Shellshock & Why EHRs Need Updating - InformationWeek

Healthcare // Security & Privacy
Commentary
10/22/2014
09:06 AM
Shellshock & Why EHRs Need Updating

Nearly half of all security breaches occur in healthcare, and outdated medical records systems make data more vulnerable. An up-to-date EHR system can help solve security concerns, save money, and improve patient care.

Healthcare IT systems are ripe for security breaches. Medical records are especially data-rich, and thus are coveted in the circles within which stolen information is circulated. As a point of comparison, while the going rate for an illegally obtained credit card number is a few dollars, a stolen medical record can frequently be sold for upwards of $50.

There is incentive for attacks on health records systems, and they happen frequently. In 2013, 43.8% of security breaches occurred in healthcare, according to the Identity Theft Resource Center. Considering that compromised health data can lead to not only identity theft, but also to misdiagnosis as a result of inaccurate medical records, the stakes are high.

But healthcare IT systems are especially at risk, for several reasons. For starters, many of them are old. Most were installed between 1998 and 2005. Over the years, these systems have been updated and redesigned to keep them functional. But as edits are layered on over time, a system becomes more architecturally complex and loses coherence, filling with spaghetti code. Patching a wobbly system that has been accumulating revisions for 16 years is difficult. Changing one part of the code will inevitably affect the rest of the system in ways that are frequently unpredictable, sometimes devastating, and always frustrating.


It seems that a new security threat emerges every day. To name a few issues that have made recent headlines, Heartbleed wrought havoc in July, affecting healthcare organizations. Just a few weeks ago, Shellshock, a vulnerability in the Bash shell used regularly in Unix-based systems, was exposed -- this vulnerability enables potential perpetrators to craft malicious code that can then be used to gain control of an affected server. The Health Information Trust Alliance reported that the Bash/Shellshock vulnerability should be a major concern for healthcare providers.

Staying up to date on security is an enormously stressful undertaking for any organization. However, healthcare IT systems have additional burdens. There are government-mandated meaningful use criteria to meet, for example. Also, healthcare organizations are expected to have adopted ICD-10 diagnostic criteria by this month -- despite the fact that only 17% of organizations report that doing so is a priority.

It's a major problem. Where should healthcare organizations target their focus? Which comes first: updates to ensure patient security or updates to systems that will improve patient outcomes? It's an unwinnable predicament; a Sophie's choice.

Truthfully, the solution to the security problem is the same as the solution to meeting meaningful use criteria (and it'll even fix your ICD-10 problem): Get a new, up-to-date, medical records system.

The price tag is steep: Kaiser Permanente's system, for example, cost approximately $4 billion. But before you dismiss or postpone the idea, consider the savings in other areas:

  • Saving programmer time: A new system should be more architecturally coherent and free from the code-bloat that older systems have acquired. This not only makes it easier to patch security threats, it also simplifies patching any kind of issue. This can save substantial amounts of time for programmers by reducing the debugging they need to do, leaving them free to develop new features, customize a system to an organization, or keep a system up-to-date with meaningful use criteria.
  • Meeting criteria: Newer systems are equipped to meet meaningful use criteria and require less revision to do so. Sure, there's a customization process when working with the vendor to install a new system, but a new system is much closer to the end goal than a system from 1998.
  • Improving patient outcomes: Last month, I wrote about the value of electronic medical records systems, and the ways in which EHRs can improve treatment and patient outcomes. Sharing patients' health records with them (as specified in the second-stage meaningful use criteria) reduces the potential for misdiagnosis and increases patient engagement.

Of course, the barriers to updating electronic health records remain: It will be expensive, time-consuming, and difficult to update the surrounding infrastructure. However, improvements in this area will lead to invaluable gains for both payers and providers. Updating sooner rather than later is an important solution for security concerns.


Michael A.M. Davies is founder and chairman of Endeavour Partners, a strategy consulting firm specializing in mobile and digital technology. For 25 years, he has worked with telcos, device manufacturers, service providers, infrastructure ...
Comments
Gary Scott, User Rank: Moderator
11/4/2014 | 6:26:49 PM
Most healthcare IT systems were installed between 1998 and 2005.
A large wave of information will be at risk when healthcare providers finally dispose of their old IT equipment. The equipment will have no value, but the information stored on the hard drives will still be worth $50 per record.

Remember to destroy old hard drives before recycling the old equipment. HIPAA requirements don't stop when you give equipment to a recycling company.