Security Breaches Still Problematic for EHRs

By Jennifer Decker Arevalo, MA, contributor

As more healthcare organizations, including regional health information networks, hospitals, and private practices, adopt electronic health record (EHR) systems, there is a growing concern among providers, patients and industry insiders about data sharing, privacy, security and identity theft.

Newspaper headlines from across the country reflecting these issues prompted the eHealth Vulnerability Reporting Program (EHVRP) to launch a 15-month study in the spring of 2006 to assess EHR systems security breaches; its findings have just been released.

The EHVRP consists of professionals from health care organizations and technology and security companies whose mandate is to establish procedures that ensure eHealth systems have the highest levels of privacy and security.

For this study, the EHVRP board of advisors reviewed current industry practices regarding health care information security, assessed the level of risk related to EHRs, benchmarked health care information security practices against those of other industries and, based on their findings, recommended specific solutions to better protect EHRs.

After surveying more than 850 provider organizations and performing penetration testing of seven eHealth systems, including five ambulatory EHR systems certified by the Certification Commission for Healthcare Information Technology (CCHIT), the EHVRP uncovered numerous security issues. (CCHIT developed certifications for EHRs as a tool to evaluate their applications on criteria such as functionality, interoperability and security capabilities.) The study's key findings were:

  • EHR vulnerabilities can be exploited to gain control of the application or to access data for modification or retrieval.
  • EHR applications have vulnerabilities consistent with those of other complex applications.
  • The time between when an EHR vendor becomes aware of a vulnerability and when it is resolved can be lengthy.
  • Security software, also referred to as intrusion prevention systems (IPS), can effectively reduce the time of exposure.
  • EHR vendors are not disclosing, or are poorly disclosing, EHR vulnerabilities to their customers, making it difficult for customers to manage the risk.
  • EHR systems are vulnerable to exploitation given existing industry development and disclosure practices.
  • No organization could be identified that has the responsibility, charter or mission to address security risks and vulnerabilities in eHealth applications, or that has guidelines in place to reduce them. (CCHIT certifications do not address application vulnerabilities, i.e., flaws in the software.)

Various brands of EHRs used by small, medium and large practices were evaluated and tested, using standard tools and techniques, to understand the type and severity of vulnerabilities, as well as the practices and processes implemented by vendors and customers to reduce security issues.

Based on these findings, the EHVRP recommends that EHR vendors, customers and information security consultants collaborate with each other to share vulnerability information, so as to better understand and compensate for security risks.

John Halamka, MD, MS, a board member of EHVRP and chief information officer for CareGroup Health System and its affiliated teaching hospital, Beth Israel Deaconess Medical Center, along with Harvard Medical School in Boston, knows from experience the importance of voluntarily sharing information for the good of all.

In 2002, Beth Israel experienced one of the worst health care information technology disasters ever when its network crashed repeatedly for four days, forcing the hospital to revert to paper records and divert patients from the emergency department for two days and, ultimately, overhaul the entire system.

“I have always shared my experiences, good and bad, with the industry. In order to foster such sharing, there needs to be a non-punitive reporting mechanism, so that folks are not penalized for their honesty,” said Dr. Halamka.

Additionally, the EHVRP suggests the creation of a new entity, consisting of representatives from eHealth application vendors, health plans, information security vendors, medical device manufacturers, pharmaceutical manufacturers, pharmacies, providers and government, to address the security issues uncovered in the study.

The EHVRP is also encouraging security software and services vendors to develop solutions to address the needs of eHealth systems, such as CCHIT certified EHRs, for both large and small organizations.

“Bear in mind that just because you have addressed a problem today, doesn’t mean a different problem won’t arise tomorrow,” said Dr. Halamka. “Hackers innovate, information technology departments protect, hackers innovate and the cycle continues. Providing security is a journey and we have been on the path to security best practices for many years and will continue to do so.”

“A well-trained and staffed security team is essential to success,” writes Dr. Halamka in his blog. “To keep our organizations secure, I have a full time security officer and a team of security professionals maintaining our firewall rules, intrusion detection/prevention software and our auditing systems.”

“We also use an outside firm, Third Brigade, to do a yearly ‘attack’ on our systems as a true test of our vulnerabilities,” continued Dr. Halamka. “This is high value for us since it enables us to focus our limited resources on those areas of greatest concern. Choose a firm that can address your most significant vulnerabilities.”

For organizations that cannot afford to hire an outside consultant, Dr. Halamka provides a list and details of “The Top Ten Things a CIO Can Do to Enhance Security” on his blog. The EHVRP also recommends that educational material and support outreach on information security issues relating to eHealth systems be created, along with guidelines and requirements for EHR vendors and customers regarding systems hardening and the implementation of compensating controls.

Dr. Halamka believes that every health care staff member, including nurses and nurse managers, should be required to have privacy training. “In our case, it's a review of a 60-slide PowerPoint presentation, followed by a written test. Training, plus enforcement via audit trails reviewed by a privacy officer at our institution, has been very effective for us.”

“Security cannot be an afterthought; it’s a project that must be resourced,” continued Dr. Halamka in his blog. “Compliance with HIPAA is a key motivator to implement good security, but most important is retaining the trust of our patients. We are the stewards of their data and our security systems are the last defense against breaches of confidentiality.”

© 2007. AMN Healthcare, Inc. All Rights Reserved.