A new study published by the eHealth Vulnerability Reporting Program has found that health records are vulnerable due to poor security practices.

A 15-month study on the time to patch software for electronic health records was aimed to establish security best practices in the management of electronic health records.

The report indicates that vulnerabilities in medical equipment are not being addressed quickly by vendors, and this is making it impossible for hospitals and doctors to appropriately manage risk. This places patient health information at risk for being breached.

The amount of time between when a eHealth vendor is notified of a vulnerability and when that vulnerability is patched exceeded the time needed to patch in mainstream application software. For example, one medical application in the study remained unpatched after 2,211 days; another was 384 days and counting. By comparison, Brian Krebs of the The Washington Post found that the time to patch for Microsoft Internet Explorer was only 284 days.

The problem could be that eHealth application vulnerabilities are managed by many organizations. The Certification Commission for Healthcare Information Technology (CCHIT) and Healthcare Information Technology Standards Panel (HITSP) offer some general security standards, but no risk assessment is applied to reported threats.

The report recommends that eHealth vendors work more closely with security software vendors to establish better testing and reporting routines, better disclosure, vendor certification, and more public education.

Via CNet Tags: ehealth, patient information, medical records, data breach, hospital data, patient data security, data security