EMR Security Problem

On EMR Update a user posted an interesting security problem with their EMR software:

I was on our user’s forum reading about a security flaw in our EMR. There were some discussions about the ability to circumnavigate prescription privileges and have your staff write themselves narcotics. We couldn’t figure out if anyone had done anything like this in our office, so I had our IT guy spend some time in the system. He was able to determine that one of our staff members had in fact been printing out an old script that had been written in the past and manually faxing it to pharmacies around town. The problem with the software is that it lets you print out a script from a locked note, and it prints out with the present date so it can be filled!

Has anyone else had staff in their EMR get away with writing bogus prescriptions? If you don’t know, you may want to check your system. Obviously this is an intolerable situation. We are hoping our vendor will take this seriously for once and get it fixed quickly. Otherwise, we will be forced to look elsewhere for a replacement EMR that doesn’t have this issue.

I love this story, because it highlights a number of interesting things.

1. The challenge of creating a secure, usable, and effective EMR. It’s NOT easy.

2. How responsive will your EMR vendor be to end user requests?

3. What would it take for you to switch EMR software? Can you imagine?

About the author

John Lynn

John Lynn

John Lynn is the Founder of the HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • We had this problem early on. We fixed it by by providing a “reprint script” (and refax, resubmit, etc) security level for every user in the EMR. All reprinted scripts end up on a report along with the user.

  • Hi John,

    Great post. I wonder why this problem even exists in EMRs? Why is a non physician even ABLE to access prescriptions modules in the system? Perhaps the above mentioned system doesn’t have permissions based security standards? In WebDMEMR, the center / office administrators assigns appropriate permissions for each system user. Permissions include: Deny, Read Only, Contributor and Full Access. These can be customized for each module / section of the EMR. In which case, non physician users wouldn’t even be able to access the prescription orders at the choosing of the administrator. Another issue, is that the current date appears on the order when it is printed, this is unacceptable, the date should be established within the prescription order, once it is closed or “locked” it should, in no way, be altered.

  • A friend of mine, a nursing student, took a picture of a classmate performing CPR during a code. Was careful not to get the patient in it or anyone else. Showed it to the friend, then deleted it. Does this violate HIPAA?

  • Monica,
    You’ll have to consult a lawyer for legal advice. I’m not a lawyer so anything I can say is NOT legal advice. Plus, every state has its own rules too.

    I don’t see how you could take a picture of someone doing CPR and not have the patient in the picture. Seems like you’d have at least the chest. My understanding is that any picture taken of a patient needs consent.

  • John:

    This is one example that shows how a new technology can cause new problems. More importantly, it illustrates the crude state of current EMR technology.

    I’ve been thinking of writing something about information security and EMRs because no one really seems to focus on that. But I guess this would be a good starting point.

    Let’s evaluate the situation described by the original post. That vendor probably provided the “reprint” function to expedite the prescription refill process. Not necessary a bad thing in itself. But someone with a bad intent was able to take advantage of it.

    There is another problem here too: shouldn’t a faxed document require some form of signature by the provider to illustrate authorization? It should. The obvious way to do it is manual. But there are “digital signatures” and certificates available for this very purpose. These are already used by software in other verticals but I have never seen them in any EMR. Only goes to show how immature the current EMR technology is and how most vendors are not seriously thinking about flaws in software.

    As far as Lourdes comment is concerned, I have a couple of observations. One, you do need to provide non physicians with access to prescription records. Otherwise, your practitioner would be busy receiving refill requests over the phone. Two, as far as rights in your software are concerned, these can be easily by-passed 99% of the time. What if the Administrator decided to write himself a prescription of some narcotic? How would you prevent that. Sure, your audit report will show the incident but that’s like after the fact. Administrator can probably also create a user account with same privileges as a doctor, or hack the doctor’s credentials, create a fake patient account and happily write away prescriptions of marijuana for himself.

    Same thing for Nate: security levels can be bypassed.

    I guess it is a good thing that hackers haven’t started targeting web-facing EMR software. If they did, I’m sure they will get huge benefits out of it because most EMR vendors are the least concerned with information security and offer only the very basic protection like rights management.

    I’m sure if someone hacks the database of a center that tests or treats HIV patients, they will be able to at least blackmail the center or even the vendor. What would your rights management do to an external attacker that gains Administrator level access with a SQL injection or some other technique?!

  • Jawad,
    We actually use the digital signatures that you talk about in our EMR. Although, we use it to capture the patients signature. It works really well.

Click here to post a comment