The Dark Side of the Cloud - How a Lack of EMR Security Controls Helped Amplify the Opioid Crisis

Conference: BlackHat USA 2020



The presentation discusses the need for cybersecurity measures in electronic medical record (EMR) systems, particularly for smaller healthcare providers. It makes four main points:
  • Excessive access to EMR systems can lead to unauthorized changes in clinical content, highlighting the need for clear access control and configuration change reports.
  • Smaller healthcare providers are more susceptible to cyber attacks due to a lack of resources, and partnerships with larger providers can help address this issue.
  • Proposed amendments to the Stark Law safe harbors would allow donations of cybersecurity and privacy monitoring services, together with liability protection for donors.
  • Smaller providers can partner with larger health systems or service organizations to use their EMRs and draw on their expertise in cybersecurity and clinical decision support services.
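The first point above calls for two controls: restricting who may alter clinical content, and a configuration change report that makes every edit to a clinical decision support (CDS) alert attributable and reviewable. The following is an added example of what such a report can look like; it is not code from the talk or from any EMR vendor. The audit-log format, the role names, the change-ticket identifiers and the off-hours heuristic are all assumptions, and the log lines are constructed to show the kind of edit the talk describes (an alert's recommendation being rewritten by an account that should never touch clinical content).

```python
"""Configuration change report for CDS alert content (added example).

Assumptions (not from the talk): the EMR writes one JSON line per configuration
write to a CDS rule, carrying the actor, the actor's role, the rule identifier,
an optional change-management ticket, and the before/after content.
"""
import json
from datetime import datetime

# Roles allowed to alter clinical content (assumed: clinical governance owns it;
# IT administrators, vendor support and integration accounts do not).
CLINICAL_CONTENT_EDITORS = {"clinical_governance", "pharmacy_informatics"}

# Change tickets approved by clinical governance (assumed change-management system).
APPROVED_CHANGES = {"CHG-1042"}

# Constructed audit log: three configuration writes to one pain-assessment alert.
SAMPLE_AUDIT_LOG = """\
{"ts": "2019-03-01T14:02:11Z", "actor": "dr.lee", "role": "clinical_governance", "rule_id": "PAIN-ASSESS-01", "change_id": "CHG-1042", "before": {"recommendation": "Assess pain score; consider non-opioid analgesia first."}, "after": {"recommendation": "Assess pain score; consider non-opioid analgesia and PT referral first."}}
{"ts": "2019-03-07T02:15:40Z", "actor": "svc-partner-integration", "role": "vendor_support", "rule_id": "PAIN-ASSESS-01", "change_id": null, "before": {"recommendation": "Assess pain score; consider non-opioid analgesia and PT referral first."}, "after": {"recommendation": "Assess pain score; consider initiating extended-release opioid therapy."}}
{"ts": "2019-03-08T09:30:00Z", "actor": "admin.kim", "role": "it_admin", "rule_id": "PAIN-ASSESS-01", "change_id": null, "before": {"trigger": "pain_score>=7"}, "after": {"trigger": "pain_score>=4"}}
"""


def parse_audit_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_change(event):
    """Return the list of control violations for one configuration write.

    - role_not_permitted: actor's role is outside the clinical-content allow list
    - no_approved_change: no approved change ticket is attached to the write
    - outside_business_hours: assumed heuristic, writes between 20:00 and 06:00 UTC
    """
    findings = []
    if event["role"] not in CLINICAL_CONTENT_EDITORS:
        findings.append("role_not_permitted")
    if event.get("change_id") not in APPROVED_CHANGES:
        findings.append("no_approved_change")
    hour = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).hour
    if hour < 6 or hour >= 20:
        findings.append("outside_business_hours")
    return findings


def diff_fields(before, after):
    """Field-level diff of the rule content: {field: (old, new)} for changed keys."""
    return {
        key: (before.get(key), after.get(key))
        for key in sorted(set(before) | set(after))
        if before.get(key) != after.get(key)
    }


def build_report(events):
    """Split writes into compliant and flagged entries, each with its content diff."""
    report = {"compliant": [], "flagged": []}
    for ev in events:
        findings = classify_change(ev)
        entry = {
            "ts": ev["ts"],
            "actor": ev["actor"],
            "rule_id": ev["rule_id"],
            "findings": findings,
            "diff": diff_fields(ev["before"], ev["after"]),
        }
        (report["flagged"] if findings else report["compliant"]).append(entry)
    return report


def format_report(report):
    """Render the report as plain text for a reviewing clinician."""
    lines = []
    for status in ("flagged", "compliant"):
        lines.append(f"== {status.upper()} ({len(report[status])}) ==")
        for e in report[status]:
            lines.append(f"{e['ts']} {e['rule_id']} by {e['actor']}")
            for field, (old, new) in e["diff"].items():
                lines.append(f"    {field}: {old!r} -> {new!r}")
            if e["findings"]:
                lines.append("    findings: " + ", ".join(e["findings"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(build_report(parse_audit_log(SAMPLE_AUDIT_LOG))))
```

The report deliberately shows the before/after content of every write, not just the violating ones: a change that passes every access check can still be clinically wrong, and the person able to judge that is a clinician reading the diff, not the access-control system.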
The presentation cites a case in Florida where a woman was sentenced to prison for committing identity theft using patient information she obtained from smaller healthcare practices. The practices were unaware of her actions, and the issue was only discovered through a confidential informant.


The opioid crisis has caused mass addiction to prescription painkillers. Tens of thousands have died from it. Families have been broken apart. Children have been born addicted. It has stretched our social support network to its breaking point.

A major reason for this was the manipulation of a popular Electronic Health Records (EHR) system, Practice Fusion, on behalf of a pharmaceutical company. The US Department of Justice singled out the marketing department of an opioid manufacturer for paying approximately $1M to have a Clinical Decision Support alert, a decision support tool used by physicians, changed so that it recommended the manufacturer's opioid products as part of treatment plans. This led to the unnecessary prescription of opioids to tens of thousands of patients and helped fuel a major crisis.

The EHR system in question is targeted at smaller physician practices, which lack the resources of larger health systems to examine Clinical Decision Support alerts. In this case, Practice Fusion was used by over 100,000 small to medium-sized medical practices.

According to the American Medical Association, most medical practices have 10 or fewer physicians. According to the American Hospital Association, approximately one third of hospitals have negative operating margins and lose money. These are organizations focused on keeping the lights on. Nevertheless, the HITECH Act and its associated incentive programs have pushed medical providers to adopt Electronic Medical Records.

This presentation will show evidence of how the opioid crisis exposed an operational security weakness in EHR systems, and why merely patching the affected alerts does not address it. We will also discuss how to address it as part of a larger operational framework in partnership with larger health systems. Given the current lack of support for smaller practices, we expect this type of attack to recur until the underlying weakness is resolved.


