Microsoft researchers will release a report at a security conference next month that details vulnerabilities in EMRs at more than 200 top US hospitals, according to industry publication Network World.
The advance information on the study indicates that four different types of attack were able to evade the encryption found in many of the EMR systems on the market. The vulnerable systems use a CryptDB-based information storage system that provides fast searches and easier inclusion of legacy data from prior record systems, according to Network World.
The report indicates that the risk comes when EMRs decrypt data so that it can be used and store it in memory. In this state, hackers with access to the system can steal “an alarming amount of sensitive information,” the report warns. One research “attack” accessed information on 80% of the patients at 95% of the 200 hospitals targeted.
The warning comes at a time when healthcare organizations have been hit with increasing data breaches. It is potentially troubling because many hospitals and healthcare groups have looked to EMR encryption as a way of protecting health information for HIPAA compliance purposes. After healthcare executives have spent billions of dollars on these systems, this study is now calling into question whether CryptDB and similar methods of encryption and access should even be used in EMRs.
Comment: There are certain truisms about encryption and other security approaches: the first is that convenience and security are mutually exclusive goals; the second is that security has to be constantly evolving to respond to increasing threats because the bad guys will never give up; and the third is that the weakest link in your security is human error.