There’s been an interesting situation going on between a couple EHR vendors. I first saw this when I got the press release that meridianEMR filed a lawsuit against UroChart. The lawsuit claims that UroChart obtained access to meridianEMR’s data.(Note: See this comment from IT Director of meridianEMR that discusses more details of what happened and how no data was breached.)
Lawsuits aside, meridianEMR is trying to capitalize on the situation by talking about their EMR security monitoring system was what notified them of the
breach attack by UroChart. They call it their Advanced Monitoring System (AMS) and say it responds immediately to any breaches attacks and protects patient records.
I’m not sure if it’s a smart move to use a breach of their system as a way to promote their ability to protect patient records. I guess they can argue that their monitoring service was what protected their patient records. However, the lawsuit is claiming that patient records were at risk. I don’t think that’s something any EMR vendor wants tied to their name, is it?
Marketing strategy aside, this security monitoring service is interesting and I can’t say I’ve really seen something like it in any other EMR system. Sure, they all have some sort of audit tracking and trail. However, I think most EMR vendor’s strategy is not detection, but prevention. They harden their systems using the best techniques, but don’t do much to try and detect breaches. Should that be changed?
One problem with breaches is that good hackers know how to even avoid the detection part. I still remember when my friend showed me how he had hacked into a server and you could see him logged in. Then, he ran a script and you couldn’t see him anymore. I guess if you compare it to the physical world, it’s like having a camera watching the front door, but no camera on the back door. However, in the digital world there are lots of different doors, including those we don’t know about.
Some might argue that ignorance is bliss in this instance. Sure, no EMR vendor is going to admit that in public. Neither is a doctor. However, the regulations have made it pretty harsh when you know that there’s been a breach of your system. You basically have to make it known to all the world. However, if you don’t know that your EMR system has been compromised, then you have no such requirements.
I’m sure some people won’t like me saying this, but be sure that many doctors and EMR vendors have thought about this. I’m sure there were parallels in the paper world too. So, let’s not act like this is really that new. Although, certainly technology has made it possible to have much larger breaches.
One thing worth noting is that I haven’t seen a group of healthcare hackers forming. There’s no underground group of people that I’ve heard of that are trying to hack and get access to healthcare data. Financial data is much easier to monetize for a hacker than healthcare data. That’s not to say that healthcare data isn’t valuable and can’t have consequences if it’s put in the wrong hands. However, most hackers do it for the Lulz, for financial gain, or vengeance. Things could certainly change, but I haven’t seen healthcare as a prime target for hackers. I’d love to see if you have evidence that says otherwise.
If you evaluate the list of breaches that are published by HHS, this seems to agree with my above evaluation. Almost every single breach was just due to something being lost, a physical device being stolen (which you can almost guarantee they wanted the laptop and not the healthcare data which they probably didn’t even know was on the laptop), or inappropriate use by someone on a system already.
It will be interesting to see how these EMR security monitoring systems evolve. Plus, will we see more need for these type of protections and monitoring of EMR systems?