A report from DataBreaches.net and Protenus found the U.S. health care industry, on average, experienced one data breach per day in 2016. Such incidents compromised approximately 27.3 million patient records.
Unfortunately, these statistics aren’t surprising given how quickly care providers have implemented electronic health record systems to comply with the Affordable Care Act. EHR adoption rates rose 74.4 percent between 2008 and 2015, according to the Office of the National Coordinator for Health Information Technology. Along the way, vulnerabilities likely fell through the cracks. To address those bugs, care providers and others need to institute strong patch management processes, especially given the value EHRs present to hackers.
“Sysadmins can’t patch software if developers don’t create patches in the first place.”
Security researchers, system administrators and other IT professionals are invaluable resources for software companies because they alert developers to bugs that may have slipped past QA during testing. Some vulnerabilities may not even be bugs – just functions that indirectly allow hackers to access sensitive data.
However, if no vulnerability reporting mechanisms are in place, it’s difficult for those using the software to inform developers of pressing issues. According to Joshua Mandel, health IT ecosystem lead at Verily, this is a common problem among EHR vendors.
In an article for SMART Health IT, Mandel wrote that he tried to inform HL7 of a vulnerability he found in a piece of code written by the international health standards organization. Many health IT product developers incorporated this code into their products. When he reached out to HL7, he struggled to find any developers who might have worked on the code.
Mandel then tried reaching out to the EHR vendors by:
Most health care organizations are actually well positioned to apply DevOps practices to their patch management policies. This is because many IT teams acquire developer-esque knowledge of the EHR systems they manage. Some hospitals even have developers specializing in particular EHR solutions, enabling those institutions to customize the technology.
For example, Healthcare IT News found 60 percent of hospital executives said they plan to launch internal EHR interoperability development projects. Another 55 percent said those development projects will focus on improving EHR workflow. This indicates quite a few hospitals have established developer resources.
But how could DevOps fit into the patch management process? Here’s how it could work:
This system could actually address the vulnerability reporting deficiencies Mandel noted. Of course, the process has its challenges, one of them being that some vulnerabilities may exist in the vendor’s source code rather than in anything the hospital can configure itself. For some institutions, this may not be a problem if the EHR vendors grant license holders access to the code. At the same time, fixing such issues may require a level of expertise in-house developers may not possess, which obligates care providers to fund developer training.
In addition, there’s no guarantee vendors will take an open source-esque approach to EHR development. After all, these are proprietary systems we’re talking about.
One encouraging factor is that EHR vendors have the incentive to improve their security vulnerability reporting programs. As attacks against care providers increase, companies will face pressure to institute more robust communication with end-users.