Good Information Articles

eHVRP Study Finds Healthcare Industry Must Do More to Protect Electronic Health Record Systems

Dallas, TX (PRWEB) September 17, 2007 -- The board of the eHealth Vulnerability Reporting Program (eHVRP.org (www.ehvrp.org)), today made public the results of a fifteen-month study assessing the security risks associated with electronic health record (EHR) systems (www.ehvrp.org/findings.html). The study evaluated current industry information security practices, assessed level of risk related to EHR systems, benchmarked healthcare information security practices against other industries, and produced a set of recommendations relating to activities beneficial to protecting information systems in the healthcare industry.

The increasing adoption of ehealth systems including EHRs is fundamental to the transformation of the healthcare system. The information created, accessed and stored in these systems, and their ability to integrate with health information networks and data exchanges, introduces complex security issues. This, coupled with the rising number of information security breaches, has raised concerns regarding their vulnerability.

?The industry is investing in, and relying heavily on, the promise that these systems offer through improvements in quality and efficiency of care. As such, we must take every measure possible to protect these systems, avoid any disruption in their use, and to ensure consumer confidence is maintained,? said Dr. Robert Mandel, Vice President, Health Care Services, Blue Cross Blue Shield of Massachusetts and eHVRP board member.

Although existing application certifications are an important tool to aid in evaluating applications, including their functionality, interoperability and security capabilities, these certifications do not address application hardening or known vulnerability reporting.

"The utilization of health information networks allows entities both large and small to access enormous amounts of patients? medical information in electronic form. Patients expect their information to be protected, therefore, data sharing is only possible when patients trust that their privacy will be protected," said Dr. John Halamka, Chief Information Officer, CareGroup Health System and Harvard Medical School, chair of the Healthcare Information Technology Standards Panel (HITSP) and eHVRP board member.

?It is important to recognize that information security vulnerabilities are mostly defects in the application or underlying environment and a certain number are a fact of life for all complex information systems,? said Paul Connelly, Vice President and Chief Information Security Officer, Hospital Corporation of America and eHVRP board member. ?However, the key is to ensure organizations are expeditiously made aware of the vulnerabilities and have policies, practices and technology to assess and mitigate these risks. As a large healthcare organization we have resources to address these issues that may not be available to many smaller organizations. As an industry, we need to work with our vendor partners to establish consistent expectations regarding security.?

Synopsis of Study Findings and Results

The study was supported by various working groups, penetration testing resources and demonstration sites, and was overseen by a board of advisors. The study included a survey of over 850 provider organizations, and penetration testing of seven ehealth systems, including five CCHIT certified ambulatory EHR systems. The evaluation and testing was performed on EHR systems targeting small, medium and large practices. It was not intended to be representative of a specific EHR system, but to understand the type and severity of vulnerabilities, and practices and processes implemented by vendors and customers to mitigate security related issues.

The overall finding from the study concludes commercial EHR systems are vulnerable to exploitation given existing industry development and disclosure practices. A summary of the findings is as follows:

? In all cases, evaluated EHR system vulnerabilities could be identified using standard tools and techniques. Subsets of these vulnerabilities were exploited to gain control of the application and access to data to demonstrate the potential consequences.

? EHR vendors are either not disclosing or inadequately disclosing system vulnerabilities to customers, preventing organizations from appropriately managing risk or implementing compensating controls.

? No industry organization could be identified that has established guidelines or practices to appropriately mitigate and manage risks associated with ehealth systems.

? No industry organization could be identified that has the responsibility, charter or mission to address security vulnerabilities in ehealth systems.

Given these findings, a set of recommendations were developed and are summarized as follows:

? To establish better collaboration between customers, EHR vendors and information security vendors to facilitate exchange of vulnerability information.

? To create educational material and support outreach on information security issues relating to ehealth systems.

? To create guidelines and requirements for EHR vendors and customers regarding systems hardening and implementation of compensating controls.

? To encourage and facilitate information security software and services vendors to develop solutions to address the needs of common ehealth systems (such as CCHIT certified EHRs) and solutions targeted at smaller organizations.

? To establish an entity to carry forward recommendations noted in the study.

