Information in electronic health-record systems remains vulnerable, according to a 15-month study assessing EHR security.
The eHealth Vulnerability Reporting Program found commercial EHR systems can be exploited given existing industry development and disclosure practices, and said more steps must be taken to protect data stored in them.
The EHR systems assessed during the study could be accessed, and personal information obtained, using standard tools and techniques. The study did not find any specific industry organization that has the responsibility to address security vulnerabilities, or that has established guidelines to manage risks associated with electronic health systems. In addition, vendors are inadequately disclosing system vulnerabilities to customers.
"The industry is investing in, and relying heavily on, the promise that these systems offer through improvements in quality and efficiency of care. As such, we must take every measure possible to protect these systems, avoid any disruption in their use and to ensure consumer confidence is maintained," Robert Mandel, vice president of healthcare services for Blue Cross and Blue Shield of Massachusetts and eHVRP board member, said in a news release.
The Dallas-based reporting program is a collaborative of healthcare industry organizations, technology companies and security professionals that seeks to establish guidelines that ensure EHR systems are used with high levels of privacy and security. The study surveyed 850 provider organizations and tested seven EHR systems.