Tuesday, September 25, 2007

eHealth Vulnerability Reporting Program

The eHealth Vulnerability Reporting Program is a venture, founded in May 2006, "to establish approaches and procedures that will help ensure eHealth systems are broadly and rapidly deployed with the highest levels of privacy and security". It has published an executive briefing on some of its findings, which include:
  • EHR vulnerabilities can be exploited to gain control of the application or access to data for modification or retrieval
  • EHR applications have vulnerabilities consistent with other complex applications
  • Application vulnerabilities have long lives
  • EHR vulnerabilities are not disclosed to customers of these systems
  • Commercial EHR systems are vulnerable to exploitation given existing industry development and disclosure practices
  • Security software effectively reduced time of exposure
  • No organization could be identified that has responsibility, charter or mission to address security vulnerabilities in eHealth applications
The report stresses that the "sky is not falling", but that EHR vendors, healthcare providers and the healthcare industry need to do much more.

This is a space worth watching for future developments.

For an overview of the report, read Nancy Ferris' article titled "Hacking into e-health records is too easy, group says".
