Forensic Analysis Reveals Data Leaks in HIPAA Compliant Software

KIVU Case Study October 2015

Adam C. Solander, a Member of the Firm in the Health Care and Life Sciences practice, in the firm’s Washington, DC, office, co-authored a case study, performed in conjunction with Kivu Consulting, titled “Forensic Analysis Reveals Data Leaks in HIPAA Compliant Software.”

Following is an excerpt:

Security requirements for all EMR-related patient files should be the same, whether stored within the EMR application or in an external location. The actual security controls, however, may differ. For example, access to files with patient lab results that reside on a Windows server outside the EMR application may be restricted through server-level access controls and BitLocker encryption. The EMR application may interact with these files when a medical professional is reviewing lab results, but the EMR software does not control file storage. In this scenario, file-level security may become the responsibility of IT/InfoSec staff and a point of potential security breakdown. Unless IT staff understand the respective security requirements for both the EMR application and its related externally stored files, it is highly probable that the externally stored files containing PII/PHI could be stored with minimal or no security.
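The scenario above puts the security of the externally stored lab-result files in the hands of the server administrators, so the practical check is whether the storage location really has the controls the EMR's requirements assume. The following PowerShell script is an added illustration, not part of the Kivu case study or of any EMR product: it verifies that the volume holding the files is BitLocker-protected and walks the folder tree flagging any access-control entry that grants broad groups (Everyone, Authenticated Users, Users, Domain Users) access to the files. The folder path, report path and the list of "broad" principals are assumptions to be adjusted for the environment.

```powershell
# Added example (not from the case study): audit the external storage location
# that holds EMR-related lab result files for missing file-level controls.
# Assumptions: $LabResultsPath and $ReportPath are placeholders; the BitLocker
# PowerShell module is installed on the server being audited.

param(
    [string]$LabResultsPath = 'D:\EMR\LabResults',                 # assumed location
    [string]$ReportPath     = "$env:TEMP\labresults-acl-audit.csv"  # assumed output
)

# Principals whose presence in an Allow ACE usually means "anyone can read PHI".
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)
# Also flag a "Domain Users" group regardless of which domain prefixes it.
$BroadPattern = '\\Domain Users$'

function Test-BroadAce {
    param([System.Security.AccessControl.FileSystemAccessRule]$Ace)
    # Only Allow entries widen access; Deny entries for broad groups are fine.
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $id = $Ace.IdentityReference.Value
    return ($BroadPrincipals -contains $id) -or ($id -match $BroadPattern)
}

# 1. Confirm the volume holding the files is BitLocker-protected.
$drive = [System.IO.Path]::GetPathRoot($LabResultsPath).TrimEnd('\')
$bde = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
if (-not $bde) {
    Write-Warning "BitLocker status for $drive could not be read (module missing or not a BitLocker volume)."
} elseif ($bde.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is $($bde.ProtectionStatus) on $drive (VolumeStatus: $($bde.VolumeStatus))."
} else {
    Write-Host "BitLocker protection is On for $drive."
}

# 2. Walk the folder tree (root folder included) and record every ACE that
#    grants a broad principal access. Inherited entries are reported too, since
#    a permissive share root silently exposes every file beneath it.
$items = @(Get-Item -LiteralPath $LabResultsPath) +
         @(Get-ChildItem -LiteralPath $LabResultsPath -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if (Test-BroadAce $ace) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights.ToString()
                Inherited = $ace.IsInherited
                Owner     = $acl.Owner
            }
        }
    }
}

# 3. Report. An empty result means no broad principal has file-level access;
#    it does not by itself prove that the remaining ACEs are least-privilege.
if ($findings) {
    $findings | Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Warning ("{0} broad-access entries found under {1}; details written to {2}" -f `
        @($findings).Count, $LabResultsPath, $ReportPath)
    $findings | Sort-Object Path | Format-Table Path, Principal, Rights, Inherited -AutoSize
} else {
    Write-Host "No broad-access entries found under $LabResultsPath."
}
```

Run it in an elevated session on the file server (`.\Audit-LabResultsAcl.ps1 -LabResultsPath 'E:\Shares\LabResults'`); the CSV gives the InfoSec team a concrete list of entries to compare against the access rules the EMR application enforces internally. The script reads only ACLs and BitLocker status and changes nothing.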