Electronic health record systems remain vulnerable to security risks despite advances in developing certification processes for EHR systems, according to a 15-month study by the eHealth Vulnerability Reporting Program, Healthcare IT News reports.
The researchers surveyed more than 850 provider organizations and tested seven EHR systems, including five that had been certified by the Certification Commission for Healthcare IT. The study evaluated current industry information practices and benchmarked health data security practices against other industries.
The study found that:
Product certifications do not address application hardening or known vulnerability reporting but help evaluate functionality, interoperability and security capabilities (Monegain, Healthcare IT News, 9/17);
EHR vulnerabilities could be identified using standard tools and techniques; and
EHR vendors either are not disclosing or are inadequately disclosing vulnerabilities to customers, preventing organizations from appropriately managing risks or adopting controls.
In addition, researchers could not identify an organization that has established guidelines to appropriately manage risks associated with EHR systems, prompting the conclusion that no organization has the responsibility, charter or mission to address security vulnerabilities in EHR systems (eHVRP press release, 9/17). The study advocated security enhancements to EHR products and strategies to manage the risk of privacy breaches (Healthcare IT News, 9/17).