Text

Security Assessment pada Sistem Informasi Manajemen Kesehatan Khanza Berbasis Static Application Security Testing (SAST)

---

Abstrak:
Perkembangan zaman yang semakin pesat memiliki dampak yang luas terhadap sistem elektronik. Berbagai aspek kehidupan sedikit demi sedikit terdigitalisasi, mulai dari administrasi pemerintahan, perkantoran, dan lain-lain. Adanya pandemi COVID-19 juga turut menjadi faktor penting peralihan sistem manual menjadi sistem digital, misalnya pada Infrastruktur Informasi Vital (IIV). Sektor kesehatan merupakan salah satu sektor IIV yang menjadi tujuan utama kejahatan siber. Mayoritas serangan yang terjadi memiliki tujuan untuk mencuri data pasien untuk monetisasi data atau melakukan kerusakan pada sistem elektronik terkait. Contoh bentuk penyelenggaran IIV pada sektor kesehatan, terkhusus pada rumah sakit merupakan Sistem Informasi Manajemen Rumah Sakit (SIMRS). SIMRS memiliki data-data sensitif seperti rekam medis, diagnosis, hasil pemeriksaan laboratorium, resep obat hingga pembayaran menjadikannya target pencurian data oleh peretas. SIMKES Khanza adalah sebuah aplikasi sistem informasi manajemen kesehatan yang dimanfaatkan oleh puskesmas, klinik, rumah sakit, serta praktik mandiri yang bisa didapatkan secara gratis dan open source. Belum adanya pengujian keamanan atau security assessment pada aplikasi SIMKES Khanza yang memuat data-data sensitif menjadi alasan utama dilakukannya penelitian ini. Penelitian memiliki lima tahapan utama yaitu reviewing, examination, testing, analysis, dan pemberian rekomendasi perbaikan. Pemindaian kerentanan dilakukan dengan metode Static Application Security Testing (SAST). Kerentanan yang terpindai selanjutnya akan dikelompokkan berdasarkan OWASP Top 10 Desktop Application Security Risks 2021. Berdasarkan hasil pemindaian kerentanan, ditemukan lima buah kerentanan yang terpindai dan dilakukan pembuktian terhadap empat di antaranya dikarenakan salah satunya merupakan false positive. Keempat kerentanan tersebut antara lain Paswordless Database, Disable Server Hostname Verification on SSL/TLS Connection, Disable Server Certificate Validation on SSL/TLS Connection, dan Crypto Bad Mac dan masuk ke dalam OWASP Top 10 Desktop Application Security Risks. Berdasarkan hasil analisis dan perhitungan dengan menggunakan OWASP Risk Assessment Calculator menghasilkan bahwa terdapat satu kerentanan dengan tingkat keparahan high dan tiga lainnya dengan tingkat keparahan medium. Rekomendasi perbaikan yang dapat diberikan antara lain seperti pemberian password yang kuat dan penerapan pembatasan pada user privilege, perubahan beberapa parameter pada kerentanan disable server hostname verification on SSL/TLS connection dan disable server certificate validation on SSL/TLS connection, serta penggunaan algoritma hash yang lebih kuat pada kerentanan crypto bad mac.
Abstract:
The rapid development of the era has a broad impact on electronic systems. Various aspects of life are digitized little by little, starting from government administration, offices, and others. The existence of the COVID-19 pandemic has also been an important factor in the transition from manual systems to digital systems, for example in the Vital Information Infrastructure (IIV). The health sector is one of the IIV sectors which is the main target of cybercrime. The majority of attacks that occur have the goal of stealing patient data for data monetization or to damage related electronic systems. An example of the implementation of IIV in the health sector, especially in hospitals is the Hospital Management Information System (SIMRS). SIMRS has sensitive data such as medical records, diagnoses, laboratory test results, drug prescriptions and payments, making it a target for data theft by hackers. SIMKES Khanza is a health management information system application used by puskesmas, clinics, hospitals, as well as independent practice which can be obtained free of charge and is open source. The absence of security testing or security assessment on the SIMKES Khanza application which contains sensitive data is the main reason for conducting this research. The research has five main stages, namely reviewing, examination, testing, analysis, and providing recommendations for improvement. Vulnerability scanning is carried out using the Static Application Security Testing (SAST) method. The scanned vulnerabilities will then be grouped based on the OWASP Top 10 Desktop Application Security Risks 2021. Based on the results of the vulnerability scan, five scanned vulnerabilities were found and four of them were verified because one of them was a false positive. The four vulnerabilities include Passwordless Database, Disable Server Hostname Verification on SSL/TLS Connection, Disable Server Certificate Validation on SSL/TLS Connection, and Crypto Bad Mac and are included in the OWASP Top 10 Desktop Application Security Risks. Based on the results of analysis and calculations using the OWASP Risk Assessment Calculator, it results that there is one vulnerability with high severity and three others with medium severity. Recommendations for improvements that can be given include providing strong passwords and applying restrictions on user privileges, changing several parameters on the vulnerability to disable server hostname verification on SSL/TLS connection and disable server certificate validation on SSL/TLS connection, as well as using a more hash algorithm. strong on crypto bad mac vulnerabilities.

---

Availability

No copy data

Detail Information

Series Title

--

Call Number

2023 PUT s

Publisher

Bogor : Politeknik Siber dan Sandi Negara., 2023

Collation

xvi, 44 halaman

Language

Indonesia

ISBN/ISSN

--

Classification

Rekayasa Keamanan Siber

Content Type

-

Media Type

-

Carrier Type

-

Edition

--

Subject(s)

OWASP Risk Rating Methodology
OWASP Top 10 Desktop Application Security Risks
Security Assessment,SIMKES Khanza
SIMRS
Static Application Security Testing

Specific Detail Info

-

Statement of Responsibility

Putri Rusdwi Kusuma Astuti

Other version/related

File Attachment

Comments

---

You must be logged in to post a comment