Risk
10/12/2010
04:12 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

It's Not (Just) About EMR Software Security

We recently discussed a report that provided an overview of the security breach trends at 300 health care providers. Some took the post to be a condemnation of EHR security. That is too narrow of an interpretation. The post was meant to convey the lack of maturity, pervasive in the health care industry, when it comes to security controls.

We recently discussed a report that provided an overview of the security breach trends at 300 health care providers. Some took the post to be a condemnation of EHR security. That is too narrow of an interpretation. The post was meant to convey the lack of maturity, pervasive in the health care industry, when it comes to security controls.For background, take a look at the original post Steady Bleed: State of HealthCare Data Breaches. In short, that post highlighted how health care providers large and small suffered dozens to more than 100 security breaches a month.

Now, whenever you provide figures and data that rub against the bias of some, you are bound to get a degree of push-back. It appears John at the site EHR and HIPAA took exception:

Now, I'll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don't agree with the article's assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.

Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it's unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software's fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.

I'm not saying that breaches don't happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn't take an electronic health record for people to start looking up famous sports stars health information.

John is correct to say that most every breach that occurs with EMRs can - and do - occur on paper-based systems. That's also true of every other type of online security problem. There's nothing new about identity or credit card theft - but the move to electronic records has increased the volume and velocity of these attacks. Blogger Dissent at PHIprivacy.net expressed what makes electronic records different.

According to Privacy Rights Clearinghouse there have been 14,555,641 medical records breached since 2005. Many of them are paper records. Which helps to substantiate my point: the health care industry is lackadaisical when it comes to protecting patient records - and the rush to digitize these records is going to exacerbate the problem.

The challenge is the lack of security and risk management maturity surrounding the entire life-cycle of the data and the IT infrastructure that supports it. So yes: the problems go well beyond the software security of medical record software. The challenges include the policies and how they are enforced at each location to mitigate risk. How is data at-rest encrypted? Are users permitted to take patient data off premise on notebooks or thumb drives? How are software vulnerabilities and secure system configurations managed? How about identity management and access rights? And how are paper and digital records destroyed when they reach the end of their life-cycle?

You get the idea.

Based on my interviews, most health care organizations aren't doing enough in many of these areas. Don't take my word on it, which is based on dozens, perhaps hundreds, of discussions with IT managers. Let's use the findings of Auditor-General John Doyle and his staff (who recently investigated the security of electronic record-keeping at the Vancouver Coastal Health Authority). Here's their report [.pdf], and while it's a Canadian report, the same challenges apply here in the U.S.:

In every key area we examined - from the management and assignment of user access to security controls within the health authority's computing environment - we found serious weaknesses.

Because PARIS users are not granted access on a "need-to-know" basis, sensitive and confidential health care records were accessible to thousands of users who have neither the need nor the right to see the information. Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information, without VCHA even being aware of it. Fundamental controls to prevent or detect unauthorized access to the system were lacking, and monitoring.

And there's another data point that substantiates my point. And it goes well beyond merely the inherent insecurity of software. The problem is systemic throughout the industry in how it secures patient data.

For my security and technology observations throughout the day, find me on Twitter.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.