Pediatric EMR Vendor Hack Affects 2.2 Million

Incident Spotlights Multiple Common But Serious Data and Vendor Concerns

… Complicating matters, pediatric data typically has longer data retention requirements, says Wendell Bobst, senior security consultant at privacy and security consultancy tw-Security. “This means that pediatric providers tend to keep data longer than adult patients,” he says.

… Connexin provides its Office Practicum as a cloud-based solution. The company’s reference to “an offline set of patient data” implies that their application, as managed in their AWS instance, was not hacked, but rather the “unauthorized party” accessed a copy that was stored in an on-premises server, Bobst says.

“Connexin may periodically receive new client data from other EMRs and convert that data to their platform,” he says. The live data may be used to complete or test the conversion process. Connexin may also test its version upgrades with live data in a test environment to project the duration of the upgrade and ensure client data upgrades occur successfully.

… Any offline copies of data should be encrypted, retained in a location monitored for access, and require authorization to “check out” the data from the archive, Bobst says.

“Tagging ‘PHI – Customer X’ provides a visual cue to support personnel and conversion analysts,” he suggests. Also, data loss prevention technologies, which help detect PHI that is accessed or leaving the organization, are a critical control for PHI outside of an application, Bobst says.
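The following Python script is an added illustration of the controls described above, not code from the article, tw-Security or Connexin: it audits a set of offline datasets for a "PHI - Customer X" tag, checks that any check-out from the archive has an approver recorded, and runs a simple DLP-style pattern scan so that untagged copies containing PHI indicators are surfaced. The dataset records, the check-out fields and the PHI regexes are constructed for the example and are far from a complete DLP ruleset.

```python
"""Audit offline PHI datasets for tagging, check-out approval and PHI indicators.

Added example, not from the article. The datasets, check-out fields and
PHI patterns below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed PHI indicator patterns (illustrative only, not a full DLP ruleset).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\bDOB:\s*\d{2}/\d{2}/\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*\d{6,}\b"),
}

# Tag format from the article ("PHI - Customer X"); the customer name is free text.
TAG_RE = re.compile(r"^PHI - Customer \S+$")


@dataclass
class OfflineDataset:
    """One copy of data held outside the application (constructed record shape)."""
    name: str
    tag: str                          # expected: 'PHI - Customer <name>'
    content: str                      # text export being audited
    checked_out_by: Optional[str] = None
    approved_by: Optional[str] = None


def phi_indicators(text: str) -> List[str]:
    """Return the names of PHI patterns found in the text, sorted for stable output."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def audit_dataset(ds: OfflineDataset) -> List[str]:
    """Return control violations for one dataset (empty list means compliant)."""
    findings = []
    hits = phi_indicators(ds.content)
    # Any copy that contains PHI indicators must carry the visual PHI tag.
    if hits and not TAG_RE.match(ds.tag):
        findings.append(f"untagged PHI ({', '.join(hits)})")
    # Taking data out of the archive requires a recorded authorization.
    if ds.checked_out_by and not ds.approved_by:
        findings.append(f"check-out by {ds.checked_out_by} without approval")
    return findings


def audit_all(datasets: List[OfflineDataset]) -> Dict[str, List[str]]:
    """Map dataset name to its findings, including only datasets with violations."""
    return {ds.name: f for ds in datasets if (f := audit_dataset(ds))}


# Constructed sample datasets (fictional names and values).
SAMPLE_DATASETS = [
    OfflineDataset("conversion-2021q1", "PHI - Customer Riverside",
                   "Jane Doe SSN 123-45-6789 DOB: 04/12/2015",
                   checked_out_by="analyst1", approved_by="sec-lead"),
    OfflineDataset("conversion-2019q3", "conversion-test",
                   "legacy export MRN 00412345 allergies: none"),
    OfflineDataset("upgrade-test", "PHI - Customer Hilltop",
                   "DOB: 09/30/2016 immunization history",
                   checked_out_by="contractor"),
    OfflineDataset("schema-notes", "", "column mapping notes, no patient records"),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_DATASETS).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run as a script it prints one line per non-compliant dataset; in a real archive the same checks would be fed by the monitoring and check-out logs rather than by an in-memory list, and the encryption-at-rest requirement would be verified separately.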
