Sunday, April 06, 2014
It Appears There Are Some Significant Security Issues With The PCEHR. I Wonder When There Will Be An Official Comment?
The following appeared in the last day or so.
TL;DR: If you’re using XSLT stylesheets to render C-CDAs in your EHR, make sure you understand the security implications. Otherwise you could be vulnerable to a data breach.
This blog post describes security issues that have affected well-known 2014 Certified EHRs. Please note that I’ve already shared this information privately with the Web-based EHR vendors I could identify, and I’ve waited until they were able to investigate the issues and (if needed) repair their systems.
Last month I observed a set of security vulnerabilities in XSLT “stylesheets” used to display externally-supplied C-CDA documents in many EHRs. To be specific: the CDA.xsl stylesheet provided by HL7 (which has been adopted by many EHR vendors) can leave EHRs vulnerable to attacks by maliciously-composed documents.
I plan to follow up with posts describing:
- a real-world case where a vendor was affected by these issues
- a set of security best practices that can help avoid these and other issues
- the unfortunate state of EHR vendor security vulnerability reporting protocols
Many vendors appear to be using (slightly tweaked versions of) the CDA.xsl that comes with HL7’s C-CDA release. This provides potential attackers with a highly visible, leveragable target.
All the technical details of the three issues can be found here:
I was alerted to this blog post by a technical guru who said there were significant issues to be addressed both by the PCEHR Program and NEHTA as well as some of the GP system providers who used CDA Stylesheets.
I am sure there is significant effort being put into working out what exactly to do right now.
This is clearly an evolving story and I suggest people keep an eye open for information from Government and NEHTA and the mainstream press.
I also look forward to more posts from the US blogger explaining what he is recommending as appropriate fixes etc.
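The quoted post warns that a maliciously composed C-CDA can attack the EHR that renders it through an XSLT stylesheet, but the technical details sit behind the link that did not survive. As an added example (not code from either blog, from HL7's CDA.xsl or from any vendor), the Python below shows two checks a defender would apply to any such rendering pipeline: run the transform with the XML parser and the XSLT processor locked down, and lint the stylesheet for `disable-output-escaping`, the XSLT 1.0 switch that turns text taken from the document into live markup in the rendered page. The two stylesheets and the sample document are constructed for the illustration and stand in for a vendor's CDA.xsl; nothing here claims to reproduce the specific issues of the original post. It assumes the lxml library.

```python
"""Hardened rendering of an externally supplied C-CDA through XSLT, plus a
lint for the output-escaping anti-pattern. Added example; the stylesheets and
the document are constructed and are not HL7's CDA.xsl. Requires lxml."""
from __future__ import annotations

from lxml import etree

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Constructed stand-in for a vendor's CDA.xsl: document text is emitted through
# xsl:value-of with escaping left on, so markup in the title stays inert text.
SAFE_STYLESHEET = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:n1="urn:hl7-org:v3">
  <xsl:output method="html"/>
  <xsl:template match="/">
    <html><body><h1><xsl:value-of select="/n1:ClinicalDocument/n1:title"/></h1></body></html>
  </xsl:template>
</xsl:stylesheet>
"""

# Same stylesheet with escaping switched off: the anti-pattern the lint flags.
UNSAFE_STYLESHEET = SAFE_STYLESHEET.replace(
    b"<xsl:value-of ", b'<xsl:value-of disable-output-escaping="yes" ')

# Constructed document as an outside party might supply it: the title carries
# markup that must never reach the browser as live HTML.
HOSTILE_DOCUMENT = b"""<?xml version="1.0"?>
<ClinicalDocument xmlns="urn:hl7-org:v3">
  <title>Summary &lt;script&gt;alert(1)&lt;/script&gt;</title>
</ClinicalDocument>
"""


def hardened_parser() -> etree.XMLParser:
    """Parser for untrusted XML: no entity expansion, no DTD fetch, no network."""
    return etree.XMLParser(resolve_entities=False, load_dtd=False,
                           dtd_validation=False, no_network=True)


def render(document: bytes, stylesheet: bytes) -> str:
    """Apply the stylesheet to the document with file and network access denied
    to the transform (document(), xsl:include and friends cannot reach out)."""
    parser = hardened_parser()
    transform = etree.XSLT(etree.fromstring(stylesheet, parser),
                           access_control=etree.XSLTAccessControl.DENY_ALL)
    return str(transform(etree.fromstring(document, parser)))


def unescaped_output_sites(stylesheet: bytes) -> list[str]:
    """Return the tree paths of xsl:value-of / xsl:text elements that disable
    output escaping. Any hit fed from document content is a review finding."""
    root = etree.fromstring(stylesheet, hardened_parser())
    hits = root.xpath(
        "//xsl:value-of[@disable-output-escaping='yes']"
        " | //xsl:text[@disable-output-escaping='yes']",
        namespaces={"xsl": XSL_NS})
    tree = root.getroottree()
    return [tree.getpath(hit) for hit in hits]


if __name__ == "__main__":
    print("safe render:  ", render(HOSTILE_DOCUMENT, SAFE_STYLESHEET).strip())
    print("unsafe render:", render(HOSTILE_DOCUMENT, UNSAFE_STYLESHEET).strip())
    print("lint findings:", unescaped_output_sites(UNSAFE_STYLESHEET))
```

The access-control setting matters even though the document, not the stylesheet, is the untrusted input: it keeps a rendering host from becoming a file or network reader if a stylesheet is ever swapped or extended, and it costs nothing for a stylesheet that only formats the document. The lint is the quick way to review a tweaked CDA.xsl before it ships.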
Posted by Dr David G More MB PhD at Sunday, April 06, 2014