People, the weakness of the EPD (EHR)!

Jun07

Visiting a conference about the Electronic Patient Dossier (EPD) or EHR (Electronic Health Record) gives a good overview of what is going on in this field, where hardware, software, people and processes come together. Many vendors were present and many good discussions took place at this conference. It was also quite a modern conference, with a kind of Twitter stream via #L2D.

Although a lot of security aspects were covered, I got a strange feeling during the conference. The question that came up in my mind is: how is the weakest link, the people, covered in the security approach we follow at this moment? In this post I'll explain some weaknesses of the EHR. What can we do as testers to make these weaknesses visible?

Security aspects of the EPD
The Dutch Electronic Patient Dossier (Electronic Health Record) is intended as a national infrastructure for exchanging medical patient records among authorized parties. The EHR is partially centralized, but almost all data is stored locally in the xIS (x Information System) of hospitals and pharmacies. In some countries around us this already takes place.

As you can imagine, there are a lot of parties involved in this type of project: not only the government, but also many software vendors, consultants and hardware suppliers. The EHR has to address a number of requirements, ranging from scalability and performance to security and privacy. With so many parties it is not easy to have all the responsibilities in place.

During the conference I got the feeling that a lot of security aspects are assigned to the different parties. Using them in practice is the next step, but we will see that in the coming months to years.

The government, for example, makes the laws and legislation for this; a ministry is involved. One of the qualifications is the GBZ (Goed Beheerd Zorgsysteem), which translated from Dutch stands for well-managed care system. Some ISO certificates are also involved for the hospitals. Information security is assigned to the government.

Infrastructure security is mostly assigned to the parties that maintain the networks: they must deliver the right exchange, manage the connections and deliver high uptime.

Building secure applications is a task of the software vendors. The Secure Development Lifecycle, assessments and penetration tests must be in place there.

People weaknesses above these aspects
What I missed at the conference is the people aspect in this situation. Because if information security, infrastructure security and application security are in place but the people are not aware of security or misuse the information, they are in that case the weakest link. People stand above these three pillars and have influence on all of them.

Here are some possible threats:

  1. People use each other's UZI pass (the UZI pass is a personal authentication card to get access to the systems). If people use each other's cards together with somebody else's secret password, all information is available to a person who isn't authorized to see the data. (Remark: this is only the data the card owner has access to.)
  2. People don't lock the PC. If people are working at their desk with patient dossiers and walk away without locking their PC, everybody will have access to the open dossiers on that PC.
  3. Username and password under the keyboard. How often does this happen? Post-its under the keyboard with the username and password written on them? Keyboards, agendas and sometimes the monitor are the places to search for usernames and passwords.
  4. Use an MP3 CD to avoid the Windows lock. A friend of mine works in a hospital in the Netherlands. To avoid the Windows lock of the PC they put an MP3 CD in the drive and play music the whole day with the sound off. The effect of this is that the PC doesn't lock. Unattended PCs of medical personnel can be used by everyone. The local dossiers are all available. What if you just saw a celebrity walking in the corridor? Just open her dossier to see what's wrong?
  5. Printed dossiers on the desks of employees, or, as my neighbor told me, a bunch of dossiers on the lap of a patient in a wheelchair who is moved from A to B. Open and visible for everyone. We can do our best, but they pass all security, firewalls and authentication cards.
  6. Duplicate authentication passes. According to the formal process this is not possible, but my sources told me there are a lot of them in hospitals, for example.

The role of testers in these weaknesses
As you can imagine, it is hard to test these vulnerabilities. Information security can be assessed with, for example, a security audit of the processes. The infrastructure can be tested with a penetration test and the application with an application security assessment. But the people aspect, the weakest link with those vulnerabilities, cannot be tested with any of these types of tests.

Secondly, all these issues occur after go-live; how often are you still involved at that moment? Most testers act in earlier phases.

However, with this awareness in mind and with knowledge from earlier projects, you can address some of these things during reviews of designs and processes, or during the test phase.

The role of organizations and the government
Organizations like hospitals and pharmacies that use this type of software have, in my opinion, the responsibility to make people aware of these vulnerabilities. Once I saw a campaign to make people aware of the value of passwords: a big picture of a piece of underwear with the text "A password is like underwear, you don't share them".

The safety of the systems can also be pushed from this side. Logging all requests, and taking samples from this log database to check whether only the people involved in a certain care process accessed the data, can make it a little bit "celebrity checking proof".
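One way to do the sampling check described above, as an added example that is not part of the original post: constructed EHR access log lines are compared against a constructed care-relationship table, and every record view by a user who is not on that patient's care team is flagged for review. The log format, field names and identifiers are assumptions.

```python
# Added example (not from the original post): flag EHR record accesses by staff
# who are not involved in the patient's treatment. Log format is an assumption.
from collections import defaultdict

# Constructed sample log: timestamp, user (UZI pass holder), workstation, patient, action.
ACCESS_LOG = """\
2010-06-07T09:02:11 uzi-1001 ws-icu-3 pat-0042 VIEW
2010-06-07T09:05:47 uzi-1001 ws-icu-3 pat-0042 UPDATE
2010-06-07T11:14:02 uzi-2207 ws-lobby-1 pat-0042 VIEW
2010-06-07T11:14:40 uzi-2207 ws-lobby-1 pat-0099 VIEW
2010-06-07T13:30:00 uzi-3310 ws-pharm-2 pat-0099 VIEW
"""

# Constructed care relationships: which staff are treating which patient.
CARE_TEAM = {
    "pat-0042": {"uzi-1001", "uzi-1550"},
    "pat-0099": {"uzi-3310"},
}

def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, host, patient, action = parts
        records.append({"ts": ts, "user": user, "host": host,
                        "patient": patient, "action": action})
    return records

def find_unrelated_access(records, care_team):
    """Return the records whose user is not on the patient's care team."""
    return [r for r in records
            if r["user"] not in care_team.get(r["patient"], set())]

def patients_per_user(records):
    """Count distinct patient records each user touched; a high count is a
    second signal worth including in the sample that gets reviewed."""
    seen = defaultdict(set)
    for r in records:
        seen[r["user"]].add(r["patient"])
    return {user: len(patients) for user, patients in seen.items()}

if __name__ == "__main__":
    recs = parse_log(ACCESS_LOG)
    for r in find_unrelated_access(recs, CARE_TEAM):
        print(f"REVIEW {r['ts']} {r['user']} on {r['host']} "
              f"accessed {r['patient']} ({r['action']})")
```

In a real deployment the care-team table would come from the hospital's own admission or treatment registration, and flagged entries are the sample a privacy officer reviews, not an automatic verdict.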

The government, in my humble opinion, has besides a monitoring function also the responsibility to make all parties involved aware of this aspect. Through standards like ISO, HL7 and IHE they can motivate companies.

Because as long as human beings are involved in the process and use the software, they will always be the weakest link of the security spectrum. You can test whatever you want; 100% secure doesn't exist.

Please let me know: what is your opinion about this topic? How can we make big projects like the electronic health record secure when we talk about the people aspect?

This entry was posted on Monday, June 7th, 2010 at 08:30 and is filed under Andréas Prins, security testing, structured testing. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

402 Responses to “People, the weakness of the EPD (EHR)!”

  1. Tweets that mention People, the weakness of the EPD (EHR)! :: Software Testing and more -- Topsy.com Says:

    [...] This post was mentioned on Twitter by Andreas Prins, Andreas Prins. Andreas Prins said: New blog post: Are people the weakness of the EHR? http://tinyurl.com/3yg2w59 What's your opinion #EPD #EHR #L2D [...]

  2. ICMCC News Page » People, the weakness of the EPD (EHR)! Says:

    [...] Article Andréas Prins, Software Testing and more, 7 June 2010 [...]

  3. J van Duivenboden Says:

    Interesting post. I'm not an expert on testing, but you make a good point regarding the human factor. It may take a lot of time before security awareness in e.g. hospitals is at the desired level. Especially in healthcare, there is a delicate balance between user-friendliness and security measures, as your examples clearly demonstrate. One could argue that with this in mind, roll-out of a nationwide EHR is a lost cause. But introducing this infrastructure also provides a chance to improve security awareness. The first users of the system have shown this. On the other hand, something might always go wrong. A user may (by intent) look into data that was for someone else's eyes only. The infrastructure with its logging, authentication and authorisation components has to deal with this and has to provide additional checks further in the process. Independent monitoring of these logs is required. It will take a lot of time before this is all in place, but introduction of the EHR (as well as other developments) might speed things up a bit.

  4. Andreas Prins Says:

    @Duivenboden, hopefully the introduction of this type of complex software will make people aware. I started a discussion on LinkedIn in Dutch about how we can create more awareness; some nice responses over at that place on the world wide web.
    Do you have experiences in the hospitals, for example with security?

    http://www.linkedin.com/groupAnswers?viewQuestionAndAnswers=&gid=1806647&discussionID=21979913&goback=.anh_1806647

  5. ICMCC Website » ICMCC Event 2010 Says:

    [...] those are not linked to the EHR at primary care level. But recently it became known that there are serious security issues in hospitals: People use each other’s identification card (UZI pass) People don’t lock PCs Username and [...]

  6. ehr software guy Says:

    jvan makes a good point. The fact that our records are not yet secure really makes you wonder who is looking at your personal records and files. Are there people out there accessing this stuff from remote locations? Hope not.
