The Dark Side of the Cloud - How a Lack of EMR Security Controls Helped Amplify the Opioid Crisis

Thursday, August 6, 2020 8:30 PM to 9:10 PM
Briefings

Information

The opioid crisis has caused mass addiction to prescription painkillers. Tens of thousands have died from this. Families have been broken apart. Children have been born addicted. It has stretched the social support network we have to its breaking point.

A major reason for this was the manipulation of a popular Electronic Health Records (EHR) system, Practice Fusion, on behalf of a pharmaceutical company. The US Department of Justice singled out the marketing department of an opioid manufacturer for paying approximately $1M to change a decision support tool used by physicians, a Clinical Decision Support alert, to recommend their opioid products as part of treatment plans. This led to the unnecessary prescription of opioids to tens of thousands of patients and helped fuel a major crisis.

The Electronic Health Record system utilized is targeted at smaller physician practices that do not have the resources of larger health systems to examine Clinical Decision Support alerts. In this case, Practice Fusion was utilized by over 100,000 small to medium-sized medical practices.

Most medical practices, according to the American Medical Association, have 10 or fewer physicians. Approximately one third of hospitals, according to the American Hospital Association, have negative operating budgets and lose money. These are organizations that care about keeping the lights on.

However, the HITECH Act and associated incentive programs have encouraged medical providers to get on board with Electronic Medical Records.

This presentation will show evidence of how the Opioid Crisis exposed an operational security weakness in EHR systems, and why just patching those alerts doesn't address it. We will also discuss how to address it as part of a larger operational framework in partnership with larger health systems. With the current lack of support for smaller practices, we expect this attack type to keep occurring unless resolved.

Primary Track: Community
Secondary Track: Applied Security