“Unfortunately, a lot of times you run into vendors who have poorly coded software,” Delano said. “That’s the case here.”
After an inquiry by The Post, a researcher at the University of Florida, Shawn Merdinger, found flaws in the use of wireless iPads by new medical residents at the University of Chicago medical center.
Merdinger found a manual for the iPad initiative posted online; it published a single user name and password that all the residents were to use for a shared Dropbox account. The idea was to promote collaboration.
But the arrangement opened the medical center to “social engineering” attacks, where hackers plant documents, such as PDFs, that are loaded with malicious code. Once the documents are uploaded, the iPads could become infected, handing over control of hospital networks to hackers.
After The Post alerted the medical center, officials closed the gap.
“This Dropbox account was intended to be used only to share educational material among residents,” Cindy Kitching-Pena, director of the Department of Medicine Education Programs, said in a statement. “Nevertheless, the username and password to the account have been changed, and the account will be terminated.”
In February 2009, Congress mandated the widespread adoption of electronic health records (EHR) computer systems as part of the stimulus legislation known as the American Recovery and Reinvestment Act. The law included as much as $36 billion in stimulus funding to promote the “meaningful use” of such systems. It was the Obama administration’s first big step toward health-care reform.
Since then, tens of thousands of doctors, hospitals and other health-care operations have received more than $8.1 billion in government payments, and they have begun using the systems to digitize and share millions of patients’ records in ways that proponents say will save billions of dollars and improve care.
The law required electronic health records systems to be certified by independent labs to meet an array of standards established by HHS, but those standards include few security provisions, according to documents and interviews.
Officials have known for years about vulnerabilities in the systems. In 2007, the eHealth Vulnerability Reporting Program, a group that included senior health-care officials, concluded that “commercial EHR systems are vulnerable to exploitation given existing industry practices” and that the “skill level required to exploit is low.”
Two years ago, Williams, the North Carolina State researcher, and her colleagues found common flaws in four systems that would expose users’ login information and enable outsiders to access patients’ records.
The group’s report urged rigorous security testing before electronic health record vendors could be certified for stimulus funding.
Federal officials have not gone that far, but Farzad Mostashari, the national coordinator for health information technology at HHS, said they “have taken important steps with vendors to make electronic health records more secure,” such as requiring encryption of data on laptops.
Among the systems that HHS has certified is OpenEMR, open-source software developed by a nonprofit charitable group called OEMR. The software can be downloaded for free.
Williams’s group — along with several white-hat hackers — has found hundreds of vulnerabilities in the system.
OEMR’s leaders acknowledged the flaws but said it would take an experienced hacker to exploit them. Chief technology officer Kevin Yeh said his group fixes problems as soon as it learns about them and that other Web-based systems probably have the same weaknesses.
He added that federal certification standards “are not sufficient.”