<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.3.2" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>
<channel>
	<title>Comments on: Are Online Electronic Health Records Secure?</title>
	<link>http://www.healthpolcom.com/blog/2008/06/18/are-online-electronic-health-records-secure/</link>
	<description>A Forum for Discussing and Analyzing Healthcare Issues</description>
	<pubDate>Sat, 22 Nov 2008 14:35:49 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.3.2</generator>
		<item>
		<title>By: Michael</title>
		<link>http://www.healthpolcom.com/blog/2008/06/18/are-online-electronic-health-records-secure/#comment-5517</link>
		<dc:creator>Michael</dc:creator>
		<pubDate>Thu, 20 Nov 2008 02:58:05 +0000</pubDate>
		<guid>http://www.healthpolcom.com/blog/2008/06/18/are-online-electronic-health-records-secure/#comment-5517</guid>
		<description>&lt;strong&gt;hipaa data security...&lt;/strong&gt;

I can't believe I missed this! I'm going to have to do some more reading me thinks....</description>
		<content:encoded><![CDATA[<p><strong>hipaa data security&#8230;</strong></p>
<p>I can&#8217;t believe I missed this! I&#8217;m going to have to do some more reading me thinks&#8230;.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Grant Peterson, J.D.</title>
		<link>http://www.healthpolcom.com/blog/2008/06/18/are-online-electronic-health-records-secure/#comment-2863</link>
		<dc:creator>Grant Peterson, J.D.</dc:creator>
		<pubDate>Thu, 18 Sep 2008 23:19:20 +0000</pubDate>
		<guid>http://www.healthpolcom.com/blog/2008/06/18/are-online-electronic-health-records-secure/#comment-2863</guid>
		<description>Michael -

Your post is timely... A CNET News Blog report on September 17th indicated that a new study finds electronic health records vulnerable. Posted by Robert Vamosi, the author points out that the results of a fifteen-month study assessing the time to patch software associated with electronic health record (EHR) systems were published today by the eHealth Vulnerability Reporting Program. The program is a collaboration of health care industry organizations, technology companies and security professionals that is attempting to establish best practices within the emerging field of electronic health records in the adoption and reliance of eHealth systems, including electronic medical records (EMR), picture archiving and communication system (PACS), and medical devices. The 39-page report found much room for improvement.

The amount of time between when an eHealth vendor is notified of a vulnerability and when that vulnerability is patched exceeded the time needed to patch in mainstream application software. For example, one medical application in the study remained unpatched after 2,211 days; another was 384 days and counting. By comparison, Brian Krebs of The Washington Post found that the time to patch for Microsoft Internet Explorer was only 284 days.

No one organization has providence over vulnerabilities in eHealth applications, the report found. Organizations such as the Certification Commission for Healthcare Information Technology (CCHIT) and Healthcare Information Technology Standards Panel (HITSP) offer general security practices and standards, but no assessment of risks associated with reported (or unreported "zero day") threats.

This report is a major example of the work healthcare has to do to adequately shore up its HIPAA security compliance.

Grant Peterson, J.D.   www.dgpeterson.com</description>
		<content:encoded><![CDATA[<p>Michael -</p>
<p>Your post is timely&#8230; A CNET News Blog report on September 17th indicated that a new study finds electronic health records vulnerable. Posted by Robert Vamosi, the author points out that the results of a fifteen-month study assessing the time to patch software associated with electronic health record (EHR) systems were published today by the eHealth Vulnerability Reporting Program. The program is a collaboration of health care industry organizations, technology companies and security professionals that is attempting to establish best practices within the emerging field of electronic health records in the adoption and reliance of eHealth systems, including electronic medical records (EMR), picture archiving and communication system (PACS), and medical devices. The 39-page report found much room for improvement.</p>
<p>The amount of time between when an eHealth vendor is notified of a vulnerability and when that vulnerability is patched exceeded the time needed to patch in mainstream application software. For example, one medical application in the study remained unpatched after 2,211 days; another was 384 days and counting. By comparison, Brian Krebs of The Washington Post found that the time to patch for Microsoft Internet Explorer was only 284 days.</p>
<p>No one organization has providence over vulnerabilities in eHealth applications, the report found. Organizations such as the Certification Commission for Healthcare Information Technology (CCHIT) and Healthcare Information Technology Standards Panel (HITSP) offer general security practices and standards, but no assessment of risks associated with reported (or unreported &#8220;zero day&#8221;) threats.</p>
<p>This report is a major example of the work healthcare has to do to adequately shore up its HIPAA security compliance.</p>
<p>Grant Peterson, J.D.   <a href="http://www.dgpeterson.com" rel="nofollow">http://www.dgpeterson.com</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Grant Peterson, J.D.</title>
		<link>http://www.healthpolcom.com/blog/2008/06/18/are-online-electronic-health-records-secure/#comment-1093</link>
		<dc:creator>Grant Peterson, J.D.</dc:creator>
		<pubDate>Wed, 30 Jul 2008 23:10:52 +0000</pubDate>
		<guid>http://www.healthpolcom.com/blog/2008/06/18/are-online-electronic-health-records-secure/#comment-1093</guid>
<description>Your post, Are Online Electronic Health Records Secure?, is an excellent example of the threats healthcare faces from the outside. Even more disturbing is the lack of strong security enforcement measures internally.

As a HIPAA compliance consultant, I make a point of asking if the client or their IT outsource vendor has conducted a security evaluation (a standard within the HIPAA security regulations) - answers range from “Didn’t know it was required” to “I’ll check with our IT outsource group”. I find the Evaluation Standard is often overlooked, but also an indispensable provision for assuring a regular checkup of an organization's security status.

