eHVRP Study Finds Healthcare Industry Must Do More to Protect Electronic Health Record Systems

Share Article

Industry leaders join forces to address information security concerns.

We volunteered to be a demonstration site to aid us in gaining a better understanding of the methods used by people trying to gain unauthorized access to our systems and data. We wanted to participate with other EHR users and vendors to share information, define processes to identify vulnerabilities, and mitigate methods attackers could use to exploit them

The board of the eHealth Vulnerability Reporting Program (eHVRP.org), today made public the results of a fifteen-month study assessing the security risks associated with electronic health record (EHR) systems. The study evaluated current industry information security practices, assessed level of risk related to EHR systems, benchmarked healthcare information security practices against other industries, and produced a set of recommendations relating to activities beneficial to protecting information systems in the healthcare industry.

The increasing adoption of ehealth systems including EHRs is fundamental to the transformation of the healthcare system. The information created, accessed and stored in these systems, and their ability to integrate with health information networks and data exchanges, introduces complex security issues. This, coupled with the rising number of information security breaches, has raised concerns regarding their vulnerability.

“The industry is investing in, and relying heavily on, the promise that these systems offer through improvements in quality and efficiency of care. As such, we must take every measure possible to protect these systems, avoid any disruption in their use, and to ensure consumer confidence is maintained,” said Dr. Robert Mandel, Vice President, Health Care Services, Blue Cross Blue Shield of Massachusetts and eHVRP board member.

Although existing application certifications are an important tool to aid in evaluating applications, including their functionality, interoperability and security capabilities, these certifications do not address application hardening or known vulnerability reporting.

"The utilization of health information networks allows entities both large and small to access enormous amounts of patients’ medical information in electronic form. Patients expect their information to be protected, therefore, data sharing is only possible when patients trust that their privacy will be protected," said Dr. John Halamka, Chief Information Officer, CareGroup Health System and Harvard Medical School, chair of the Healthcare Information Technology Standards Panel (HITSP) and eHVRP board member.

“It is important to recognize that information security vulnerabilities are mostly defects in the application or underlying environment and a certain number are a fact of life for all complex information systems,” said Paul Connelly, Vice President and Chief Information Security Officer, Hospital Corporation of America and eHVRP board member. “However, the key is to ensure organizations are expeditiously made aware of the vulnerabilities and have policies, practices and technology to assess and mitigate these risks. As a large healthcare organization we have resources to address these issues that may not be available to many smaller organizations. As an industry, we need to work with our vendor partners to establish consistent expectations regarding security.”

Synopsis of Study Findings and Results

The study was supported by various working groups, penetration testing resources and demonstration sites, and was overseen by a board of advisors. The study included a survey of over 850 provider organizations, and penetration testing of seven ehealth systems, including five CCHIT certified ambulatory EHR systems. The evaluation and testing was performed on EHR systems targeting small, medium and large practices. It was not intended to be representative of a specific EHR system, but to understand the type and severity of vulnerabilities, and practices and processes implemented by vendors and customers to mitigate security related issues.

The overall finding from the study concludes commercial EHR systems are vulnerable to exploitation given existing industry development and disclosure practices. A summary of the findings is as follows:

  • In all cases, evaluated EHR system vulnerabilities could be identified using standard tools and techniques. Subsets of these vulnerabilities were exploited to gain control of the application and access to data to demonstrate the potential consequences.
  • EHR vendors are either not disclosing or inadequately disclosing system vulnerabilities to customers, preventing organizations from appropriately managing risk or implementing compensating controls.
  • No industry organization could be identified that has established guidelines or practices to appropriately mitigate and manage risks associated with ehealth systems.
  • No industry organization could be identified that has the responsibility, charter or mission to address security vulnerabilities in ehealth systems.

Given these findings, a set of recommendations were developed and are summarized as follows:

  • To establish better collaboration between customers, EHR vendors and information security vendors to facilitate exchange of vulnerability information.
  • To create educational material and support outreach on information security issues relating to ehealth systems.
  • To create guidelines and requirements for EHR vendors and customers regarding systems hardening and implementation of compensating controls.
  • To encourage and facilitate information security software and services vendors to develop solutions to address the needs of common ehealth systems (such as CCHIT certified EHRs) and solutions targeted at smaller organizations.
  • To establish an entity to carry forward recommendations noted in the study.

“We volunteered to be a demonstration site to aid us in gaining a better understanding of the methods used by people trying to gain unauthorized access to our systems and data. We wanted to participate with other EHR users and vendors to share information, define processes to identify vulnerabilities, and mitigate methods attackers could use to exploit them,” said Leo Dittemore, Director, IS Security, HealthCare Partners Medical Group. “We have since implemented compensating controls such as a host intrusion prevention system, which has addressed issues with no impact on operations or usability. We look forward to continuing this partnership in supporting our patients, providers, and partners.”

"As the healthcare industry strives to rapidly externalize and make health information transparent, it must also take appropriate measures to protect private and confidential information from inappropriate disclosure,” said Catherine Peper, CISSP, CISM and VP of Health Information Technology at Blue Cross and Blue Shield of Florida and eHVRP board member. “We must work together to prevent external parties, or misinformed or misguided internal ones, from exploiting vulnerabilities in electronic medical record applications. It is the board’s hope that the industry receives this message and responds appropriately.”

"The healthcare industry is taking steps to be more diligent and coordinated in addressing information security issues,” said Daniel Nutkis, Principal, DNI and eHVRP board member. “To that end, a number of leading organizations representing providers, medical device manufacturers, electronic health record vendors, information security vendors, health plans, pharmacies and pharmaceutical manufacturers have begun the formation of an organization to shepherd and guide information security issues facing the US healthcare industry. The organization will focus on information security process, practice and policy, while coordinating with the existing national and international standards and certification organizations. It will publicly announce its plans shortly.”

"The next-step security effort should produce tangible, practical guidance that maintains the quality and continuity of healthcare delivery," said Dr. Nick Mankovich, Director Product Security & Privacy, Philips Medical Systems. “As a security and privacy leader working with medical devices, I am pleased to join providers, IT vendors, health plan leaders and others in realizing security that meets the needs of 21st century healthcare and that we and our families can trust. The challenge is to balance the requirements of the diverse players and produce real improvement."

An executive briefing document summarizing the report including findings and recommendations is available at http://www.ehvrp.org/report.html. Additionally, the full report will be made available shortly and will also be available at http://www.ehvrp.org/report.html.

About eHealth Vulnerability Reporting Program
Founded in May, 2006, the eHealth Vulnerability Reporting Program (eHVRP) is a collaborative of health care industry organizations, technology companies and security professionals. eHVRP’s mandate is to establish approaches and procedures that will help ensure eHealth systems are broadly and rapidly deployed with the highest levels of privacy and security. For more information please visit our website at http://www.ehvrp.org.

For more information, please contact:

Media contact:
Kathryn Schwab
pr @ ehvrp.org
613-858-4407

# # #

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Kathryn Schwab

613-858-4407
Email >
Visit website