Electronic Health Record Security Analysis
In British Columbia:
When Auditor-General John Doyle and his staff investigated the security of electronic record-keeping at the Vancouver Coastal Health Authority, they found trouble everywhere they looked.
“In every key area we examined, we found serious weaknesses,” wrote Doyle. “Security controls throughout the network and over the database were so inadequate that there was a high risk of external and internal attackers being able to access or extract information without the authority even being aware of it.”
[…]
“No intrusion prevention and detection systems exist to prevent or detect certain types of [online] attacks. Open network connections in common business areas. Dial-in remote access servers that bypass security. Open accounts existing, allowing health care data to be copied even outside the Vancouver Coastal Health Care authority at any time.”
More than 4,000 users were found to have access to the records in the database, many of them at a far higher level than necessary.
[…]
“Former client records and irrelevant records for current clients are still accessible to system users. Hundreds of former users, both employees and contractors, still have access to resources through active accounts, network accounts, and virtual private network accounts.”
While this report is from Canada, the same issues apply to any electronic patient record system in the U.S. What I find really interesting is that the Canadian government actually conducted a security analysis of the system, rather than just maintaining that everything would be fine. I wish the U.S. would do something similar.
The report, “The PARIS System for Community Care Services: Access and Security,” is here.
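The two findings quoted above, hundreds of still-active accounts belonging to former employees and contractors and users holding access well above what their job requires, are exactly what a periodic access review is meant to catch. As an added example, not taken from the auditor's report or the PARIS system, the following Python script reconciles exported account lists against an HR roster and flags both conditions. The roster, the account export, the role-to-privilege policy and the system names are all constructed for illustration.

```python
"""
Reconcile account inventories against an HR roster to flag two classes of
finding: enabled accounts with no active owner (departed staff, unknown
owners) and database accounts holding more privilege than the owner's role
needs.  Added example; every record below is constructed, not real data.
"""
from dataclasses import dataclass

# Constructed HR roster: who should currently have access, and in what role.
HR_ROSTER = {
    "e1001": {"name": "Alice", "status": "active",     "role": "clinician"},
    "e1002": {"name": "Bob",   "status": "active",     "role": "clerk"},
    "e1003": {"name": "Carol", "status": "terminated", "role": "clinician"},
    "c2001": {"name": "Dave",  "status": "active",     "role": "contractor"},
    "c2002": {"name": "Eve",   "status": "terminated", "role": "contractor"},
}

# Assumed policy: the highest database privilege each role legitimately needs.
PRIVILEGE_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}
ROLE_MAX_PRIVILEGE = {"clinician": "write", "clerk": "read",
                      "contractor": "read", "dba": "admin"}

# Constructed account export: one row per account across network, VPN and
# database systems, each tagged with the HR id of its supposed owner.
ACCOUNTS = [
    {"system": "network",  "owner": "e1001", "account": "alice",   "enabled": True,  "privilege": "none"},
    {"system": "database", "owner": "e1001", "account": "alice",   "enabled": True,  "privilege": "admin"},
    {"system": "database", "owner": "e1002", "account": "bob",     "enabled": True,  "privilege": "read"},
    {"system": "network",  "owner": "e1003", "account": "carol",   "enabled": True,  "privilege": "none"},
    {"system": "vpn",      "owner": "c2002", "account": "eve-vpn", "enabled": True,  "privilege": "none"},
    {"system": "vpn",      "owner": "x9999", "account": "svc-old", "enabled": True,  "privilege": "none"},
    {"system": "database", "owner": "c2001", "account": "dave",    "enabled": False, "privilege": "write"},
]


@dataclass(frozen=True)
class Finding:
    kind: str      # "orphan" or "overprivileged"
    system: str
    account: str
    detail: str


def find_orphaned_accounts(accounts, roster):
    """Enabled accounts whose owner is missing from HR or no longer active."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are a cleanup item, not an exposure
        person = roster.get(acct["owner"])
        if person is None:
            detail = f"owner {acct['owner']} not in HR roster"
        elif person["status"] != "active":
            detail = f"owner {person['name']} is {person['status']}"
        else:
            continue
        findings.append(Finding("orphan", acct["system"], acct["account"], detail))
    return findings


def find_overprivileged_accounts(accounts, roster, role_max=ROLE_MAX_PRIVILEGE):
    """Enabled database accounts whose privilege exceeds the owner's role ceiling."""
    findings = []
    for acct in accounts:
        if not acct["enabled"] or acct["system"] != "database":
            continue
        person = roster.get(acct["owner"])
        if person is None or person["status"] != "active":
            continue  # already reported as an orphan; no role to compare against
        allowed = role_max.get(person["role"], "none")
        if PRIVILEGE_RANK[acct["privilege"]] > PRIVILEGE_RANK[allowed]:
            detail = f"{person['role']} needs at most {allowed}, has {acct['privilege']}"
            findings.append(Finding("overprivileged", acct["system"], acct["account"], detail))
    return findings


def access_review(accounts, roster):
    """Run both checks and return findings grouped by kind."""
    return {
        "orphan": find_orphaned_accounts(accounts, roster),
        "overprivileged": find_overprivileged_accounts(accounts, roster),
    }


if __name__ == "__main__":
    for kind, items in access_review(ACCOUNTS, HR_ROSTER).items():
        print(f"{kind}: {len(items)}")
        for f in items:
            print(f"  [{f.system}] {f.account}: {f.detail}")
```

On the constructed data this reports three orphaned accounts (two for terminated staff, one with an owner nobody in HR can vouch for) and one over-privileged database account. In practice the same reconciliation is run against real exports (directory users, VPN concentrator accounts, database grants) and the HR system of record, and the owner link is the part most often missing, which is why the unknown-owner case is flagged rather than silently skipped.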
John • March 23, 2010 1:34 PM
and in the UK there will be the NHS National Data Spine containing summary records. I wonder if that’s been looked at from a security point of view. IIRC BT are involved in one of the consortia