October 1, 2007 - The board of the eHealth Vulnerability Reporting Program recently reported the results of a fifteen-month study assessing the security risks associated with electronic health record (EHR) systems, evaluating current industry information security practices and assessing level of risk related to EHR systems, finding that commercial EHR systems are vulnerable to exploitation given existing industry development and disclosure practices.
In all cases, evaluated EHR system vulnerabilities could be identified using standard tools and techniques. Subsets of these vulnerabilities were exploited to gain control of the application and access to data to demonstrate the potential consequences. EHR vendors are either not disclosing or inadequately disclosing system vulnerabilities to customers, preventing organizations from appropriately managing risk or implementing compensating controls.
No industry organization could be identified that has established guidelines or practices to appropriately mitigate and manage risks associated with ehealth systems. Also, no industry organization could be identified that has the responsibility, charter or mission to address security vulnerabilities in ehealth systems.
The study was supported by various working groups, penetration testing resources and demonstration sites and was overseen by a board of advisors. The study included a survey of over 850 provider organizations and penetration testing of seven ehealth systems, including five CCHIT certified ambulatory EHR systems. The evaluation and testing was performed on EHR systems targeting small, medium and large practices. It was not intended to be representative of a specific EHR system, but to understand the type and severity of vulnerabilities, and practices and processes implemented by vendors and customers to mitigate security related issues.
For more information: www.ehvrp.org