Thursday, August 6, 2020

BH20: The Dark Side of the Cloud - How a Lack of EMR Security Controls Helped Amplify the Opioid Crisis

Mitchell Parker, CISO, Indiana University Health

The opioid crisis has caused mass addiction and broken up families and support systems. Why is this of interest to Black Hat? A major root cause of the crisis was the underhanded manipulation of an Electronic Medical Record (EMR) system.

Practice Fusion, now a division of Allscripts, carried advertisements inside its EMR, which looked like a violation of the Stark Law. Many smaller practices used it because they couldn't afford better systems; it had over 100K customers at its peak.

Many hospitals and small practices are losing money or barely staying afloat, so they used this system because it was 'free'.

EMRs are the digital version of paper records. They can run on mobile, on the desktop, in a browser or as a native application, often with remote access, because physicians are overworked too and would rather finish their charting from home.

EMRs need to be certified to be eligible for federal reimbursement, and they are meant to be kept up to date. Lots of HIPAA violations are caught at the big EMR companies, so it's hard to say what is happening at the smaller providers.

These systems tend to lack two-factor authentication for system access, which means a stolen or shared password alone can yield system administrator access. The physicians are overworked and focused on spending time with patients, not on IT and compliance.

Most of Practice Fusion's revenue came from advertisements, even though this violated the Anti-Kickback Statute. They additionally marketed themselves to drug manufacturers as willing to customize clinical decision support (CDS) alerts: Pharma Co. X paid $1M to add custom alerts recommending extended-release opioids. It was shown that doctors who saw this alert prescribed at a higher rate than those who did not.

Death and opioid abuse are not new; they were affecting parts of America as far back as the late 1990s.

People died and became drug addicts because of a marketing department.

To help stem this type of abuse, there are proposed changes to the Department of Health and Human Services regulations. Additionally, Mitchell would like to see diversion monitoring software and privacy monitoring.

He also recommends that doctors use the larger providers, which have already been set up to limit opioid prescriptions.

Going forward, EMRs should have two-factor authentication, limited (least-privilege) access, and reporting of configuration changes so that a change like a paid-for CDS alert cannot be made quietly.
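To make the configuration-change-reporting point concrete, here is an added example (not code from the talk, Practice Fusion or any EMR vendor) that audits a constructed EMR configuration audit log for clinical decision support rule changes. The JSON event schema, the field names (`change_ticket`, `approved_by`, `mfa`, `recommend`), the account names and the keyword screen for controlled substances are all assumptions made for the illustration; a real EMR would expose its own audit format. The idea is the one the talk implies: every CDS rule change should be tied to a change ticket and a clinical approver, should come from an MFA-protected session, and any rule that steers prescribing toward a controlled substance should be surfaced for pharmacy review.

```python
"""Flag unreviewed or risky clinical decision support (CDS) rule changes.

Added example with a hypothetical audit-event schema; not any vendor's format.
"""
import json
from dataclasses import dataclass

# Crude keyword screen; a real deployment would map to a drug-class code set.
CONTROLLED_KEYWORDS = ("opioid", "oxycodone", "hydrocodone", "fentanyl", "morphine")
# Only these actions are in scope for the audit; logins and reads are ignored.
CDS_ACTIONS = ("cds_rule.create", "cds_rule.update", "cds_rule.enable")

# Constructed sample audit log (one JSON event per line). All names invented.
SAMPLE_LOG = """\
{"ts":"2016-07-01T09:12:00Z","actor":"clin.gov@hospital.example","mfa":true,"action":"cds_rule.create","rule_id":"CDS-0412","title":"Sepsis screening reminder","trigger":"vitals.qSOFA>=2","recommend":"sepsis bundle","change_ticket":"CHG-1187","approved_by":"P&T committee"}
{"ts":"2016-07-03T22:41:00Z","actor":"marketing.integ@vendor.example","mfa":false,"action":"cds_rule.create","rule_id":"CDS-0419","title":"Pain assessment","trigger":"complaint.pain=true","recommend":"extended-release opioid","change_ticket":null,"approved_by":null}
{"ts":"2016-07-04T08:05:00Z","actor":"dr.smith@hospital.example","mfa":true,"action":"user.login","rule_id":null}
{"ts":"2016-07-09T17:30:00Z","actor":"marketing.integ@vendor.example","mfa":true,"action":"cds_rule.update","rule_id":"CDS-0420","title":"Chronic pain follow-up","trigger":"diagnosis=chronic_pain","recommend":"long-acting opioid","change_ticket":"CHG-1203","approved_by":null}
"""


@dataclass(frozen=True)
class Finding:
    rule_id: str
    actor: str
    issue: str


def parse_events(text):
    """Parse one JSON event per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit(events):
    """Return one Finding per control violated by each CDS rule change."""
    findings = []
    for ev in events:
        if ev.get("action") not in CDS_ACTIONS:
            continue
        rid, actor = ev["rule_id"], ev["actor"]
        # Control 1: every rule change is tied to a ticket and a clinical approver.
        if not ev.get("change_ticket") or not ev.get("approved_by"):
            findings.append(Finding(rid, actor, "no change ticket / clinical approval"))
        # Control 2: the change came from a session that passed MFA.
        if not ev.get("mfa"):
            findings.append(Finding(rid, actor, "change made from a session without MFA"))
        # Control 3: rules steering toward controlled substances get pharmacy review.
        recommendation = (ev.get("recommend") or "").lower()
        if any(k in recommendation for k in CONTROLLED_KEYWORDS):
            findings.append(Finding(rid, actor, "recommends a controlled substance; needs pharmacy review"))
    return findings


def summarize(findings):
    """Count findings per rule, noisiest rule first, for the daily report."""
    counts = {}
    for f in findings:
        counts[f.rule_id] = counts.get(f.rule_id, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    found = audit(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f.rule_id:9} {f.actor:34} {f.issue}")
    print(summarize(found))
```

Run against the constructed log, the sepsis rule (ticketed, approved, MFA) produces no findings, while the two opioid-related rules added by the vendor-side account produce five findings between them. The report is only as good as the audit trail behind it: if the EMR does not log who changed a CDS rule and from what kind of session, none of these checks can be made.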

We tell our doctors everything about our lives, so this information must be protected. When that trust is broken, it is tragic.
