Electronic medical records at risk of being hacked, report warns

By Linda Tucci, Senior News Writer
19 Sep 2007 | SearchCIO.com


The electronic health record systems that automate the digitized medical histories of U.S. patients are severely at risk of being hacked, a new report has claimed. A fix requires better collaboration between CIOs and vendors.

The warning comes from the eHealth Vulnerability Reporting Program (eHVRP), a collaborative of health care industry practitioners and technology providers. It was formed last year to assess the security of the nation's electronic health records.

"There was not one system we could not penetrate and gain control of data," said eHVRP board member Daniel S. Nutkis. "These systems were not any worse than banking systems. But the banking systems have elaborate security mechanisms sitting on top of them."

The 39-page report from eHVRP blames the network vulnerability of the electronic health record (EHR) systems on not just inadequate oversight by health care providers, but foremost on defects in the health information systems themselves and on the vendors that failed to disclose the defects -- in some cases for years. The lack of disclosure is particularly disturbing in an industry required by law to evaluate and manage risk. If vendors are not disclosing vulnerabilities on systems that hold sensitive data, health organizations cannot manage risk.

An EHR refers to a patient's health record in digital format. EHR information systems coordinate the storage and retrieval of the medical record -- collated sometimes from multiple sources and places.

Security flaws in electronic health record systems are also worrisome because the health care industry is under pressure to convert to paperless records. The federal government has set a goal of universal adoption of electronic health records by 2014. And the health care industry itself, which has been slow to adopt IT, is relying heavily on the promise that these systems offer. The belief is that electronic medical records will bring benefits to the industry and patients, allowing doctors to become more efficient, providing speedier care to patients, lowering costs and so on.

"As such, we must take every measure possible to protect these systems, avoid any disruption in their use and to ensure consumer confidence is maintained," eHVRP board member Dr. Robert Mandel said in a statement. Mandel is vice president of health care services at Blue Cross Blue Shield of Massachusetts.

The eHVRP report is based on a 15-month study of more than 850 provider organizations. Seven e-health systems were tested, including five ambulatory, or outpatient, systems certified by the Certification Commission for Healthcare Information Technology (CCHIT), a private-sector standards body.

eHVRP recommendations
  • Establish better collaboration between customers, EHR vendors and information security vendors to facilitate exchange of vulnerability information.
  • Create educational material and support outreach on information security issues relating to e-health systems.
  • Create guidelines and requirements for EHR vendors and customers regarding systems hardening and implementation of compensating controls.
  • Encourage and facilitate information security software and services vendors to develop products to address the needs of common e-health systems.
  • Establish an entity to carry forward recommendations noted in the study.

CCHIT spokeswoman Sue Reber said the organization had no response to the study at this time.

The evaluation and penetration testing was performed on EHR systems used in small, medium-sized and large practices in order to understand the type and severity of vulnerabilities. The study also analyzed practices and processes implemented by vendors and health centers to mitigate the security issues, the authors said. The vendors were not named.

Among the findings: EHR vendors are either not disclosing or inadequately disclosing system vulnerabilities to customers, preventing organizations from appropriately managing risk associated with e-health systems. One medical application in the study was vulnerable for 2,211 days. Moreover, no existing industry organization has responsibility, charter or mission for addressing security vulnerabilities in e-health systems.

The group anticipated finding vulnerabilities, said Nutkis, a former director of Ernst & Young LLP's national emerging technology practice and a longtime consultant in major health care initiatives. What was unusual was how quickly the testers could hack into the systems. Indeed, the eHVRP struggled with how to disclose the findings, not wanting to expose the industry to unnecessary risk or disrupt the adoption rates of EHR systems.

"The best thing for the industry is to fix the problem," Nutkis said, adding that a number of professional groups are in the works to tackle not just EHRs but also security issues related to medical devices and laboratories.

No one expects the fix to be easy. Perimeter defenses against hacking become irrelevant when many of the applications are Web-facing and are touched by many employees. Currently, there is no development or testing protocol established. And the industry has "some unique dichotomies," Nutkis said.

"Although you've got Johnson & Johnson and a UnitedHealthcares of the industry, you also have a ton of two-doc practices," Nutkis said. "And they're all part of the same thing we call one industry, and although the complexity of the environment is the same, the level of sophistication of the organizations is different."

Bob Pappagianopoulos, chief information security officer and corporate director of technical services and operations at Partners Healthcare System Inc. in Boston, said he agreed with many of the comments in the report.

"Health care systems must do all that we can to help protect patient data. This starts from where the data is stored to how it is accessed," Pappagianopoulos wrote in an email. His organization uses a "homegrown" electronic medical system that is scrutinized continually for security issues and improvements, he said.
