Dark Reading is part of the Informa Tech Division of Informa PLC


Risk | Commentary

10/12/2010 04:12 PM

George V. Hulme

It's Not (Just) About EMR Software Security

We recently discussed a report that provided an overview of the security breach trends at 300 health care providers. Some took the post to be a condemnation of EHR security. That is too narrow of an interpretation. The post was meant to convey the lack of maturity, pervasive in the health care industry, when it comes to security controls.

For background, take a look at the original post Steady Bleed: State of HealthCare Data Breaches. In short, that post highlighted how health care providers large and small suffered dozens to more than 100 security breaches a month.

Now, whenever you provide figures and data that rub against the bias of some, you are bound to get a degree of push-back. It appears John at the site EHR and HIPAA took exception:

Now, I'll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don't agree with the article's assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.

Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it's unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software's fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.

I'm not saying that breaches don't happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn't take an electronic health record for people to start looking up famous sports stars' health information.

John is correct to say that nearly every breach that occurs with EMRs can - and does - occur on paper-based systems. That's also true of every other type of online security problem. There's nothing new about identity or credit card theft - but the move to electronic records has increased the volume and velocity of these attacks. Blogger Dissent at PHIprivacy.net expressed what makes electronic records different.

According to Privacy Rights Clearinghouse there have been 14,555,641 medical records breached since 2005. Many of them are paper records, which helps to substantiate my point: the health care industry is lackadaisical when it comes to protecting patient records - and the rush to digitize these records is going to exacerbate the problem.

The challenge is the lack of security and risk management maturity surrounding the entire life-cycle of the data and the IT infrastructure that supports it. So yes: the problems go well beyond the software security of medical record software. The challenges include the policies and how they are enforced at each location to mitigate risk. How is data at rest encrypted? Are users permitted to take patient data off premises on notebooks or thumb drives? How are software vulnerabilities and secure system configurations managed? How about identity management and access rights? And how are paper and digital records destroyed when they reach the end of their life-cycle?

You get the idea.

Based on my interviews, most health care organizations aren't doing enough in many of these areas. But don't take my word for it, even though it rests on dozens, perhaps hundreds, of discussions with IT managers. Let's use the findings of Auditor-General John Doyle and his staff, who recently investigated the security of electronic record-keeping at the Vancouver Coastal Health Authority. Here's their report [.pdf], and while it's a Canadian report, the same challenges apply here in the U.S.:

In every key area we examined - from the management and assignment of user access to security controls within the health authority's computing environment - we found serious weaknesses.

Because PARIS users are not granted access on a "need-to-know" basis, sensitive and confidential health care records were accessible to thousands of users who have neither the need nor the right to see the information. Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information, without VCHA even being aware of it. Fundamental controls to prevent or detect unauthorized access to the system were lacking, and monitoring.

There's another data point that substantiates my point, and it goes well beyond merely the inherent insecurity of software: the problem is systemic throughout the industry in how it secures patient data.

For my security and technology observations throughout the day, find me on Twitter.
