HIPAA compliance/security negligence?

Korey Mendes

Hello,

My company recently took on a Physical Therapy client that uses one of the major hosted EMR providers (a pretty big name in the field) that is focused on Physical Therapy to manage their medical records and billing.

The gateway to the hosted EMR is being conducted by Citrix Receiver. During a security audit of the client's systems, we found out a few concerning things about the hosted EMR's architecture. It seems that any user of the EMR platform can access a number of areas in the system that would normally be off limits to the average user, which I'm guessing isn't limited to just my client but rather every company that uses this hosted EMR provider.

Here's a list of areas that I can reach while logged into the EMR system as my client's receptionist user:

- Hosted Windows Server 2003 server being used as one of the many environment controllers, which went End of Life in July 2015
- Hosted Windows Server 2003 configuration settings
- Hosted Windows Server 2003 firewall is turned off
- Hosted Windows Server 2003 file system, including Windows folder with read/write access
- Hosted Windows Server 2003 add/remove programs
- Hosted Windows Server 2003 printer list (showing printers from other clients of the hosted EMR provider)
- Hosted Windows Server 2003 security updates have not been installed since July 2015
- Command prompt is able to run numerous commands to reveal open ports, nearby systems, ISP information, and hosted EMR's domain controller information
- Hosted EMR's office domain directory
- Hosted EMR's test workgroup directory
- Hosted EMR's client-facing hosted server farm directory
- Brocade gateway login screen
- Able to remote desktop to the Hosted EMR's domain controller login screen

When I brought this up to the hosted EMR provider, here is what they sent me as a response:

"Windows Server 2003 does not handle anything in regards to security of Systems4PT. Server 2003 runs simply as a controller for the program. The information stored in the clinic database is saved in a secure HIPAA compliant environment. The security and firewalls that protect the clinics data are setup and ran outside of the Server 2003 environment."

The EMR provider gave no indication that they would be pursuing any steps to reconcile the issues that I brought up to them. My client has a signed Business Associate Agreement with the EMR provider that clearly states the EMR provider's systems are within HIPAA compliance, but here are my questions on the matter:

1) Even though the EoL Win2003 servers aren't hosting any medical records, do any of these facts fall under HIPAA compliance issues?
   a) They exist on the EMR provider's network as internet-facing servers.
   b) They can interact with the provider's office domain.
   c) They have not been updated since July 2015.
   d) Customers of the EMR provider can see information about one another, such as each other's printers.

2) Even if the EoL Win2003 servers do not host any medical records, does it fall under HIPAA compliance issues when any customer who uses the EMR platform can easily access parts of the network that they're not supposed to?

Just looking for some insight here if the EMR provider's response was adequate for this scenario, or if I should be pushing the subject further with them on the client's behalf.

Thanks in advance for any help on this!
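The findings listed in the post (unsupported OS, firewall off, no updates since July 2015, command prompt available, writable Windows folder) are all things an operator of a published-app or terminal server can verify on their own host. The following PowerShell script is an added example, not code from the original post or from the EMR provider; it is meant to be run inside an ordinary (non-admin) user's session on the host being reviewed, so the per-user policy check reflects what that user actually gets. It assumes Windows Server 2008 R2 or later with PowerShell 3.0 and the NetSecurity module; the Server 2003 host described in the post would need `netsh firewall show state` in place of `Get-NetFirewallProfile`. The 90-day patch threshold is an arbitrary choice for illustration.

```powershell
# Added example (not from the original post). Run as the ordinary published-app
# user on the host under review. Assumes PowerShell 3.0+ and the NetSecurity
# module (Server 2008 R2 / 2012 or later).

$findings = @()

# 1. Operating system: Windows Server 2003 reports kernel version 5.2 and
#    reached End of Life in July 2015 (the date cited in the post).
$os = Get-CimInstance Win32_OperatingSystem
if ($os.Version -like '5.2.*') {
    $findings += "Unsupported OS (EoL July 2015): $($os.Caption)"
}

# 2. Patch currency: date of the most recently installed update.
#    (90 days is an illustrative threshold, not a HIPAA-defined value.)
$latest = Get-HotFix | Where-Object InstalledOn |
          Sort-Object InstalledOn | Select-Object -Last 1
if (-not $latest -or $latest.InstalledOn -lt (Get-Date).AddDays(-90)) {
    $when = if ($latest) { $latest.InstalledOn.ToShortDateString() } else { 'never' }
    $findings += "No update installed in the last 90 days (last: $when)"
}

# 3. Host firewall state for every profile.
#    On Server 2003 use 'netsh firewall show state' instead.
foreach ($profile in Get-NetFirewallProfile) {
    if (-not $profile.Enabled) {
        $findings += "Firewall disabled for profile '$($profile.Name)'"
    }
}

# 4. Session lockdown: is the command prompt disabled for this user by policy?
#    Policy value DisableCMD under HKCU\Software\Policies\Microsoft\Windows\System
#    (1 = disabled, 2 = disabled but batch files allowed, 0/absent = allowed).
$cmdPolicy = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\System' `
                              -Name DisableCMD -ErrorAction SilentlyContinue
if (-not $cmdPolicy -or $cmdPolicy.DisableCMD -eq 0) {
    $findings += 'Command prompt is not disabled by policy for this user'
}

# 5. File system: does a broad group hold write access to the Windows folder?
$acl  = Get-Acl -Path $env:SystemRoot
$weak = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
    $_.FileSystemRights  -match 'Write|Modify|FullControl'
}
if ($weak) {
    $who = ($weak.IdentityReference | Select-Object -Unique) -join ', '
    $findings += "Write access to $env:SystemRoot granted to: $who"
}

# Report
if ($findings) {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
} else {
    Write-Output 'No findings: OS supported, patched, firewall on, session locked down.'
}
```

Each block maps to one item in the post's list, so a clean run is a quick way for a hosting provider (or a customer doing due diligence with the provider's consent) to show that the conditions described above do not apply to their environment; any line printed as FINDING is a configuration gap to raise with whoever operates the host, independently of where the clinical database itself lives.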
 
Ouch. That's a big sea of red flags - possibly for you as well ("Hey! He was hacking our systems!").

As far as the EMR provider, I'd recommend to your client that they investigate other hosted EMR options, particularly ones that might have migration support from the current one since data migration is the biggest headache once you've been on a system for a while. Having things running through a badly-secured Windows Server 2003 system basically knocks out all their other security even if the data is indeed stored more securely (which I'd question). If someone has this level of access to the 2003 server, anything passing through it would need to be considered suspect.

In addition, if the vendor has let these systems fall that far behind, what else have they let slide? If the problem is resources/cash (e.g. for terminal services licenses, Citrix licenses, etc.) are they paying for backup? Software updates? Hardware maintenance/replacement?

One thing to find out from your client is how much they're paying per month for this - a lot of EMRs are priced per-provider and anywhere from $400-1000/month per provider; if they're in that price range then a different system should be within reach. If they're paying substantially less than that it may help explain why the vendor's systems are so outdated.