Modifying Without a Trace: General Audit Guidelines are Inadequate for Electronic Health Record Audit Mechanisms

Posted on Updated on

J. King, B. Smith, L. Williams, “Modifying Without a Trace: General Audit Guidelines are Inadequate for Electronic Health Record Audit Mechanisms”, Proceedings of the International Health Informatics Symposium (IHI 2012), to appear, 2012.


Without adequate audit mechanisms, electronic health record (EHR) systems remain vulnerable to undetected misuse. Users could modify or delete protected health information without these actions being traceable. The objective of this paper is to assess electronic health record audit mechanisms to determine the current degree of auditing for non-repudiation and to assess whether general audit guidelines adequately address non-repudiation. We derived 16 general auditable event types that affect non-repudiation based upon four publications. We qualitatively assess three open-source EHR systems to determine if the systems log these 16 event types. We find that the systems log an average of 12.5% of these event types. We also generated 58 black-box test cases based on specific auditable events derived from Certification Commission for Health Information Technology criteria. We find that only 4.02% of these tests pass. Additionally, 20% of tests fail in all three EHR systems. As a result, actions including the modification of patient demographics and assignment of user privileges can be executed without a trace of the user performing the action. The ambiguous nature of general auditable events may explain the inadequacy of auditing for non-repudiation. EHR system developers should focus on specific auditable events for managing protected health information instead of general events derived from guidelines.

Towards Improved Security Criteria for Certification of Electronic Health Record Systems

Posted on Updated on

A. Austin, B. Smith, and L. Williams, “Towards Improved Security Criteria for Certification of Electronic Health Record Systems“. Proceedings of the Second Workshop on Software Engineering in Healthcare (SEHC), Cape Town, South Africa, 2010.

The Certification Commission for Health Information Technology (CCHIT) is an electronic health record certification organization in the United States. In 2009, CCHIT’s comprehensive criteria were augmented with security criteria that define additional functional security requirements. The goal of this research is to illustrate the importance of requiring misuse cases in certification standards, such as CCHIT, by demonstrating the implementation bugs in an open source healthcare IT application. We performed an initial evaluation of an open source electronic health record system, OpenEMR, using an automated static analysis tool and a penetration-testing tool. We were able to discover implementation bugs latent in the application, ranging from cross-site scripting to insecure cryptographic algorithms. Our findings stress the importance that certification security criteria should focus on implementation bugs as well as design flaws. Based upon our findings, we recommend that CCHIT be augmented with a set of misuse cases that check for specific threats against EMR systems and thereby improve one aspect of the certification process.