?We volunteered to be a demonstration site to aid us in gaining a better understanding of the methods used by people trying to gain unauthorized access to our systems and data. We wanted to participate with other EHR users and vendors to share information, define processes to identify vulnerabilities, and mitigate methods attackers could use to exploit them,? said Leo Dittemore, Director, IS Security, HealthCare Partners Medical Group. ?We have since implemented compensating controls such as a host intrusion prevention system, which has addressed issues with no impact on operations or usability. We look forward to continuing this partnership in supporting our patients, providers, and partners.?

"As the healthcare industry strives to rapidly externalize and make health information transparent, it must also take appropriate measures to protect private and confidential information from inappropriate disclosure,? said Catherine Peper, CISSP, CISM and VP of Health Information Technology at Blue Cross and Blue Shield of Florida and eHVRP board member. ?We must work together to prevent external parties, or misinformed or misguided internal ones, from exploiting vulnerabilities in electronic medical record applications. It is the board?s hope that the industry receives this message and responds appropriately.?

"The healthcare industry is taking steps to be more diligent and coordinated in addressing information security issues,? said Daniel Nutkis, Principal, DNI and eHVRP board member. ?To that end, a number of leading organizations representing providers, medical device manufacturers, electronic health record vendors, information security vendors, health plans, pharmacies and pharmaceutical manufacturers have begun the formation of an organization to shepherd and guide information security issues facing the US healthcare industry. The organization will focus on information security process, practice and policy, while coordinating with the existing national and international standards and certification organizations. It will publicly announce its plans shortly.?

"The next-step security effort should produce tangible, practical guidance that maintains the quality and continuity of healthcare delivery," said Dr. Nick Mankovich, Director Product Security & Privacy, Philips Medical Systems. ?As a security and privacy leader working with medical devices, I am pleased to join providers, IT vendors, health plan leaders and others in realizing security that meets the needs of 21st century healthcare and that we and our families can trust. The challenge is to balance the requirements of the diverse players and produce real improvement."

An executive briefing document summarizing the report including findings and recommendations is available at www.ehvrp.org/report.html. Additionally, the full report will be made available shortly and will also be available at www.ehvrp.org/report.html.

About eHealth Vulnerability Reporting Program

Founded in May, 2006, the eHealth Vulnerability Reporting Program (www.ehvrp.org) (eHVRP) is a collaborative of health care industry organizations, technology companies and security professionals. eHVRP?s mandate is to establish approaches and procedures that will help ensure eHealth systems are broadly and rapidly deployed with the highest levels of privacy and security. For more information please visit our website at www.ehvrp.org.

For more information, please contact:

Media contact:

Kathryn Schwab

pr @ ehvrp.org

613-858-4407

# # #

Other Article Sites

findabook.com  moneycd.info  a-mortgage.info   about-lemon-laws.info  aboutstudentloans.info
all-about-publishing.info  auctions-articles.info  bestcollege-university.com  bestispconnection.com
biblefolder.com  blogger-website.com  books-used.info  brokers-guide.info  buywindows.info  cable-dsl.info
career-miner.com  carpel-tunnel.info  cashinaflash.info  cashloanreviews.info  casinobell.com  chat-house.info
clearmycredit.info  collegeloantips.info  crones.info  depression-articles.info   dirnic.net  dishguides.info
divers-below.com  expodog.info   financewizz.com  fire-insurance.info  getgood.info  handleit.net   it-idea.info
health-supplies.info  hosting-right.com  insidealert.com  insurance-facts.info  jobs-employment.info
justgood.info  lookgold.net   lowcost-travel.info  money-source.info  myhostzone.info  numisblog.com
peoplesearchfinder.info  pr-articles.info  realeas.com   refinancing-guides.info  spyware-remove.info
telelot.info  the-law.info   toppaid.info  travel-deals.info  travelcorrect.com  wedding-guide-site.com
your-blog.info  your-credit.info

MORE ARTICLES:

Work From Home - Online Resource Center for Home Based Online Jobs and Internet Based Business
Welcome to Work from Home?s ?an online guide and resource website to help you Start and grow your Home based Job and Business. Please note that we are only offering information on Work from Home Jobs and Business opportunities. We are not offering you a job or a business tie-up. Please read through the website as you will find valuable information and resources to start and grow your home based business. www.homebasedonlinejobs.com

Low-Income Families in Portland Will Soon Have Free Broadband Internet at Home
Cricket Will Provide Free High-Speed Wireless Internet to 100 Portland Families in Pilot Program with One Economy

Family Travel at its Finest - European Villa Rentals Perfect for the Whole Family
Parents can easily find family friendly villa rentals in Europe with Rentvillas.com.

