September 17, 2007 1:58 PM PDT

Study finds electronic health records vulnerable


The results of a fifteen-month study assessing the time to patch software associated with electronic health record (EHR) systems were published today by the eHealth Vulnerability Reporting Program. The program is a collaboration of health care industry organizations, technology companies and security professionals that is attempting to establish best practices, within the emerging field of electronic health records, for the adoption of and reliance on eHealth systems, including electronic medical records (EMR), picture archiving and communication systems (PACS), and medical devices. The 39-page report found much room for improvement.

It's one thing to have your credit card information compromised--that can be replaced. It's another to have your health history hacked and made public. The report focused mainly on how medical equipment providers currently disclose vulnerabilities to customers, preventing hospitals and doctors from appropriately managing risk.

The amount of time between when an eHealth vendor is notified of a vulnerability and when that vulnerability is patched exceeded the time to patch for mainstream application software. For example, one medical application in the study remained unpatched after 2,211 days; another was 384 days and counting. By comparison, Brian Krebs of The Washington Post found that the time to patch for Microsoft Internet Explorer was only 284 days.

No one organization has purview over vulnerabilities in eHealth applications, the report found. Organizations such as the Certification Commission for Healthcare Information Technology (CCHIT) and the Healthcare Information Technology Standards Panel (HITSP) offer general security practices and standards, but no assessment of risks associated with reported (or unreported "zero day") threats.

The eHealth Vulnerability Reporting Program would like to see eHealth vendors collaborate with security software vendors to establish ethical testing and reporting, along with better disclosure, vendor certification and, of course, more public education about the problem.

Health Care's reliance on Microsoft products partly to blame.
by Microsoft_Facts September 17, 2007 5:11 PM PDT
Health care knows that without biodiversity a single virus can wipe out an entire species. Yet health care IT in the US is nearly 100% reliant on Microsoft technologies. Nearly all practice management applications run on MSDE or SQL databases; those that do not still require Microsoft clients. Many insurance web sites are written with non-standard code that only works with IE. Until this changes, health care IT systems will always be vulnerable compared to non-MS systems.
The EHVRP report is inaccessible
by arshadnoor January 8, 2008 1:51 PM PST
The 39-page report referenced in the article is inaccessible. How does one get the report? Thanks.