EHR Vendors’ Disclosures Are Latest Security Risk Reminders

QRS Inc. Reports Patient Portal Hack; Philips Reveals TASY EMR Security Flaws

A recent large hacking incident and a separate vulnerability disclosure involving two different vendors’ products related to electronic health records serve as the latest reminders of the potential risks these systems can pose to patients’ protected health information.

Tennessee-based QRS Inc., vendor of the Paradigm practice management and electronic health records systems, on Oct. 22 reported to the Department of Health and Human Services a hacking/IT incident involving a patient portal server that affected nearly 320,000 individuals’ PHI.

Meanwhile, in a separate development, medical technology vendor Philips Healthcare and the Cybersecurity and Infrastructure Security Agency on Thursday each issued security advisories concerning two SQL vulnerabilities identified in the Philips TASY Electronic Medical Record HTML5 system, versions 3.06.1803 and prior.

The Philips EMR vulnerabilities, if exploited, pose risks to patient data confidentiality, the advisories say.

The two situations “are another reminder of how vulnerable the entire healthcare system is from the standpoint of cybersecurity,” says George Jackson, a senior principal consultant at privacy and security consultancy Clearwater.

“One is an example of a serious vulnerability requiring a…