Hacking into e-health records is too easy, group says

Hackers can access many e-health records and modify them unbeknownst to the software’s legitimate users, according to a new study by an organization concerned about EHR vulnerabilities.

The E-Health Vulnerability Reporting Program (EHVRP), a nonprofit organization formed in 2006, issued a summary of its findings after a 15-month study assessing the security risks associated with EHR systems.

It found that a low level of hacking skills would suffice to get into a system, retrieve data and make changes, such as altering medication dosages or deleting records.

The good news: The “risk of vulnerability exploitation can be dramatically reduced when vulnerabilities are known and appropriate security controls are in place,” the report’s executive summary states.

For the most part, EHR systems are no more vulnerable to hackers than other kinds of application software used in other industries, the report states. However, medical software users are less aware of vulnerabilities and are spending less on IT security as a portion of their revenues, the study found.

It recommended that EHR software vendors do more testing of their systems’ security and disclose to customers any vulnerabilities they find. Vendors' remediation of vulnerabilities often takes too long, it added.

The study is leading to the formation of another organization that will focus on health information technology application security. “The health care industry is taking steps to be more diligent and coordinated in addressing information security issues,” Daniel Nutkis, a Dallas consultant and an EHVRP board member, said in a statement.

“To that end, a number of leading organizations representing providers, medical device manufacturers, electronic health record vendors, information security vendors, health plans, pharmacies and pharmaceutical manufacturers have begun the formation of an organization to shepherd and guide information security issues facing the US healthcare industry," he added.

"The organization will focus on information security process, practice and policy, while coordinating with the existing national and international standards and certification organizations. It will publicly announce its plans shortly.”

Although the Certification Commission for Healthcare IT tests EHR products for security, the report states that testing was not revealing the vulnerabilities. The EHVRP did penetration testing of seven systems, including five certified by CCHIT.

One of the systems tested was the system used by HealthCare Partners Medical Group in Southern California. Leo Dittemore, the group’s IT security director, said the testing revealed vulnerabilities that the group has remedied with measures such as an intrusion-prevention system.

The study also included a survey of 850 health care provider organizations.
eHealth Vulnerability Reporting Program

About the Author

Nancy Ferris is senior editor of Government Health IT.

Featured

  • Cybersecurity
    malware detection (Alexander Yakimov/Shutterstock.com)

    Microsoft targets copycat influence websites

    Microsoft went to court to take down websites it believes to be part of a foreign intelligence operation targeting conservative think tanks and the U.S. Senate.

  • Cybersecurity
    secure network

    FAA explores shifting its network to FISMA high

    The Federal Aviation Administration is exploring an upgrade to the information security categorization of IT systems as part of air traffic control modernization.

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.