Describe the bug
ASVS 7.1.2 Verify that the application does not log other sensitive data as defined under local privacy laws or relevant security policy
CWE-532: Insertion of Sensitive Information into Log File
To Reproduce
Steps to reproduce the behavior:
1. Log in to OpenEMR as admin.
2. Go to patient -> new/search
3. Fill in last name, first name, DOB, sex and SS with 777-77-7777.
4. Click on create new patient.
5. Navigate to Admin → System → Logs and click on Submit to view the logs.
6. Search for 777-77-7777 and it will be in the logs.
Expected behavior
The social security number should not be displayed/masked.
Client configuration
Browser: Chrome
OpenEMR version: v7.0.2
Operating system: Windows
@bradymiller Doesn't this suggestion of implementing ASVS 7.1.2 contradict some of our required guidelines for ONC audit log records? There's one thing of masking the output and then having ACLs required to access the unmasked output, but from what I see in the PR, this removes the data before it even goes into the audit log.
Note @sathiya06 this is not a file log; rather, the logging here is our audit log to track data access, modifications, etc., as required by federal law for our ONC certification requirements, if I'm remembering this correctly. I don't recall there being a carve-out exception for logging SSN, especially if someone were to tamper with that data.
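The alternative raised in the comment above (keep the full value in the audit record, mask it when the log is displayed, and require an ACL to see it unmasked), sketched as an added example that is not OpenEMR code and not part of the thread. `UNMASK_ACL`, the class names and the sample entry are assumptions; the sketch also records each unmasked read as its own audit event.

```python
import re
from dataclasses import dataclass

# Dashed US SSN, the form used in the report (777-77-7777).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
UNMASK_ACL = "audit_unmasked"   # hypothetical ACL name, not an OpenEMR identifier


@dataclass(frozen=True)
class AuditEntry:
    user: str
    event: str
    comments: str   # stored in full; masking never rewrites the record


class AuditLog:
    def __init__(self):
        self._entries = []

    def record(self, user, event, comments):
        self._entries.append(AuditEntry(user, event, comments))

    def stored(self):
        """Raw records as persisted (what a tamper check would compare against)."""
        return tuple(self._entries)

    def view(self, viewer, acls):
        """Render entries for display; only holders of UNMASK_ACL see SSNs."""
        unmask = UNMASK_ACL in acls
        rows = [
            e.comments if unmask else SSN_RE.sub("***-**-****", e.comments)
            for e in self._entries
        ]
        if unmask:
            # Reading sensitive values in the clear is itself an auditable event.
            self.record(viewer, "audit-log-unmasked-view", f"{len(rows)} entries")
        return rows


def demo():
    log = AuditLog()
    # Constructed sample entry modelled on the reproduction steps.
    log.record("admin", "patient-record-insert", "lname='Doe', ss='777-77-7777'")
    masked = log.view("clerk", acls={"admin_logs"})
    clear = log.view("privacy_officer", acls={"admin_logs", UNMASK_ACL})
    return masked, clear, log.stored()
```
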