EHR Vendors' Disclosures Are Latest Security Risk RemindersQRS Inc. Reports Patient Portal Hack; Philips Reveals TASY EMR Security Flaws
A recent large hacking incident and a separate vulnerability disclosure involving two different vendors' products related to electronic health records serve as the latest reminders of the potential risks these systems can pose to patients' protected health information.
Tennessee-based QRS Inc., vendor of the Paradigm practice management and electronic health records systems, on Oct. 22 reported to the Department of Health and Human Services a hacking IT incident involving a patient portal server affecting nearly 320,000 individuals' PHI.
Meanwhile, in a separate development, medical technology vendor Philips Healthcare and the Cybersecurity and Infrastructure Security Agency on Thursday each issued security advisories concerning two SQL vulnerabilities identified in the Philips TASY Electronic Medical Record HTML5 system, versions 3.06.1803 and prior.
The Philips EMR vulnerabilities, if exploited, pose risks to patient data confidentiality, the advisories say.
The two situations "are another reminder of how vulnerable the entire healthcare system is from the standpoint of cybersecurity," says George Jackson, a senior principal consultant at privacy and security consultancy Clearwater.
"One is an example of a serious vulnerability requiring a proactive announcement in the efforts to try to avoid exploitation. The other is an example of the aftermath of a successful exploitation," he says.
"The ones I worry about most are the vulnerabilities and exploitations we don’t know about."
In a breach notification statement, QRS notes that it hosts the electronic patient portal for certain healthcare providers, and it discovered on Aug. 26 that an attacker had accessed a single QRS-dedicated patient portal server from Aug. 23 to Aug. 26.
Upon discovering the attack, QRS says it immediately took the server offline, began an investigation and notified law enforcement authorities.
The investigation determined that the attacker may have acquired personal information stored on that specific server, including patients' names, addresses, dates of birth, Social Security numbers, patient identification numbers, portal usernames and/or medical treatment or diagnosis information, QRS says.
"This attack did not involve any other QRS systems or the systems of any of QRS’s clients," the company says.
QRS says there is no indication of identity theft or fraud occurring as a result of the incident. The company's breach notification statement does not indicate whether QRS is offering affected individuals complimentary credit and identity monitoring.
QRS did not immediately respond to Information Security Media Group's request for additional details about the data breach.
Other Hacking Incidents
QRS is among the latest providers of practice management, electronic health records and related healthcare supply chain software to report recent major breaches involving a hacking incident (see: PHI 'May Have Been Removed' In Vendor's Ransomware Attack).
In May, San Antonio-based CaptureRx, which provides healthcare technology and administrative services to hundreds of U.S. hospitals and others, reported a breach affecting more than 1.6 million individuals (see: Lawsuits Against CaptureRX Pile Up, And So Do Victim Counts).
Also, Practicefirst, an Amherst, New York-based medical management services provider, on July 1 reported to HHS' Office Civil Rights a hacking breach that occurred late last year affecting more than 1.2 million individuals
Philips EMR Vulnerabilities
The two SQL injection vulnerabilities discovered in certain Philips TASY EMR products were identified by an independent researcher, CISA notes in its advisory about the issues.
If exploited, a successful SQL injection attack could result in confidential patient data being exposed or extracted from the TASY database, Philips says. Attackers also could gain unauthorized access to TASY EMR systems or accounts, which could lead to a denial-of-service attack to the database, Philips says.
"At this time, Philips has received no reports of exploitation of these vulnerabilities or incidents from clinical use that we have been able to associate with this problem," the company says.
Philips also says its analysis shows that it is unlikely that the vulnerabilities would affect clinical use and indicates there is no expectation of patient hazard due to this issue.
"It is important to note that to exploit these vulnerabilities, an attacker must necessarily have valid access to the system - session authenticated with valid TASY username and password," Philips says.
According to the company, the affected TASY products are mostly deployed in Argentina, Brazil, Colombia, the Dominican Republic and Mexico.
Philips recommends that affected customers update TASY EMR HTML5 to version 3.06.1804 or later with the latest available service pack in which both vulnerabilities are remediated, the company says.
The company also recommends using best practices for the management of credentials, including making them personal and nontransferable and changing the password periodically.
Philips also recommends avoiding posting access to the TASY system on the internet.
Jackson says the types of vulnerabilities identified in the Philips TASY EMR are common issues in healthcare software and devices. "The speed at which healthcare technology is advancing brings enormous benefits to us all. The price we pay is that as our systems become more and more complex, the potential for unintended vulnerabilities to present themselves also becomes more frequent."
Other experts note that the pervasive use of electronic medical records systems by most healthcare providers also comes with a variety of potential security and privacy risks, as well as vendor risk management concerns.
"EMRs are found today in every hospital. They keep all of the patient’s data, treatments, lab results, imaging diagnosis summaries and such," says Elad Luz, the head of research at healthcare security firm CyberMDX.
Most EMR solutions integrate billing, reception of medical device telemetry and other features, he notes.
"Anything that can impact the workflow within the hospital has the potential to be harmful to patients, and we must continue to raise the bar across the industry so that hackers look elsewhere for their next score," Luz says.
As for the two security weaknesses identified in certain versions of the Philips TASY EMR, he says, "Both vulnerabilities require the bad actor to first successfully authenticate with the EMR, meaning they already had access to some data and functionality of it."
"It is possible that different EMR users were given different permissions, and in such a case, the vulnerability may allow for a user with limited permissions unlimited access," posing risks to data confidentiality, he says.
"Unlike other vulnerabilities in the medical world, these can’t be used to directly impact the patient - such as in the case of manipulating a device to stop working or actively adjust the medication administered.
"However that doesn’t mean there isn’t risk. Using the vulnerabilities for data altering may result in false diagnoses and bad treatment, which could ultimately put patients at risk."