what to do if your electronic health care records are compromised

Cloud Security, Electronic Healthcare Records, Governance & Risk Management

Electronic Health Records: Spotlighting Risks

Unsecured Cloud Server, Open-Source EHR Flaws Put Patient Information at Risk

Electronic health records can potentially be exposed in many ways. For instance, in one recent incident, information on thousands of patients was apparently left exposed in an unsecured cloud server. And in another, critical security vulnerabilities in an open-source EHR system put patients' data at risk.


Here's a look at each incident and experts' insights on lessons to learn.

Exposed EHR Data

News site TechCrunch reported on Monday that it found "thousands" of patient records exposed on the internet by nTreatment, a company that manages electronic records for doctors, including psychiatrists.

The records were in a cloud storage server hosted on Microsoft Azure containing 109,000 files, including lab test results, doctors' notes, insurance claims and other sensitive patient health data; the files were neither encrypted nor password-protected, TechCrunch reports.

The nTreatment data was secured on Monday after TechCrunch contacted the company. The company did not immediately respond to Information Security Media Group's request for comment.

Bigger Issues

The nTreatment incident "speaks to many recurring issues and shines a bright light on the bigger issue of information sharing," says former healthcare CIO David Finn, an executive vice president at privacy and security consultancy CynergisTek.

The incident "started with something as basic as a cloud server not being password-protected … and then none of the data was encrypted," he says.

"Not encrypting data in motion when you send it outside of your firewall is bad enough, but now, you are going to send it to someone to store and not require they encrypt it at rest."

To avoid misconfiguration mistakes, "you must have tools and/or processes that check to ensure that those settings are really set as you want and are functioning as intended," he says.

There's a misconception that systems can be moved or developed "in the cloud and everything is taken care of by the cloud provider," says Cathie Brown, a vice president at the consultancy Clearwater. "Nothing can be further from the truth. Cloud services have the same associated risks as on-premises environments."

EHR vendors must make security a business priority and employ services that can continuously test applications for security vulnerabilities, Brown says.

"This level of testing should go part of the DevOps and application lifecycle," she says.

In cloud environments, security controls such as strong passwords, multifactor authentication and account lockouts are critical, she says.

Open-Source EHR Flaws

In the other recent incident involving EHRs, four vulnerabilities were recently identified in OpenClinic version 0.8.2, health records management software developed by an open-source community on SourceForge, according to security research firm Bishop Fox Labs.

The vulnerabilities include insecure file upload, missing authentication, cross-site scripting and path traversal, Bishop Fox reports.

The most severe vulnerability is a missing authentication check on requests issued to the medical tests endpoint. "Anyone with the full path to a valid medical test file could access this information, which could lead to loss of PHI for any medical records stored in the application," Bishop Fox writes.

Researchers recently identified four vulnerabilities in OpenClinic's open-source EHR.

The firm adds that there is "no version of OpenClinic available that does not suffer from the identified vulnerabilities, and the recommendation is to switch to a different medical records management software."

OpenClinic did not immediately respond to ISMG's request for comment on the Bishop Fox findings.

Two EHRs With Same Name

Gerben Kleijn, senior security consultant at Bishop Fox, tells ISMG that there appear to be two unrelated medical records software packages both named "OpenClinic" on SourceForge.

In August, the Department of Homeland Security issued an advisory about 12 vulnerabilities contained in OpenClinic GA, a different open-source integrated hospital information management system that is not the subject of Bishop Fox's recent advisory (see: Alerts: Flaws in Ultrasound, Open-Source Hospital Systems).

SourceForge tells ISMG: "SourceForge is just a web host, and we have no affiliation or involvement with any open-source software hosted on our website. We do scan projects for malware, but those scans don't always identify every last security vulnerability."

'Significant Risk'

It appears that the OpenClinic software that is the subject of the Bishop Fox advisory gets downloaded regularly, about 1,000 times a year, Kleijn tells ISMG. "I don't believe that the software is widely used, but since it's a medical records program, I still think it's important to highlight its issues regardless of the size of its user base."

Bishop Fox says it was unable to reach OpenClinic during the vulnerability disclosure, so it's possible that the identified flaws will not be addressed, Kleijn says. "Migrating to a currently supported medical records program is recommended."

Users of OpenClinic should take two precautions to limit the risk associated with the vulnerabilities, he says: Restrict access only to users on the internal network, and configure a firewall to allow connections only from specific, trusted IP addresses.

If the identified vulnerabilities are not fixed, there will be significant risk to patient data for any organization currently using OpenClinic, he says. "The most severe allows an unauthenticated attacker to access patient medical test results."

If an organization is currently using OpenClinic and has it exposed to the internet, anyone could access medical data if they could successfully guess or brute-force the full URL, he adds.
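The two problems the advisory describes for the medical tests endpoint (a missing authentication check, and path handling that serves whatever file a URL names) and the network-restriction precaution Kleijn recommends can be seen side by side in a small model. The following is an added illustration, not OpenClinic's code and not material from Bishop Fox: a hypothetical file-serving endpoint written in the pattern the advisory describes, beside a hardened version that enforces a network allowlist, a session check, path canonicalisation and per-record authorization. The trusted networks, session table, record access list, file names and on-disk layout are all constructed for the demo.

```python
"""Hypothetical 'medical test file' endpoint: the unauthenticated pattern the
advisory describes beside a hardened version.  Not OpenClinic's code."""
import ipaddress
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Tuple

# Constructed values for the demo.  A real deployment would take these from
# its firewall policy, session store and authorization model.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]
ACTIVE_SESSIONS = {"session-token-constructed": "dr_example"}   # token -> user
RECORD_ACL = {"12345.pdf": {"dr_example"}}  # record -> users allowed to read it


@dataclass
class Request:
    path: str                          # e.g. "/tests/12345.pdf"
    client_ip: str
    session_token: Optional[str] = None


Response = Tuple[int, bytes]          # (HTTP status, body)


def vulnerable_get_test_file(req: Request, root: Path) -> Response:
    """The pattern described in the advisory: whoever knows the full path to a
    valid file gets it.  No session check, and because the path is joined to the
    storage root without canonicalisation, '..' segments escape the directory."""
    candidate = root / req.path.lstrip("/")
    if candidate.is_file():
        return 200, candidate.read_bytes()
    return 404, b""


def hardened_get_test_file(req: Request, root: Path) -> Response:
    """Same endpoint with the checks applied in order, cheapest first."""
    # 1. Network allowlist: the firewall precaution, enforced in-app as well.
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return 400, b""
    if not any(ip in net for net in TRUSTED_NETWORKS):
        return 403, b""
    # 2. Authentication: the request must carry a live session.
    user = ACTIVE_SESSIONS.get(req.session_token or "")
    if user is None:
        return 401, b""
    # 3. Path canonicalisation: the resolved file must sit under tests/.
    if not req.path.startswith("/tests/"):
        return 404, b""
    tests_dir = (root / "tests").resolve()
    candidate = (tests_dir / req.path[len("/tests/"):]).resolve()
    if tests_dir not in candidate.parents:
        return 400, b""
    # 4. Authorization: knowing a record's name is not permission to read it.
    if user not in RECORD_ACL.get(candidate.name, set()):
        return 403, b""
    if not candidate.is_file():
        return 404, b""
    return 200, candidate.read_bytes()


def build_demo_store() -> Path:
    """Constructed on-disk layout: one test result under tests/, one file outside it."""
    root = Path(tempfile.mkdtemp())
    (root / "tests").mkdir()
    (root / "tests" / "12345.pdf").write_bytes(b"constructed lab result")
    (root / "outside.txt").write_bytes(b"should never be served")
    return root


if __name__ == "__main__":
    store = build_demo_store()
    anonymous = Request("/tests/12345.pdf", "203.0.113.5")
    traversal = Request("/tests/../outside.txt", "203.0.113.5")
    print("vulnerable, anonymous request:", vulnerable_get_test_file(anonymous, store)[0])
    print("vulnerable, '..' in path:     ", vulnerable_get_test_file(traversal, store)[0])
    print("hardened, anonymous request:  ", hardened_get_test_file(anonymous, store)[0])
```

The ordering matters for the point the article makes: the vulnerable handler answers the single question "does this file exist?", so any URL that can be guessed is a disclosure. The hardened handler answers four questions, and the network allowlist in step 1 is only a second layer behind the firewall rule Kleijn describes, not a substitute for it. Step 4 is the one most often forgotten after authentication is added: a logged-in user should still only see the records they are entitled to.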

Extra Diligence Needed

Extra security diligence is required when using open-source software, Brown says. "This is particularly true in the case of patient information and EHR functionality.

"Open-source systems that require high levels of security and privacy are going to be riskier propositions than commercial products sold and supported by one organization. Frankly, in regulated industries, you do not see open-source systems being used with critical information or operations. You will see open-source components where it makes sense, but few organizations put their core business on open-source systems."


Source: https://www.healthcareinfosecurity.com/electronic-health-records-spotlighting-risks-a-15525
