Health Care Industry Leaders Convene To Address Security Vulnerabilities In Health Information Systems

Share Article

eHealth Vulnerability Reporting Program launches to standardize vulnerability testing and reporting in eHealth systems.

Leading health care industry executives today announced the formation of the eHealth Vulnerability Reporting Program (http://www.ehvrp.org), an initiative created to enhance the security of eHealth systems. The program will establish a framework by which eHealth system developers, their customers and security companies communicate vulnerabilities and aid in determining the most appropriate mitigation strategy. It will also facilitate the identification and communication of pertinent and time sensitive information regarding security vulnerabilities for the purpose of enabling organizations to better evaluate and manage associated risks.

“While both the health care industry and government recognize the enormous potential electronic health record systems possess, we shouldn’t lose sight of the risks and challenges they introduce,” said Augusta Kairys, Vice President, Provider Relations, Highmark BlueCross BlueShield and board member, eHealth Vulnerability Reporting Program. “Exploitation of security vulnerabilities has the potential to undermine physician and consumer confidence in these systems. Our goal is to establish a mechanism to identify and communicate security vulnerabilities, thereby minimizing their exploitation.”

“eHealth applications, such as electronic health record systems are large, complex, ever-evolving applications that rely on many millions of lines of code. Therefore, it is unrealistic to think electronic health record systems won’t have vulnerabilities,” said Robert Schaich, Vice President, Information Systems and Chief Information Officer, Sierra Health Services, Inc. and board member, eHealth Vulnerability Reporting Program.

While certification mechanisms provide an important industry benchmark and guideline for application functionality, interoperability and security, they vary in the level of detail and frequency of review. Security vulnerabilities are unlikely to be identified through questionnaires and standard reviews. Vulnerabilities may also relate to the operating environment and can be introduced through even the most modest code changes. The program will establish a mechanism to identify and categorize the severity of vulnerabilities, criteria for assessment, format and frequency of reporting, disclosure procedures, and models to implement compensating controls where appropriate.

In addition, the eHVRP will also enable vendors and systems integrators to proactively address the vulnerabilities in their products through testing and remediation mechanisms. “It is important that the varying initiatives that overlap relating to security and privacy are coordinated at some level. We will ensure the eHVRP complements and coordinates with existing regional and national security initiatives,” said Dr. John Halamka, Chief Information Officer, CareGroup Health System and Harvard Medical School and board member, eHealth Vulnerability Reporting Program.

To ensure the program is being guided appropriately a board has been assembled comprised of the following health industry executives:

  •     Paul Connelly, Vice President and Chief Information Security Officer, Hospital Corporation Of America
  •     John Halamka, MD, MS, Chief Information Officer, CareGroup Health System and Harvard Medical School
  •     Augusta Kairys, Vice President, Provider Relations, Highmark BlueCross BlueShield
  •     Robert Mandel, MD, MBA, Vice President, Health Care Services, BlueCross BlueShield of Massachusetts
  •     Daniel S. Nutkis, Principal, DNI
  •     Catherine Peper, Vice President, eMedicine, BlueCross BlueShield of Florida and Vice Chair, BlueCross BlueShield Association Information Security Advisory Group
  •     Robert L. Schaich, Vice President, Information Systems and Chief Information Officer, Sierra Health Services, Inc.

“With the dramatic increase in the adoption of and reliance on eHealth systems, including electronic health records, portals and medical devices, eHealth systems are now considered a cornerstone for overhauling the current healthcare system, managing costs and increasing quality,” said Paul Connelly, Vice President and Chief Information Security Officer, Hospital Corporation Of America. “Considering this heavy investment, it is critical to ensure the integrity, confidentiality and accessibility of these applications and data.”

The eHVRP will consist of the following working groups:

  •     Vulnerability Assessment - will make recommendations on the methodology, measures and tools to be used to assess eHealth system vulnerabilities.
  •     Vulnerability Reporting - will establish and recommend appropriate reporting mechanisms including frequency, formats and content of information.
  •     Communications - will establish and recommend processes for communications including identification of appropriate parties, timing, and roles.
  •     Legal - will establish and recommend appropriate agreements, guidelines and disclosures as well as address legal issues associated with the program.

The eHealth Vulnerability Reporting Program is now soliciting members to staff the working groups and invites interested health IT executives, IT security, and electronic health record system vendors to participate in the working groups. If you are interested in participating on a working group, please send an email to info [at] ehvrp.org indicating your interest.

About eHealth Vulnerability Reporting Program

Founded in May, 2006, the eHealth Vulnerability Reporting Program (eHVRP) is a collaborative of health care industry organizations, technology companies and security professionals. eHVRP’s mandate is to establish approaches and procedures that will help ensure eHealth systems are broadly and rapidly deployed with the highest levels of privacy and security. For more information please visit our website at http://www.ehvrp.org.

For more information, please contact:

General and working group information:

info [at] ehvrp.org

Media contact:

Kathryn Schwab

Schwabco Communications Inc.

613-858-4407

schwab2 [at] sympatico.ca

###

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Kathryn Schwab
Visit website