04:12 PM
George V. Hulme
George V. Hulme

It's Not (Just) About EMR Software Security

We recently discussed a report that provided an overview of the security breach trends at 300 health care providers. Some took the post to be a condemnation of EHR security. That is too narrow of an interpretation. The post was meant to convey the lack of maturity, pervasive in the health care industry, when it comes to security controls.

We recently discussed a report that provided an overview of the security breach trends at 300 health care providers. Some took the post to be a condemnation of EHR security. That is too narrow of an interpretation. The post was meant to convey the lack of maturity, pervasive in the health care industry, when it comes to security controls.For background, take a look at the original post Steady Bleed: State of HealthCare Data Breaches. In short, that post highlighted how health care providers large and small suffered dozens to more than 100 security breaches a month.

Now, whenever you provide figures and data that rub against the bias of some, you are bound to get a degree of push-back. It appears John at the site EHR and HIPAA took exception:

Now, I'll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don't agree with the article's assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.

Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it's unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software's fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.

I'm not saying that breaches don't happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn't take an electronic health record for people to start looking up famous sports stars health information.

John is correct to say that most every breach that occurs with EMRs can - and do - occur on paper-based systems. That's also true of every other type of online security problem. There's nothing new about identity or credit card theft - but the move to electronic records has increased the volume and velocity of these attacks. Blogger Dissent at PHIprivacy.net expressed what makes electronic records different.

According to Privacy Rights Clearinghouse there have been 14,555,641 medical records breached since 2005. Many of them are paper records. Which helps to substantiate my point: the health care industry is lackadaisical when it comes to protecting patient records - and the rush to digitize these records is going to exacerbate the problem.

The challenge is the lack of security and risk management maturity surrounding the entire life-cycle of the data and the IT infrastructure that supports it. So yes: the problems go well beyond the software security of medical record software. The challenges include the policies and how they are enforced at each location to mitigate risk. How is data at-rest encrypted? Are users permitted to take patient data off premise on notebooks or thumb drives? How are software vulnerabilities and secure system configurations managed? How about identity management and access rights? And how are paper and digital records destroyed when they reach the end of their life-cycle?

You get the idea.

Based on my interviews, most health care organizations aren't doing enough in many of these areas. Don't take my word on it, which is based on dozens, perhaps hundreds, of discussions with IT managers. Let's use the findings of Auditor-General John Doyle and his staff (who recently investigated the security of electronic record-keeping at the Vancouver Coastal Health Authority). Here's their report [.pdf], and while it's a Canadian report, the same challenges apply here in the U.S.:

In every key area we examined - from the management and assignment of user access to security controls within the health authority's computing environment - we found serious weaknesses.

Because PARIS users are not granted access on a "need-to-know" basis, sensitive and confidential health care records were accessible to thousands of users who have neither the need nor the right to see the information. Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information, without VCHA even being aware of it. Fundamental controls to prevent or detect unauthorized access to the system were lacking, and monitoring.

And there's another data point that substantiates my point. And it goes well beyond merely the inherent insecurity of software. The problem is systemic throughout the industry in how it secures patient data.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio