Healthcare // Security & Privacy
News
12/5/2013
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Hacking Electronic Health Records

How a dangerous security flaw discovered in one of the most pervasive electronic medical record platforms in the U.S. was found and fixed before it could do damage.

Graduate student Doug Mackey was starting to wonder whether his research on the security of one of the nation's most ubiquitous electronic health records (EHR) software platforms was so interesting after all. A month of poking around for vulnerabilities in the simulated EHR system he had fashioned in a makeshift lab in his apartment hadn't turned up anything out of the ordinary in the code.

But then one day this spring, he spotted something in a second interface he was testing that shocked him: "It was very quickly obvious that it had no real security at all," says Mackey, a student in Georgia Tech's information security program. "I was quite surprised."

Mackey had discovered a major logic flaw in a key component of the code in the so-called VistaA (Veterans Health Information Systems and Technology Architecture) software, a platform originally built by the U.S. Veterans Administration for internal use at its hospitals and clinics, and later handed over to the open-source community to further its development and adoption across the entire health-care industry. It's one of the most widely adopted platforms for EHR in the country by VA and commercial hospitals and clinics, and it has also gained some traction overseas.

Read the rest of this article on Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TerryB
100%
0%
TerryB,
User Rank: Ninja
12/5/2013 | 1:49:58 PM
Re: More security needed
Yeah, 3rd party, middleware security solutions are the answer. Sure they are.

 

Go watch the old movie The Net and then come back and post some more on this. And, no, don't post about how Sandra Bullock is hottest programmer ever, if her character was real.
JABUSAMRA208
100%
0%
JABUSAMRA208,
User Rank: Apprentice
12/5/2013 | 9:55:43 AM
Re: hack
Good question, David. In the case of DrFirst, they've brought in some big guns from the medical and technology fields, but your question is very valid.
David F. Carr
100%
0%
David F. Carr,
User Rank: Author
12/5/2013 | 9:41:13 AM
Re: hack
This one was a government IT system and one that's been around for a while. I wonder if commercial products would be more or less vulnerable.
JABUSAMRA208
50%
50%
JABUSAMRA208,
User Rank: Apprentice
12/5/2013 | 9:07:20 AM
More security needed
With the proliferation of electronic health records, we will unfortunately be seeing more of these stories. Security will become increasingly important in the recording, storing and transferring of information. The private sector is becoming more attentive to this area. with companies like DrFirst providing robust solutions for securing not only health care information, but also for the communication among healh care providers.
Ariella
50%
50%
Ariella,
User Rank: Ninja
12/5/2013 | 8:57:52 AM
hack
This one was caught, but it does make you wonder about all the vulnerabilities that were not spotted before a hacker makes use of them.
Healthcare Data Breaches Cost More Than You Think
Healthcare Data Breaches Cost More Than You Think
Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.