The Dark Side of the Cloud - How a Lack of EMR Security Controls Helped Amplify the Opioid Crisis

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 1:30 p.m. (40 minutes)

The opioid crisis has caused mass addiction to prescription painkillers. Tens of thousands have died from it. Families have been broken apart. Children have been born addicted. It has stretched our social support network to its breaking point.

A major reason for this was the manipulation of a popular Electronic Health Records (EHR) system, Practice Fusion, on behalf of a pharmaceutical company. The US Department of Justice singled out the marketing department of an opioid manufacturer for paying approximately $1M to change a decision support tool used by physicians, a Clinical Decision Support (CDS) alert, so that it recommended the manufacturer's opioid products as part of treatment plans. This led to the unnecessary prescription of opioids to tens of thousands of patients and helped fuel a major crisis.

The EHR system in question is targeted at smaller physician practices that lack the resources of larger health systems to examine Clinical Decision Support alerts. In this case, Practice Fusion was used by over 100,000 small to medium-sized medical practices.

Most medical practices, according to the American Medical Association, have 10 or fewer physicians. Approximately one third of hospitals, according to the American Hospital Association, run negative operating margins and lose money. These are organizations whose first priority is keeping the lights on.

Even so, the HITECH Act and its associated incentive programs have pushed medical providers to adopt Electronic Medical Records.

This presentation will show evidence of how the opioid crisis exposed an operational security weakness in EHR systems, and why simply patching the affected alerts does not address it. We will also discuss how to address it as part of a larger operational framework in partnership with larger health systems. Given the current lack of support for smaller practices, we expect this type of attack to recur unless the underlying weakness is resolved.

Presenters:

  • Mitchell Parker - CISO, Indiana University Health
    Mitchell Parker, MBA, CISSP, is the CISO at IU Health. Mitch has eleven years' experience in this role, having established effective organization-wide programs at multiple organizations. He is responsible for providing policy and governance oversight and research, third-party vendor guidance, proactive vulnerability research and threat modeling services, payment card and financial systems security, and security research to IU Health and the IU School of Medicine. In this role, Mitch collaborates across the organization and with multiple third parties to improve the people, processes, and technologies used to facilitate security and privacy for the benefit of IU Health's patients and team members. Mitch also actively researches and publishes in the academic community. He is an adjunct lecturer in Health Informatics at Indiana University – Purdue University Indianapolis, and also guest lectures at multiple universities, including IUPUI, Purdue, and the IU Kelley School of Business. He has published peer-reviewed papers with collaborators across the world. Prior to his move to Indiana, Mitch was an Adjunct Professor in the Information Technology and Cyber Security (ITACS) program at the Fox School of Business at Temple University, where he taught MIS5903, the Cyber Security capstone course. He also writes for multiple publications, including CSO Magazine, Healthcare IT News, HealthsystemCIO.com, Security Current, Healthcare Scene, and the HIMSS blog. He has contributed a chapter to an upcoming Cybersecurity in Healthcare textbook, an essay to Voices of Innovation, published in March 2019 by HIMSS, and a chapter to an upcoming book on Healthcare Cybersecurity for the American Bar Association's Health Law section. Mitch has been quoted in numerous publications, including the Wall Street Journal, ISMG, HealthITSecurity, and Becker's Hospital Review.
    Mitch is also a prolific presenter, having presented at NIST, IEEE TechIgnite, the national HIMSS conference multiple times, the HIMSS Security Forum, multiple ISMG Healthcare conferences, multiple regional HIMSS conferences, Becker's IT+Revenue Cycle conference, and numerous other regional and national conferences.
