eHealth Vulnerability Reporting Program study findings

The board of the eHealth Vulnerability Reporting Program (eHVRP.org), today made public the results of a fifteen-month study assessing the security risks associated with electronic health record (EHR) systems. The study evaluated current industry information security practices, assessed level of risk related to EHR systems, benchmarked healthcare information security practices against other industries, and produced a set of recommendations relating to activities beneficial to protecting information systems in the healthcare industry.

The increasing adoption of ehealth systems including EHRs is fundamental to the transformation of the healthcare system. The information created, accessed and stored in these systems, and their ability to integrate with health information networks and data exchanges, introduces complex security issues. This, coupled with the rising number of information security breaches, has raised concerns regarding their vulnerability.

The study was supported by various working groups, penetration testing resources and demonstration sites, and was overseen by a board of advisors. The study included a survey of over 850 provider organizations, and penetration testing of seven ehealth systems, including five CCHIT certified ambulatory EHR systems. The evaluation and testing was performed on EHR systems targeting small, medium and large practices. It was not intended to be representative of a specific EHR system, but to understand the type and severity of vulnerabilities, and practices and processes implemented by vendors and customers to mitigate security related issues.

The overall finding from the study concludes commercial EHR systems are vulnerable to exploitation given existing industry development and disclosure practices. A summary of the findings is as follows:

” In all cases, evaluated EHR system vulnerabilities could be identified using standard tools and techniques.  Subsets of these vulnerabilities were exploited to gain control of the application and access to data to demonstrate the potential consequences.

” EHR vendors are either not disclosing or inadequately disclosing system vulnerabilities to customers, preventing organizations from appropriately managing risk or implementing compensating controls.

” No industry organization could be identified that has established guidelines or practices to appropriately mitigate and manage risks associated with ehealth systems.

” No industry organization could be identified that has the responsibility, charter or mission to address security vulnerabilities in ehealth systems.

Given these findings, a set of recommendations were developed and are summarized as follows:

“To establish better collaboration between customers, EHR vendors and information security vendors to facilitate exchange of vulnerability information.

“To create educational material and support outreach on information security issues relating to ehealth systems.

“To create guidelines and requirements for EHR vendors and customers regarding systems hardening and implementation of compensating controls.

“To encourage and facilitate information security software and services vendors to develop solutions to address the needs of common ehealth systems (such as CCHIT certified EHRs) and solutions targeted at smaller organizations.