September 17, 2007 1:58 PM PDT

Study finds electronic health records vulnerable

by Robert Vamosi

(Credit: CoActiv)

The results of a fifteen-month study assessing the time to patch software associated with electronic health record (EHR) systems were published today by the eHealth Vulnerability Reporting Program. The program is a collaboration of health care industry organizations, technology companies and security professionals that is attempting to establish best practices, within the emerging field of electronic health records, for the adoption of and reliance on eHealth systems, including electronic medical records (EMR), picture archiving and communication systems (PACS), and medical devices. The 39-page report found much room for improvement.

It's one thing to have your credit card information compromised--that can be replaced. It's another to have your health history hacked and made public. The report focused mainly on how medical equipment providers currently disclose vulnerabilities to customers, preventing hospitals and doctors from appropriately managing risk.

The amount of time between when an eHealth vendor is notified of a vulnerability and when that vulnerability is patched exceeded the time to patch for mainstream application software. For example, one medical application in the study remained unpatched after 2,211 days; another was 384 days and counting. By comparison, Brian Krebs of The Washington Post found that the time to patch for Microsoft Internet Explorer was only 284 days.

No one organization has purview over vulnerabilities in eHealth applications, the report found. Organizations such as the Certification Commission for Healthcare Information Technology (CCHIT) and Healthcare Information Technology Standards Panel (HITSP) offer general security practices and standards, but no assessment of risks associated with reported (or unreported "zero day") threats.

The eHealth Vulnerability Reporting Program would like to see eHealth vendors collaborate with security software vendors to establish ethical testing and reporting, along with better disclosure, vendor certification and, of course, more public education about the problem.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
(4 Comments)
Health Care's reliance on Microsoft products partly to blame.
by Microsoft_Facts September 17, 2007 5:11 PM PDT
Health care knows that without biodiversity a single virus can wipe out an entire species. Yet, health care IT in the US is nearly 100% reliant on Microsoft technologies. Nearly all practice management applications run on MSDE or SQL databases; those that do not still require Microsoft clients. Many insurance web sites are written with non-standard code that only works with IE. Until this changes, health care IT systems will always be vulnerable compared to non-MS systems.
The EHVRP report is inaccessible
by arshadnoor January 8, 2008 1:51 PM PST
The 39-page report referenced in the article is inaccessible. How does one get the report? Thanks.
The entire site is now inaccessible
by Robert Vamosi January 8, 2008 2:37 PM PST
Since writing my original blog last September, I see that the organization has password protected its entire site, http://www.ehvrp.org/. There's not much that I can offer except to remove the link from my blog. A quick search in Google failed to reveal any mirror sites or cached copies of the report.
by JayAndrews May 22, 2009 4:25 AM PDT
Particularly in the sensitive area of health records, where the industry is undergoing a digital revolution, as the medical food chain looks to create individual electronic health records. There's a lot of ground that needs to be covered before the official electronic health record