#BHUSA: Lack of Electronic Medical Record Security Amplified Opioid Crisis

The opioid crisis in the US has had a devastating toll, impacting tens of thousands of families.

According to Mitchell Parker, CISO at Indiana University Health, a small part of the human suffering could potentially have been alleviated if there had been better control and security for Electronic Medical Record (EMR) systems. Parker presented his views during a session at the Black Hat USA 2020 virtual conference, where he outlined what has gone wrong with EMR systems and what can be done to make them more secure.

One of the drivers of the opioid crisis was the underhanded manipulation of an EMR system that is intended to assist physicians in prescribing medications. In January 2020, EMR vendor Practice Fusion was fined $145m by the US Department of Justice for receiving kickback cash payments from an opioid vendor to influence physician prescription activities. Practice Fusion provides a cloud-based EMR that is advertisement supported.

“People died and became addicted because of this manipulation and this subversive manipulation we’re talking about is a security issue,” Parker said.

How EMRs Work

Parker explained that an EMR is essentially a digital version of the paper charts found in a doctor’s office, including a patient’s medical treatment history. An EMR allows doctors to track data over time and the system can also be used to identify when preventive screenings and checkups are needed.

In the Practice Fusion case, opioid vendors were buying advertisements to influence ..