Aneesh Chopra, America’s first Chief Technology Officer and member of the SMART Platforms Advisory Committee, has published a new book called Innovative State: How New Technologies Can Transform Government. The SMART Project’s kickoff ITdotHealth meeting in 2009 is among the formative events he describes in Chapter 4, “Opening the Playbook.” Here he is seen with Ken Mandl at the Harvard Book Store, where he discussed the book on May 21. A video of the talk is provided by WGBH.
Our new advisory committee, made up of member organizations with strategic interest in transforming how the healthcare enterprise uses data, will play a critical role in guiding the SMART Platform toward broad adoption and use.
Last week I reported on a set of security vulnerabilities that affected multiple EHR vendors and other Health IT systems.
I initially discovered the vulnerability in a single Web-based EHR system and successfully reported it directly to that vendor.
But my subsequent journey into the world of EHR vulnerability reporting left me deeply concerned that our EHR vendors do not have mature reporting systems in place. Patient health data are among the most personal, sensitive aspects of our online presence. They offer an increasingly high-value target for identity theft, blackmail, and ransom. It’s time for EHR vendors to take a page from the playbook of consumer tech companies by instituting the same kinds of security vulnerability reporting programs that are ubiquitous on the consumer Web.
I’ll lead with the key message here, and provide supporting evidence below: HL7 and EHR vendors need to institute security vulnerability reporting programs!
Continue reading “Disturbing state of EHR Security Vulnerability Reporting”
For background, see my previous blog post describing the details of three security vulnerabilities in C-CDA Display using HL7’s CDA.xsl.
Last month I discovered a set of security vulnerabilities in a well-known commercial EHR product that I’ll pseudonymously call “Friendly Web EHR”. Here’s the story…
I was poking around my account in Friendly Web EHR, examining MU2 features like C-CDA display and Direct messaging. I used the “document upload” feature to upload some C-CDAs from SMART’s Sample C-CDA Repository. At the time, I was curious about the user experience. (Specifically, I was bemoaning how clunky the standard XSLT-based C-CDA rendering looks.) I wondered how the C-CDA viewer was embedded into the EHR. Was it by direct DOM insertion? Inline frames? I opened up Chrome Developer Tools to take a look.
Continue reading “Case study: security vulnerabilities in C-CDA display”
TL;DR: If you’re using XSLT stylesheets to render C-CDAs in your EHR, make sure you understand the security implications. Otherwise you could be vulnerable to a data breach.
This blog post describes security issues that have affected well-known 2014 Certified EHRs.. Please note that I’ve already shared this information privately with the Web-based EHR vendors I could identify, and I’ve waited until they were able to investigate the issues and (if needed) repair their systems.
Last month I observed a set of security vulnerabilities in XSLT “stylesheets” used to display externally-supplied C-CDA documents in many EHRs. To be specific: the CDA.xsl stylesheet provided by HL7 (which has been adopted by many EHR vendors) can leave EHRs vulnerable to attacks by maliciously-composed documents.
Continue reading “Security vulnerabilities in C-CDA Display using CDA.xsl”
InformationWeek Healthcare, February 25, 2014 — Mark Braunstein
We’ve seen health informatics booms and busts before — will this one be different?
I’ve been attending HIMSS for decades, and in my view, the exhibit hall is the place to get a true pulse of the industry and the field in general. Over the years we’ve seen booms and busts. I remember HIMSS in my hometown of Atlanta during the heyday of health information exchange in the 90s, when the regional phone companies (remember them?) had huge exhibits touting their entry into the health informatics space…
Healthcare Informatics, February 19, 2014 — David Raths
A New HL7 Draft Standard May Boost Web Services Development
Standards development work in healthcare is a challenging, often thankless task, and definitely more of a marathon than a sprint. It isn’t often that a proposed standard garners genuine enthusiasm among people working on interoperability issues, but that is what is happening with HL7 Fast Healthcare Interoperability Resources (FHIR)…
Last week I received an e-mail asking how FHIR expresses Uncertainty and Negation. It was a general inquiry, but also asked how FHIR might express a specific clinical statement like “Intolerant to opiods, no known other medication ADEs, and no known environmental/food allergens”.
Here’s what I said…
Continue reading “How does FHIR express uncertainty and negation?”
The winner of the 2011 SMART Apps for Health Challenge is in the spotlight once again.
Polyglot Systems’ medication instruction app, Meducation, was implemented at UConn Health Center in March 2013. By August the software had significantly improved patient satisfaction scores on certain HCAHPS measures, according to a report in BioPortfolio.
Now UConn’s own news site, UConn Today, features a video of hospitalist Dr. Wendy Miller describing in further detail how valuable the app has been to patients and caregivers at the center.
SMART, i2b2, and other open-source technologies made possible by the federal $48B investment in health IT will soon be used as the foundation of SCILHS: the Scalable Collaborative Infrastructure for a Learning Health System. Read the full report from the Harvard Medical School news office.
Based at Harvard Medical School and operating out of 10 health care sites from Massachusetts to Texas, SCILHS will be one of 29 networks in the national Patient-Centered Clinical Research Network (PCORnet). Pictured below are members of the network who made it through the snow to attend the official kickoff meeting held January 22–23 in Washington, D.C.
You must be logged in to post a comment.