Healthcare // Security & Privacy
News
12/5/2013
08:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%
Repost This

Hacking Electronic Health Records

How a dangerous security flaw discovered in one of the most pervasive electronic medical record platforms in the U.S. was found and fixed before it could do damage.

Graduate student Doug Mackey was starting to wonder whether his research on the security of one of the nation's most ubiquitous electronic health records (EHR) software platforms was so interesting after all. A month of poking around for vulnerabilities in the simulated EHR system he had fashioned in a makeshift lab in his apartment hadn't turned up anything out of the ordinary in the code.

But then one day this spring, he spotted something in a second interface he was testing that shocked him: "It was very quickly obvious that it had no real security at all," says Mackey, a student in Georgia Tech's information security program. "I was quite surprised."

Mackey had discovered a major logic flaw in a key component of the code in the so-called VistaA (Veterans Health Information Systems and Technology Architecture) software, a platform originally built by the U.S. Veterans Administration for internal use at its hospitals and clinics, and later handed over to the open-source community to further its development and adoption across the entire health-care industry. It's one of the most widely adopted platforms for EHR in the country by VA and commercial hospitals and clinics, and it has also gained some traction overseas.

Read the rest of this article on Dark Reading.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TerryB
100%
0%
TerryB,
User Rank: Ninja
12/5/2013 | 1:49:58 PM
Re: More security needed
Yeah, 3rd party, middleware security solutions are the answer. Sure they are.

 

Go watch the old movie The Net and then come back and post some more on this. And, no, don't post about how Sandra Bullock is hottest programmer ever, if her character was real.
JABUSAMRA208
100%
0%
JABUSAMRA208,
User Rank: Apprentice
12/5/2013 | 9:55:43 AM
Re: hack
Good question, David. In the case of DrFirst, they've brought in some big guns from the medical and technology fields, but your question is very valid.
David F. Carr
100%
0%
David F. Carr,
User Rank: Author
12/5/2013 | 9:41:13 AM
Re: hack
This one was a government IT system and one that's been around for a while. I wonder if commercial products would be more or less vulnerable.
JABUSAMRA208
50%
50%
JABUSAMRA208,
User Rank: Apprentice
12/5/2013 | 9:07:20 AM
More security needed
With the proliferation of electronic health records, we will unfortunately be seeing more of these stories. Security will become increasingly important in the recording, storing and transferring of information. The private sector is becoming more attentive to this area. with companies like DrFirst providing robust solutions for securing not only health care information, but also for the communication among healh care providers.
Ariella
50%
50%
Ariella,
User Rank: Ninja
12/5/2013 | 8:57:52 AM
hack
This one was caught, but it does make you wonder about all the vulnerabilities that were not spotted before a hacker makes use of them.
Healthcare Data Breaches Cost More Than You Think
Healthcare Data Breaches Cost More Than You Think
Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.