Commercial electronic health record systems are vulnerable to exploitation given existing industry development and disclosure practices, according to a study by the eHealth Vulnerability Reporting Program.
Founded in May, 2006, the eHealth Vulnerability Reporting Program (eHVRP) is a collaborative of healthcare industry organisations, technology companies and security professionals.
eHVRP’s mandate is to establish approaches and procedures that will help ensure e-health systems are broadly and rapidly deployed with the highest levels of privacy and security.
However, following penetration testing of seven unknown e-health systems, the board reported that system vulnerabilities could be identified using standard tools and techniques.
Dr Robert Mandel, an eHVRP board member said: “The industry is investing in, and relying heavily on, the promise that these systems offer through improvements in quality and efficiency of care.
“As such, we must take every measure possible to protect these systems, avoid any disruption in their use, and to ensure consumer confidence is maintained.”
The 15 month investigation also suggested that EHR vendors are either not disclosing or inadequately disclosing system vulnerabilities to customers, preventing organisations from appropriately managing risk or implementing compensating controls.
No industry organisation could be identified that has established guidelines or practices to appropriately mitigate and manage risks associated with e-health systems and no industry organisation could be identified that has the responsibility, charter or mission to address security vulnerabilities in eHealth systems.
Paul Connelly, a eHVRP board member said: “The key is to ensure organisations are expeditiously made aware of the vulnerabilities and have policies, practices and technology to assess and mitigate these risks. As an industry, we need to work with our vendor partners to establish consistent expectations regarding security.
“It is important to recognise that information security vulnerabilities are mostly defects in the application or underlying environment and a certain number are a fact of life for all complex information systems.”
Based on the findings of the report, the eHVRP have developed a set of recommendations for healthcare organisations and vendors. They are advised to:
• Establish better collaboration between customers, EHR vendors and information security vendors to facilitate exchange of vulnerability information.
• Create educational material and support outreach on information security issues relating to e-health systems.
• Create guidelines and requirements for EHR vendors and customers regarding systems hardening and implementation of compensating controls.
• Encourage and facilitate information security software and services vendors to develop solutions to address the needs of common e-health systems (such as CCHIT certified EHRs) and solutions targeted at smaller organisations.
• Establish an entity to carry forward recommendations noted in the study.
Catherine Peper, a eHVRP board member said: “As the healthcare industry strives to rapidly externalise and make health information transparent, it must also take appropriate measures to protect private and confidential information from inappropriate disclosure.
“We must work together to prevent external parties, or misinformed or misguided internal ones, from exploiting vulnerabilities in electronic medical record applications. It is the board’s hope that the industry receives this message and responds appropriately.”
Vendors such as Philips and IS Security have welcomed the guidance. IS Security’s healthcare director, Leo Dittemore, said: “We volunteered to be a demonstration site to aid us in gaining a better understanding of the methods used by people trying to gain unauthorised access to our systems and data.
“We wanted to participate with other EHR users and vendors to share information, define processes to identify vulnerabilities, and mitigate methods attackers could use to exploit them.”
Philips Medical Systems director of product security and privacy, Dr Nick Mankovich, said: “The next-step security effort should produce tangible, practical guidance that maintains the quality and continuity of healthcare delivery. As a security and privacy leader working with medical devices, I am pleased to join providers, IT vendors, health plan leaders and others in realizing security that meets the needs of 21st century healthcare and that we and our families can trust.
“The challenge is to balance the requirements of the diverse players and produce real improvement."