Internet Home Based Business : Legitimate Work at Home Jobs Opportunities and Advantages
There are many advantages involved in choosing an internet home based business as your primary or secondary source of income Use these benefits to find a legitimate work at home jobs that suits your needs and desires

The Best Internet Connection For A Top Home Internet Business
When it comes to working at your home business one of the most important things you will need is internet access Having a fast and relatively error free Internet connection is imperative for a person to be successful in working at home

New Home Based Travel Businesses and Training Available for Retirees and Work-At-Home Parents
Affordable training is now being offered for those wishing to set up their own home based travel businesses. Program offers participants everything they need to get started quickly and affordably in this exciting market.

Families Mourning Children Travel to Nashville for July Compassionate Friends National Conference
The Compassionate Friends self-help support organization for families going through the natural grieving process following the death of a child is hosting its 31st national conference July 18-20 in Nashville, Tennessee. More than 1300 parents, siblings, and grandparents, as well as professionals who provide support, are expected to attend the conference. Highlights include well-known speakers, more than 100 workshops covering most aspects of grief following the death, a pre-conference Professional Outreach Day, and the Walk to Remember Sunday July 20 at 8 a.m. This conference is annually the largest in the United States aimed specifically for those left behind following the death of a child.

SoGoNow.com -- Home of the Best Travel Article Written for the Internet in 2006
SoGoNow.com travel magazine announced that frequent contributor Linda Fasteson has won First Prize for the Best Travel Article Written for the Internet from The North American Travel Journalist Association.

Children's Home Society & Family Services Receives Reaccreditation to Once Again Facilitate Adoptions in Russia
Children's Home Society & Family Services, a Minnesota-based international adoption service provider, announced today it has been re-accredited by the Ministry of Education and Science of the Russian Federation to facilitate adoptions in that country.

Online Magazine is Home to the Best Travel Writing on the Internet
For the second year in a row, SoGoNow.com is the home to the best travel article written for the internet as judged by the North American Travel Journalist's Association.

Home Internet Business Opportunities: Reinvent Your Family
Think about your daily job, daily responsibilities, time spent at meetings, driving your kids to this activity and that sporting event, meal planning and preparation, house cleaning, on and on with our grossly busy lives, and what time is left for our family? Do you really think that 9-5 JOB is the answer to all of our hopes and dreams? Do you really think it was our personal goal to spend the majority of our lives at work? When was the last time you saw your son/daughter play in that school volleyball game or run in their cross country meet? Isn?t it time to put your family first?

Internet Marketing Business - Your Home Based Internet Marketing Business and the Freedom Attached with it
There are various reasons why there are many individuals who want to start their own home-based Internet marketing business. Some are saying that the amount of money that they are earning from Internet marketing is higher compared to their monthly salary from their regular work. It even comes to a point that they are earning money similar to or more than the salary of their managers and department heads! This is relatively true, since there are Internet marketers who are earning as much as a hundred thousands of dollars within a month.

Work At Home Internet Home Business Opportunity
There are various opportunities for work at home Internet home business opportunities on the Internet Because of the Internet, there are many opportunities for people to be able to take care of their families and work from home and as well

Family Circus - Make Time For Family With An Internet Business
Sometimes, it seems like you don?t have a full 24 hours in a day. Between work, family, and sleep, there is no time for anything else. You never seem to have five minutes to relax, and on days when work requires overtime, you lose time with your family. In fact, it seems you never spend quality time with your children anymore. One way to get your life back under your control and manage time better is to start your own internet business. With an online business opportunity, you can decrease your work hours overall, as well as become more flexible and available for your family.