Risk
10/12/2010
04:12 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

It's Not (Just) About EMR Software Security

We recently discussed a report that provided an overview of the security breach trends at 300 health care providers. Some took the post to be a condemnation of EHR security. That is too narrow of an interpretation. The post was meant to convey the lack of maturity, pervasive in the health care industry, when it comes to security controls.

We recently discussed a report that provided an overview of the security breach trends at 300 health care providers. Some took the post to be a condemnation of EHR security. That is too narrow of an interpretation. The post was meant to convey the lack of maturity, pervasive in the health care industry, when it comes to security controls.For background, take a look at the original post Steady Bleed: State of HealthCare Data Breaches. In short, that post highlighted how health care providers large and small suffered dozens to more than 100 security breaches a month.

Now, whenever you provide figures and data that rub against the bias of some, you are bound to get a degree of push-back. It appears John at the site EHR and HIPAA took exception:

Now, I'll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don't agree with the article's assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.

Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it's unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software's fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.

I'm not saying that breaches don't happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn't take an electronic health record for people to start looking up famous sports stars health information.

John is correct to say that most every breach that occurs with EMRs can - and do - occur on paper-based systems. That's also true of every other type of online security problem. There's nothing new about identity or credit card theft - but the move to electronic records has increased the volume and velocity of these attacks. Blogger Dissent at PHIprivacy.net expressed what makes electronic records different.

According to Privacy Rights Clearinghouse there have been 14,555,641 medical records breached since 2005. Many of them are paper records. Which helps to substantiate my point: the health care industry is lackadaisical when it comes to protecting patient records - and the rush to digitize these records is going to exacerbate the problem.

The challenge is the lack of security and risk management maturity surrounding the entire life-cycle of the data and the IT infrastructure that supports it. So yes: the problems go well beyond the software security of medical record software. The challenges include the policies and how they are enforced at each location to mitigate risk. How is data at-rest encrypted? Are users permitted to take patient data off premise on notebooks or thumb drives? How are software vulnerabilities and secure system configurations managed? How about identity management and access rights? And how are paper and digital records destroyed when they reach the end of their life-cycle?

You get the idea.

Based on my interviews, most health care organizations aren't doing enough in many of these areas. Don't take my word on it, which is based on dozens, perhaps hundreds, of discussions with IT managers. Let's use the findings of Auditor-General John Doyle and his staff (who recently investigated the security of electronic record-keeping at the Vancouver Coastal Health Authority). Here's their report [.pdf], and while it's a Canadian report, the same challenges apply here in the U.S.:

In every key area we examined - from the management and assignment of user access to security controls within the health authority's computing environment - we found serious weaknesses.

Because PARIS users are not granted access on a "need-to-know" basis, sensitive and confidential health care records were accessible to thousands of users who have neither the need nor the right to see the information. Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information, without VCHA even being aware of it. Fundamental controls to prevent or detect unauthorized access to the system were lacking, and monitoring.

And there's another data point that substantiates my point. And it goes well beyond merely the inherent insecurity of software. The problem is systemic throughout the industry in how it secures patient data.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7298
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

CVE-2014-8346
Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.