Is Your Clients’ PHI Vulnerable to Zero-Day, Heartbleed, or Other Attacks!?
by Leigh-Ann Renz, 5/19/14
Behavioral Health EHR Security
We’re often questioned (and sometimes criticized) because PIMSY is Cloud-based but not Browser-based. In light of the recent Heartbleed and other Zero Day vulnerabilities, it’s a good time to explain our reasoning for PIMSY mental health EHR’s architecture.
Zero Day vulnerabilities are simply previously undisclosed vulnerabilities. In a recent example of a zero day vulnerability, Microsoft has issued a security advisory stating that all Internet Explorer (IE) versions from 6 through 11 contain vulnerable code that may allow remote code execution, or RCE. Surfing to a booby-trapped Web page or loading a maliciously crafted image file can trick IE into executing code from outside your network, which means that malware can be put on your computer even if you don’t take well-known risks such as opening suspicious attachments or files.
Search for “Microsoft acknowledges ‘in the wild’ Internet Explorer zero-day” for details and for steps to protect yourself and your client data.
Heartbleed is a recently discovered vulnerability in OpenSSL, a cryptographic library used by the majority of websites employing the secure sockets layer (SSL) protocol for security. This vulnerability means that data might have been compromised across a large number of online websites. Heartbleed has highlighted the security vulnerabilities in all types of Browser-based systems.
What does this have to do with the security of your EHR or PMS?
Many EHRs (electronic health records), EMRs (electronic medical records), and/or PMS (practice management systems) are Browser-based, which means that they are vulnerable to attacks like Heartbleed or other Zero-Day vulnerabilities.
This means that your clients’ HIPAA-protected personal health information (PHI) could be at risk! It also means that company information, like employee social security numbers, financial reports, etc., is also vulnerable. Not a situation you want to be worrying about.
PIMSY Mental Health Practice Management System is immune to any Browser-based vulnerability or attack!
When we built PIMSY behavioral health EMR, we had to choose which architecture to use: Browser-based or not? We chose not, for this very reason: we knew that our clients’ ePHI would be more vulnerable to Browser-based attacks than if we built it as a software-client-based solution.
While PIMSY is as exposed to Cloud-based attacks as every other Cloud-based system, not having to worry about browser and browser add-on attacks removes a significant layer of risk for our users. PIMSY’s architecture creates a “significantly smaller attack surface”.
> PIMSY is immune to any browser-based attacks that Internet Explorer, Mozilla, Safari, Chrome, or Opera are susceptible to!
> This includes attacks from Java-based scripting, Flash, Adobe, Shockwave, ActiveX controls, etc.
> PIMSY mental health EHR uses the same encryption technology to protect your data in motion as most financial institutions.
> No data is stored on your devices. It’s encrypted both at rest and in transmission.
> Your credentials are never transmitted in the clear: they are always encrypted. Even the server doesn’t see the authentication data – the data flow is never exposed!
> PIMSY is not susceptible to “man in the middle” type attacks, and because the ePHI is encrypted before being sent to the server, it is not exposed to “sniffing-based attacks”.
> PIMSY is safe from vulnerabilities such as Heartbleed because it doesn’t use OpenSSL.
What does this mean for you?
Because PIMSY is not Browser-based, it gives us more control over security. In HIPAA language, we are our clients’ Business Associates and thus are responsible for the security of the application.
If your Browser-based EHR is affected by one of these attacks, it’s not the EMR’s fault! But who’s responsible? Are you going to be able to get someone from Microsoft on the phone to walk you through handling compromised client health data? Can you get a BA from Apple?
Unfortunately, those giant providers are an unaccountable third party. For “Software-as-a-Service” browser-based EMR applications, the browser itself is as much a part of the EMR code as the EMR itself. They are one. The browser contains the code, compiles the code and executes the code, making it an essential piece of the EMR. So if the Browser is insecure, the EHR inside it is also at risk. Another advantage of non-Browser-based systems like PIMSY is the direct accountability in potentially compromising situations.
If you’re not yet using an EHR, you may want to consider the enhanced security offered by a non-Browser-based solution. If you are, you should absolutely double-check with your behavioral health Practice Management System and make sure that they have fixed the Heartbleed vulnerability and are on top of other virus-based and Zero-Day vulnerabilities (if they haven’t contacted you to address these already).
Leigh-Ann Renz is the Marketing & Business Development Director of PIMSY EHR and practice management for mental and behavioral health.