Patient data stored in existing electronic health record (EHR) systems isn't very secure, according to new reports from the HHS Office of Inspector General (OIG). In an audit of seven different hospitals, the OIG uncovered 151 "vulnerabilities," of which 124 were determined to be "high impact." That term means the vulnerabilities could result in costly losses of tangible assets, may significantly harm an organization's reputation, and may even cause injury or death to patients.
While the OIG did not reveal the identities of the seven hospitals audited, it did reveal that they were located in California, Georgia, Illinois, Massachusetts, Missouri, New York and Texas. No physician practices were included in the audit, although the vulnerabilities could easily apply to EHR systems used by practices.
Here's a sampling of the "high-impact" problems the OIG uncovered at the hospitals:
- Unprotected wireless networks
- Outdated or missing antivirus software
- Data stored on portable devices and media (e.g., thumb drives, CDs, DVDs) that were not encrypted
- Lack of vendor support for the operating systems (e.g., Windows, Macintosh, Linux) in use
- Lack of system event logging or review
- Shared user accounts
- Users on computer systems given too much access and administrative rights
The OIG has published a separate report with a list of recommendations for the HHS Office of the National Coordinator for Health Information Technology (ONC), which it says should be implemented via additional rulemaking. The ONC has apparently "concurred" with the recommendations, so this could pave the way for new health information technology compliance rules.