processing of especially sensitive data, both for users of the system and its manufacturer, a key aspect of software quality is the broadly defined confidentiality of information.

A trusted hacker for rent

The optimal method of system security verification turned out to be the ethical hacking proposed by SNP – a service consisting of detailed, methodical testing of applications for errors and vulnerabilities. Thanks to the high competence of SNP security consultants and the specialized tools used, this practical attempt to break the security of the system allowed data security to be checked in a much broader context than just the area for which the programmers are responsible. Both the applications and their environment (including servers), and even the client tablets used by patients, were tested.

Security of applications

Penetration tests were performed for 8 web applications. The comparability of results and the repeatability of the test were ensured by the recognized guidelines: Open Web Application Security Project (OWASP) Testing Guide v4 and National Institute of Standards and Technology Special Publication 800-115 (NIST SP 800-115).

The use of a number of tools supporting the pentester’s work enabled effective verification of such areas as:

  • the correctness of encryption of data transmitted over the Internet,
  • management of system users (creating accounts, assigning roles, resetting passwords, etc.),
  • the response of the applications to incorrect (including swapped) data,
  • the method and security of data storage (including temporary data).

Security of patient devices

Another test scenario was the loss of a tablet (including theft). The possibility of using a device to access the medical data of its legitimate user or other system users was analyzed. The correctness of setting up and closing a client-server session as well as the scope and manner of storing data in the device memory were verified among other things.

Project step by step

Penetration testing of applications was carried out in several stages during which scenarios agreed with the Customer were implemented. The scope of work included a test environment and – for the avoidance of any doubt – a production one.
In order to ensure a standardized manner of execution, the security testing was performed according to the following methodologies:

  • Open Web Application Security Project (OWASP) Testing Guide, version 4
  • National Institute of Standards and Technology Special Publication 800-115 (NIST SP 800-115)

The work was started in a black box mode, i.e. without the pentester’s knowledge about the system tested. The possibility of unauthorized access to the system and unauthorized acquisition of sensitive information was analyzed.

The scenario was as follows:

  • collection of data on an application, systems and infrastructure,
  • an enumeration process,
  • scanning the infrastructure with vulnerability scanners.

In the next part of the test, the applications were tested using known accounts with roles of individual system users (gray-box testing). At this stage of tests, the following elements were verified:

  • login forms and handling of roles,
  • authorization mechanisms,
  • session management,
  • validation of input data and vulnerability to injection attacks,
  • error handling,
  • cryptographic mechanisms,
  • business logic of applications,
  • the possibility of attacks against the application client’s browser.

The summary of the tests was a report documenting all activities performed, and the system security confirmation in the form of a certificate.

Privilege escalation

Another element of the penetration test was the verification of an unauthorized person’s ability to access the data by obtaining a higher level of privileges than those assigned to a given user. The check was made, among other things, through the improper use of application forms and the modification of URL addresses.
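As an added illustration (not part of the original case study or of the tested applications), the gray-box role checks and the privilege-escalation check described above can be driven from an agreed access matrix: every (session, URL) pair is sent to the application and the outcome compared with what the role is supposed to see. The sessions, record ids and paths below are constructed, and the two handlers are an in-memory stand-in for a real server, one with object-level authorization and one without.

```python
"""Role/authorization matrix check in the style of the gray-box stage described above."""
from typing import Callable, Dict, List, Tuple

# Constructed sample data: logged-in sessions (user, role) and the records that exist.
SESSIONS = {"sess-alice": ("alice", "patient"), "sess-bob": ("bob", "patient"),
            "sess-nurse": ("nurse1", "staff")}
RECORDS = {"p-100": "alice", "p-200": "bob"}  # record id -> owning patient

def handle_request_secure(session: str, path: str) -> int:
    """Server with object-level authorization: staff may read every record,
    a patient only their own. Returns an HTTP-like status code."""
    if session not in SESSIONS:
        return 401
    user, role = SESSIONS[session]
    record_id = path.rsplit("/", 1)[-1]
    if record_id not in RECORDS:
        return 404
    if role == "staff" or RECORDS[record_id] == user:
        return 200
    return 403

def handle_request_weak(session: str, path: str) -> int:
    """Same API but trusts the id taken from the URL once the user is logged in,
    the class of flaw a URL-modification test is meant to surface."""
    if session not in SESSIONS:
        return 401
    return 200 if path.rsplit("/", 1)[-1] in RECORDS else 404

# Expected matrix agreed with the customer: (session, path) -> status the role should get.
EXPECTED: Dict[Tuple[str, str], int] = {
    ("sess-alice", "/records/p-100"): 200,  # own record
    ("sess-alice", "/records/p-200"): 403,  # another patient's record (horizontal escalation)
    ("sess-bob",   "/records/p-100"): 403,
    ("sess-nurse", "/records/p-100"): 200,  # staff role may read all records
    ("sess-nurse", "/records/p-999"): 404,  # non-existent record
    ("no-session", "/records/p-100"): 401,  # anonymous access
}

def verify_access_matrix(handler: Callable[[str, str], int]) -> List[str]:
    """Run every case against the handler; return one line per deviation from the matrix."""
    findings = []
    for (session, path), want in EXPECTED.items():
        got = handler(session, path)
        if got != want:
            findings.append(f"{session} {path}: expected {want}, got {got}")
    return findings

if __name__ == "__main__":
    for name, handler in (("secure", handle_request_secure), ("weak", handle_request_weak)):
        print(name, verify_access_matrix(handler) or "no deviations")
```

Against a live application the handler would be a function that replays the request with the given session cookie and returns the status code; the matrix itself stays the same.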

Summary

The final product of the tests carried out was a comprehensive report documenting the actions taken and the results obtained. The system security was confirmed by the certificate issued by SNP. For customers of Seamless Medical Systems, it proves that applications are created with due care for the confidentiality and integrity of data.

Total security program
A core component of any HIPAA compliant technology platform includes periodic penetration testing by a qualified third party. Penetration testing is simply industry best practice and BCC Group is an integral part of our total security program.
Anthony Brooke, Co-founder & CTO, Seamless Medical Systems Inc
Seamless Medical Systems Inc. is a U.S. company providing software for healthcare institutions and patients. Its modular, mobile platform saves time, increases staff efficiency and improves standards of medical care. System users include health centers, clinics and individual medical practices.
