Pediatric EMR Vendor Hack Affects 2.2 Million
Incident Spotlights Multiple Common But Serious Data and Vendor Concerns
A hacking incident at a cloud-based electronic health records and practice management software vendor affects dozens of the company's pediatric practice clients and more than 2.2 million of their patients and other individuals.
Pennsylvania-based Connexin Software Inc., which does business as Office Practicum, reported the hack to the U.S. Department of Health and Human Services on Nov. 11 and said it involved a network server.
Connexin in its breach notification statement lists about 120 pediatric practices affected by the incident.
In the statement, Connexin says that on Aug. 26, it detected "a data anomaly" on its internal network. A forensics investigation determined that an unauthorized third party had gained access to an internal computer network, removing some data contained in an "offline" patient data set used for data conversion and troubleshooting.
Connexin's "live" electronic medical record system was not accessed, and the incident also did not affect any pediatric practice groups’ systems, databases or medical records systems, the statement says.
In any case, the range of patient data potentially compromised in the incident is wide. Connexin says patient information affected may have included name, guarantor name, parent/guardian name, address, email address, date of birth, Social Security numbers, health insurance information and medical and/or treatment information - including procedures, diagnosis, prescription information and physician names.
Financial information - such as billing claims, invoices and patient account identifiers used by providers - was also contained in the affected data set.
Pediatric Data Risks
Data security and privacy risks involving pediatric patients can be especially worrisome for a variety of reasons.
"There is an elevated sense of risk any time you are dealing with pediatric data or systems," says Brian Selfridge, healthcare cybersecurity and risk leader at security firm CORL Technologies.
Unauthorized access to the Social Security numbers, demographics, billing and treatment information for children can lead to identity theft, medical identity theft and other types of fraud.
Complicating matters, pediatric data typically has longer data retention requirements, says Wendell Bobst, senior security consultant at privacy and security consultancy tw-Security. "This means that pediatric providers tend to keep data longer than adult patients," he says.
"In the case of children, you are looking at decades of potential for that information to be abused in ways that may adversely impact patients," Selfridge says.
Connexin did not immediately respond to Information Security Media Group's request for additional details about the incident.
The company's description of the compromised data set being "offline" indicates a few potential scenarios.
Connexin provides its Office Practicum as a cloud-based solution. The company's reference to "an offline set of patient data" implies that their application, as managed in their AWS instance, was not hacked, but rather the "unauthorized party" accessed a copy that was stored in an on-premises server, Bobst says.
"Connexin may periodically receive new client data from other EMRs and convert that data to their platform," he says. The live data may be used to complete or test the conversion process. Connexin may also test its version upgrades with live data in a test environment to project the duration of the upgrade and ensure client data upgrades occur successfully.
Often, organizations will use production data for testing and troubleshooting - during development or when responding to customer issues, says Jon Moore, chief risk officer at privacy and security consulting firm Clearwater.
They may also deal with large data sets when migrating a customer onto or off of their platform, he says.
"Unfortunately, it is not that uncommon to see that organizations do not have the same security controls around their development, testing and migration environments as they do in production," he says.
"This is particularly risky if using real personal information in a development or testing environment as opposed to dummy information or otherwise de-identified information."
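One way to produce the kind of de-identified conversion or test set Moore describes, using the field types the Connexin statement lists. This is an added illustration, not code from Connexin or Office Practicum; the record layout, field names and sample values are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample record with the field types named in the breach statement
# (name, guarantor, parent/guardian, address, email, DOB, SSN, insurance,
# diagnosis, procedure, physician). Values are made up, not real PHI.
SAMPLE_RECORD = {
    "patient_id": "OP-1001", "name": "Jane Doe", "guarantor_name": "John Doe",
    "parent_guardian": "John Doe", "address": "12 Elm St, Anytown PA",
    "email": "jdoe@example.com", "dob": "2015-04-22", "ssn": "123-45-6789",
    "insurance_member_id": "ABC123456", "diagnosis": "J45.909",
    "procedure": "99213", "physician": "Dr. Smith",
}

# Direct identifiers that a migration or upgrade test never needs.
DIRECT_IDENTIFIERS = {
    "name", "guarantor_name", "parent_guardian", "address",
    "email", "ssn", "insurance_member_id", "physician",
}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: records stay linkable inside one test set, but the value
    cannot be reversed or matched to another set without the key. Keep the
    key in production, never alongside the test data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes) -> dict:
    """Drop direct identifiers, pseudonymise the patient ID and generalise
    the date of birth to a year; clinical and billing fields are kept so
    the conversion logic is still exercised on realistic shapes."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "patient_id":
            out[field] = pseudonym(value, key)
        elif field == "dob":
            out[field] = value[:4]
        else:
            out[field] = value
    return out


def contains_direct_identifiers(record: dict) -> bool:
    """Release guardrail: flag any record still carrying an SSN-shaped value,
    an email address, or one of the direct-identifier fields."""
    if DIRECT_IDENTIFIERS & set(record):
        return True
    return any(isinstance(v, str) and (SSN_RE.search(v) or "@" in v)
               for v in record.values())
```

The guardrail is the part worth wiring into a pipeline: run it on every record before a data set leaves the production boundary, and fail the export rather than log a warning.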
Another potential interpretation of Connexin saying the data set was "offline" is that the server in question was not running, Moore says.
"This would imply that the attacker either gained physical access to the server or sufficient access to a management console to allow them to start and access the server."
Any offline copies of data should be encrypted, retained in a location monitored for access, and require authorization to "check out" the data from the archive, Bobst says.
"Tagging 'PHI - Customer X' provides a visual cue to support personnel and conversion analysts," he suggests. Also, data loss prevention technologies, which help detect PHI that is accessed or leaving the organization, are a critical control for PHI outside of an application, Bobst says.