D.C. hospital finds major e-prescribing security hole

It apparently took an intrepid reporter at Wired to alert Georgetown Hospital to its own EHR security problem. Georgetown University Hospital suspended a trial program with an electronic prescription-writing firm recently after a computer consultant stumbled upon an online cache of data belonging to thousands of patients. The leaked information included patients' names, addresses, Social Security numbers and dates of birth, though not medical data or the drugs the patients were prescribed, says a hospital spokeswoman.

The hospital had securely transmitted the patient data to e-prescription provider InstantDx. But an Indiana-based consultant accidentally discovered the data on InstantDx's computers while working to install medical software for a client.

The consultant responsible for the discovery, Goshen, IN-based Randall Perry, says bad security practices contributed heavily to the incident. Perry says he accessed the data using a password he discovered hard-coded into a popular medical practice application, where any moderately skilled user could retrieve it. "This is just security through obscurity," says Perry. "My home network is probably 10 times more secure than what they have set up over there."

Called Medisoft, the application is an all-in-one medical office suite marketed to small practices, and capable of handling everything from patient appointments to sending out bills. According to the product website, Medisoft is used by 70,000 health care practitioners worldwide.

For more on the trouble at Georgetown:
- see the Wired article