HIPAA created the Evaluation Standard 164.308(a)(8), which requires a periodic technical and non-technical evaluation of the healthcare organization's security safeguards to demonstrate and document compliance with their security policy and the security rule requirements. Incidentally, this is a required standard, meaning, "a covered entity must implement the implementation specifications".

The Evaluation Standard 164.308(a)(8) specifies:

"HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart".

Aside from the Evaluation standard, HIPAA provides other strong security measures, including - 
Security Management process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Business Associate Contracts and Other Arrangements
Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls
Access Control
Audit Controls
Integrity
Person or Entity Authentication
Transmission Security

A key to answering Are Online Electronic Health Records Secure? requires an appreciation for the "outside" threats, as well as a commitment to "internal" HIPAA security standards.

Read more at: http://grantpeterson.matrixblogsuite.com/</description>
<content:encoded><![CDATA[<p>Your post, Are Online Electronic Health Records Secure?, is an excellent example of the threats healthcare faces from the outside. Even more disturbing is the lack of strong security enforcement measures internally.</p>
<p>As a HIPAA compliance consultant, I make a point of asking if the client or their IT outsource vendor has conducted a security evaluation (a standard within the HIPAA security regulations) - answers range from “Didn’t know it was required” to “I’ll check with our IT outsource group”. I find the Evaluation Standard is often overlooked, but also an indispensable provision for assuring a regular checkup of an organization&#8217;s security status.</p>
<p>HIPAA created the Evaluation Standard 164.308(a)(8), which requires a periodic technical and non-technical evaluation of the healthcare organization&#8217;s security safeguards to demonstrate and document compliance with their security policy and the security rule requirements. Incidentally, this is a required standard, meaning, &#8220;a covered entity must implement the implementation specifications&#8221;.</p>
<p>The Evaluation Standard 164.308(a)(8) specifies:</p>
<p>&#8220;HIPAA Standard: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart&#8221;.</p>
<p>Aside from the Evaluation standard, HIPAA provides other strong security measures, including -<br />
Security Management process<br />
Assigned Security Responsibility<br />
Workforce Security<br />
Information Access Management<br />
Security Awareness and Training<br />
Security Incident Procedures<br />
Contingency Plan<br />
Business Associate Contracts and Other Arrangements<br />
Facility Access Controls<br />
Workstation Use<br />
Workstation Security<br />
Device and Media Controls<br />
Access Control<br />
Audit Controls<br />
Integrity<br />
Person or Entity Authentication<br />
Transmission Security</p>
<p>A key to answering Are Online Electronic Health Records Secure? requires an appreciation for the &#8220;outside&#8221; threats, as well as a commitment to &#8220;internal&#8221; HIPAA security standards.</p>
<p>Read more at: <a href="http://grantpeterson.matrixblogsuite.com/" rel="nofollow">http://grantpeterson.matrixblogsuite.com/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: ShaneBRJ</title>
		<link>http://www.healthpolcom.com/blog/2008/06/18/are-online-electronic-health-records-secure/#comment-609</link>
		<dc:creator>ShaneBRJ</dc:creator>
		<pubDate>Sat, 21 Jun 2008 19:17:52 +0000</pubDate>
		<guid>http://www.healthpolcom.com/blog/2008/06/18/are-online-electronic-health-records-secure/#comment-609</guid>
<description>Welllllll.  I work for a not to be named Gvt. entity, where all records are electronic. The VA.  Where our Computer system, how to put this politely, SUCKS.  It runs incredibly slow. AND it has been hacked into... And me, a former Vet, received an official letter, letting me know my VA info had got out... That was impressive. And pissed me off.  The system is nationwide, and records are "Supposedly" accessible in the VISN only, but there are national access points. Which makes it very vulnerable.

  Case in point. The Power outage in Florida, was caused by a Government Hacker from China.. And the Ohio River Valley Power Blackout was also caused by a Chinese Hacker... SO, what is to stop a Major International power, i.e. The PDRC, from hacking into the VA data base, when they are known to have an extensive Cyber Security Division, whose sole purpose is to obtain Computer information from.. everyone...

   And the recent report of a Computer that had been hijacked, and the poor soul who worked at it, was arrested and charged with Child Pornography, and it wasn't until some smart person realized his computer was running at 4 x the bandwidth it was set up for, that a virus was found... Multiple viruses as a matter of fact: Child porn, Auto clicking, Adult web site... I am forced to use E-records, but I will edit what I enter at times to protect the patient.</description>
<content:encoded><![CDATA[<p>Welllllll.  I work for a not to be named Gvt. entity, where all records are electronic. The VA.  Where our Computer system, how to put this politely, SUCKS.  It runs incredibly slow. AND it has been hacked into&#8230; And me, a former Vet, received an official letter, letting me know my VA info had got out&#8230; That was impressive. And pissed me off.  The system is nationwide, and records are &#8220;Supposedly&#8221; accessible in the VISN only, but there are national access points. Which makes it very vulnerable.</p>
<p>  Case in point. The Power outage in Florida, was caused by a Government Hacker from China.. And the Ohio River Valley Power Blackout was also caused by a Chinese Hacker&#8230; SO, what is to stop a Major International power, i.e. The PDRC, from hacking into the VA data base, when they are known to have an extensive Cyber Security Division, whose sole purpose is to obtain Computer information from.. everyone&#8230;</p>
<p>   And the recent report of a Computer that had been hijacked, and the poor soul who worked at it, was arrested and charged with Child Pornography, and it wasn&#8217;t until some smart person realized his computer was running at 4 x the bandwidth it was set up for, that a virus was found&#8230; Multiple viruses as a matter of fact: Child porn, Auto clicking, Adult web site&#8230; I am forced to use E-records, but I will edit what I enter at times to protect the patient.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
