Analyzing ONC’s Interoperability Roadmap
10-Year Plan Shines Spotlights Privacy, Security Challenges
… Security expert Keith Fricke, principal consultant at security consulting firm tw-Security describes the document as “a very good start in defining where things need to head,” but sees room for improvement.
“A few areas of the roadmap were disappointing or concerning,” he says. “The roadmap sets expectations for vendors to step up to help achieve interoperability. Most EHR vendors still are providing products that do not support encrypting their databases at rest.”
… More cooperation by vendors is necessary for the healthcare industry to meet various objectives set by the roadmap, Fricke contends.
For instance, because “most EHR vendors are still not supporting encryption of their databases at rest, that puts the burden on hospitals to invest in hardware-encrypted SAN storage on which to operate their EHR,” Fricke says. “Doing so becomes a compensating control, and that is if the vendor supports running on encrypted SAN storage – some do not support even that. Are we to believe that if vendors have been failing to address the encryption issue, they will step up and meet the requirements of securing interoperability?”
Fricke also says the roadmap document lacks details on the need for consumer education. “The general public is not as aware of cybersecurity risks as they should be,” he says. “Many of these same people will likely access their personal medical record from a personally owned computer that is lacking current software patches or current anti-virus software.”
The roadmap doesn’t sufficiently address security threats facing patient portals, including sophisticated phishing attacks and malware, Fricke contends. The document calls for enhanced authentication capabilities, which to some extent may be able to combat these threats, he notes. “If a patient portal is compromised, that will be a great setback for interoperability adoption,” he says.
Fricke’s particularly concerned about “watering hole attacks,” an emerging threat. “Criminals target a particular group of individuals based on industry, organizational affiliation or maybe even based on geographic region,” he says. “If criminals can use malware to compromise a patient’s home computer and learn which patient portal they access, the criminals may find creative ways to target neighboring populations with phishing emails that compromise more access to the portals.”