News

Disturbing state of EHR Security Vulnerability Reporting

Last week I reported on a set of security vulnerabilities that affected multiple EHR vendors and other Health IT systems.

I initially discovered the vulnerability in a single Web-based EHR system and successfully reported it directly to that vendor.

But my subsequent journey into the world of EHR vulnerability reporting left me deeply concerned that our EHR vendors do not have mature reporting systems in place. Patient health data are among the most personal, sensitive aspects of our online presence. They offer an increasingly high-value target for identity theft, blackmail, and ransom. It’s time for EHR vendors to take a page from the playbook of consumer tech companies by instituting the same kinds of security vulnerability reporting programs that are ubiquitous on the consumer Web.

HL7 and EHR Vendors must address security reporting

I’ll lead with the key message here, and provide supporting evidence below: HL7 and EHR vendors need to institute security vulnerability reporting programs!

Case study: security vulnerabilities in C-CDA display

For background, see my previous blog post describing the details of three security vulnerabilities in C-CDA Display using HL7’s CDA.xsl.

Last month I discovered a set of security vulnerabilities in a well-known commercial EHR product that I’ll pseudonymously call “Friendly Web EHR”. Here’s the story…

The story: discovery and reporting

I was poking around my account in Friendly Web EHR, examining MU2 features like C-CDA display and Direct messaging. I used the “document upload” feature to upload some C-CDAs from SMART’s Sample C-CDA Repository. At the time, I was curious about the user experience. (Specifically, I was bemoaning how clunky the standard XSLT-based C-CDA rendering looks.) I wondered how the C-CDA viewer was embedded into the EHR. Was it by direct DOM insertion? Inline frames? I opened up Chrome Developer Tools to take a look.

Security vulnerabilities in C-CDA Display using CDA.xsl

TL;DR: If you’re using XSLT stylesheets to render C-CDAs in your EHR, make sure you understand the security implications. Otherwise you could be vulnerable to a data breach.

This blog post describes security issues that have affected well-known 2014 Certified EHRs. Please note that I’ve already shared this information privately with the Web-based EHR vendors I could identify, and I’ve waited until they were able to investigate the issues and (if needed) repair their systems.

Last month I observed a set of security vulnerabilities in XSLT “stylesheets” used to display externally-supplied C-CDA documents in many EHRs. To be specific: the CDA.xsl stylesheet provided by HL7 (which has been adopted by many EHR vendors) can leave EHRs vulnerable to attacks by maliciously-composed documents.

HIMSS14: Health IT’s Next Boom Cycle

InformationWeek Healthcare, February 25, 2014 — Mark Braunstein
We’ve seen health informatics booms and busts before — will this one be different?
I’ve been attending HIMSS for decades, and in my view, the exhibit hall is the place to get a true pulse of the industry and the field in general. Over the years we’ve seen booms and busts. I remember HIMSS in my hometown of Atlanta during the heyday of health information exchange in the 90s, when the regional phone companies (remember them?) had huge exhibits touting their entry into the health informatics space…

Top Ten Tech Trends: Catching FHIR

Healthcare Informatics, February 19, 2014 — David Raths
A New HL7 Draft Standard May Boost Web Services Development
Standards development work in healthcare is a challenging, often thankless task, and definitely more of a marathon than a sprint. It isn’t often that a proposed standard garners genuine enthusiasm among people working on interoperability issues, but that is what is happening with HL7 Fast Healthcare Interoperability Resources (FHIR)…

How does FHIR express uncertainty and negation?

Last week I received an e-mail asking how FHIR expresses Uncertainty and Negation. It was a general inquiry, but also asked how FHIR might express a specific clinical statement like “Intolerant to opioids, no known other medication ADEs, and no known environmental/food allergens”.

Here’s what I said…

UConn Health Video Vouches for Value of Meducation

The winner of the 2011 SMART Apps for Health Challenge is in the spotlight once again.

Polyglot Systems’ medication instruction app, Meducation, was implemented at UConn Health Center in March 2013. By August the software had significantly improved patient satisfaction scores on certain HCAHPS measures, according to a report in BioPortfolio.

Now UConn’s own news site, UConn Today, features a video of hospitalist Dr. Wendy Miller describing in further detail how valuable the app has been to patients and caregivers at the center.

The Power of Shared Data

SMART, i2b2, and other open-source technologies made possible by the federal $48B investment in health IT will soon be used as the foundation of SCILHS: the Scalable Collaborative Infrastructure for a Learning Health System. Read the full report from the Harvard Medical School news office.

Based at Harvard Medical School and operating out of 10 health care sites from Massachusetts to Texas, SCILHS will be one of 29 networks in the national Patient-Centered Clinical Research Network (PCORnet). Pictured below are members of the network who made it through the snow to attend the official kickoff meeting held January 22–23 in Washington, D.C.

PCORnet Kickoff Attendees

C-CDA Endoscopy, or Improving Clinical Document Exchange

By David Kreda and Joshua Mandel

2014 will see wide-scale production and exchange of Consolidated CDA documents among healthcare providers. Indeed, live production of C-CDAs is already underway for anyone using a Meaningful Use 2014 certified EHR. C-CDA documents fuel several aspects of meaningful use, including transitions of care and patient-facing download and transmission.

This impending deluge of documents represents a huge potential for interoperability, but it also presents substantial technical challenges. We forecast these challenges with unusual confidence because of what we learned during the SMART C-CDA Collaborative, an eight-month project conducted with 22 EHR and HIT vendors.

PCORI Award Will Support SMART/i2b2 Efforts Toward a Learning Health System

The Patient-Centered Outcomes Research Institute (PCORI) announced today that it will fund an exciting new venture for SMART and collaborators. The Scalable Collaborative Infrastructure for a Learning Health System—SCILHS (pronounced “Skills”)—will use SMART-enabled i2b2 at the following ten sites to help build a National Patient-Centered Clinical Research Network:
