The warning comes from the eHealth Vulnerability Reporting Program (eHVRP), a collaborative of health care industry practitioners and technology providers. It was formed last year to assess the security of the nation's electronic health records.
"There was not one system we could not penetrate and gain control of data," said eHVRP board member Daniel S. Nutkis. "These systems were not any worse than banking systems. But the banking systems have elaborate security mechanisms sitting on top of them."
The 39-page report from eHVRP blames the network vulnerability of the electronic health record (EHR) systems on not just inadequate oversight by health care providers, but foremost on defects in the health information systems themselves and on the vendors that failed to disclose the defects -- in some cases for years. The lack of disclosure is particularly disturbing in an industry required by law to evaluate and manage risk. If vendors are not disclosing vulnerabilities on systems that hold sensitive data, health organizations cannot manage risk.
An EHR refers to a patient's health record in digital format. EHR information systems coordinate the storage and retrieval of the medical record -- collated sometimes from multiple sources and places.
Security flaws in electronic health record systems are also worrisome because the health care industry is under pressure to convert to paperless records. The federal government has set a goal of universal adoption of electronic health records by 2014. And the health care industry itself, which has been slow to adopt IT, is relying heavily on the promise that these systems offer. The belief is that electronic medial records will bring benefits to the industry and patients, allowing doctors to become more efficient, providing speedier care to patients, lowering costs and so on.
"As such, we must take every measure possible to protect these systems, avoid any disruption in their use and to ensure consumer confidence is maintained," eHVRP board member Dr. Robert Mandel said in a statement. Mandel is vice president of health care services at Blue Cross Blue Shield of Massachusetts.
The eHVRP report is based on a 15-month study of more than 850 provider organizations. Seven e-health systems were tested, including five ambulatory, or outpatient, systems certified by the Certification Commission for Healthcare Information Technology (CCHIT), a private-sector standards body.
CCHIT spokeswoman Sue Reber said the organization had no response to the study at this time.
The evaluation and penetration testing was performed on EHR systems used in small, medium-sized and large practices in order to understand the type and severity of vulnerabilities. The study also analyzed practices and processes implemented by vendors and health centers to mitigate the security issues, the authors said. The vendors were not named.
Among the findings: EHR vendors are either not disclosing or inadequately disclosing system vulnerabilities to customers, preventing organizations from appropriately managing risk associated with e-health systems. One medical application in the study was vulnerable for 2,211 days. Moreover, no existing industry organization has responsibility, or charter or mission, for addressing security vulnerabilities in e-health systems.
The group anticipated finding vulnerabilities, said Nutkis, a former director of Ernst & Young LLP's national emerging technology practice and a longtime consultant in major health care initiatives. What was unusual was how quickly the testers could hack into the systems. Indeed, the eHVRP struggled with how to disclose the findings, not wanting to expose the industry to unnecessary risk or disrupt the adoption rates of EHR systems.
"The best thing for the industry is to fix the problem," Nutkis said, adding that a number of professional groups are in the works to tackle not just EHRs but also security issues related to medical devices and laboratories.
No one expects the fix to be easy. Perimeter defenses against hacking become irrelevant when many of the applications are Web-facing and are touched by many employees. Currently, there is no development or testing protocol established. And the industry has "some unique dichotomies," Nutkis said.
"Although you've got Johnson & Johnson and a UnitedHeathcares of the industry, you also have a ton of two-doc practices," Nutkis said. "And they're all part of the same thing we call one industry, and although the complexity of the environment is the same, the level of sophistication of the organizations is different."
Bob Pappagianopoulos, chief information security officer and corporate director of technical services and operations at Partners Healthcare System Inc. in Boston, said he agreed with many of the comments in the report.
"Health care systems must do all that we can to help protect patient data. This starts from where the data is stored to how it is accessed," Pappagianopoulos wrote in an email. His organization uses a 'homegrown" electronic medical system that is scrutinized continually for security issues and improvements, he said.
---
EHVRP recommendations
- Establish better collaboration between customers, EHR vendors and information security vendors to facilitate exchange of vulnerability information.
- Create educational material and support outreach on information security issues relating to e-health systems.
- Create guidelines and requirements for EHR vendors and customers regarding systems hardening and implementation of compensating controls.
- Encourage and facilitate information security software and services vendors to develop products to address the needs of common e-health systems.
- Establish an entity to carry forward recommendations noted in the study.
Autor(en)/Author(s): Linda Tucci
Quelle/Source: SearchCIO, 19.09.2007
