Hacking into e-health records is too easy, group says

Hacking into e-health records is too easy, group says
Hacking into e-health records is too easy, group says 

By Nancy Ferris
Sept. 17, 2007

Hackers can access many e-health records and modify them unbeknownst to 
the softwares legitimate users, according to a new study by an 
organization concerned about EHR vulnerabilities.

The E-Health Vulnerability Reporting Program (EHVRP) [1], a nonprofit 
organization formed in 2006, issued a summary of its findings after a 
15-month study assessing the security risks associated with EHR systems.

It found that a low level of hacking skills would suffice to get into a 
system, retrieve data and make changes, such as altering medication 
dosages or deleting records.

The good news: The risk of vulnerability exploitation can be 
dramatically reduced when vulnerabilities are known and appropriate 
security controls are in place, the reports executive summary states.

For the most part, EHR systems are no more vulnerable to hackers than 
other kinds of application software used in other industries, the report 
states. However, medical software users are less aware of 
vulnerabilities and are spending less on IT security as a portion of 
their revenues, the study found.

It recommended that EHR software vendors do more testing of their 
systems security and disclose to customers any vulnerabilities they 
find. Vendors' remediation of vulnerabilities often takes too long, it 

The study is leading to the formation of another organization that will 
focus on health information technology application security. The health 
care industry is taking steps to be more diligent and coordinated in 
addressing information security issues, Daniel Nutkis, a Dallas 
consultant and an EHVRP board member, said in a statement.

To that end, a number of leading organizations representing providers, 
medical device manufacturers, electronic health record vendors, 
information security vendors, health plans, pharmacies and 
pharmaceutical manufacturers have begun the formation of an organization 
to shepherd and guide information security issues facing the US 
healthcare industry," he added.

"The organization will focus on information security process, practice 
and policy, while coordinating with the existing national and 
international standards and certification organizations. It will 
publicly announce its plans shortly.

Although the Certification Commission for Healthcare IT tests EHR 
products for security, the report states that testing was not revealing 
the vulnerabilities. The EHVRP did penetration testing of seven systems, 
including five certified by CCHIT.

One of the systems tested was the system used by HealthCare Partners 
Medical Group in Southern California. Leo Dittemore, the groups IT 
security director, said the testing revealed vulnerabilities that the 
group has remedied with measures such as an intrusion-prevention system.

The study also included a survey of 850 health care provider 


CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - 

Site design & layout copyright © 1986-2014 CodeGods