Your Software Vendor: A 'Backdoor' Into Your Surgery Center's IT Systems?

Frequently when we do a HIPAA Security audit for an ambulatory surgery center, we find active system administrator accounts have been set up for their practice management or EMR/EHR software vendor. The software vendor legitimately requires administrative access to set up the system initially, and may also need it to perform periodic system updates and software patches. However, they should not be allowed to maintain this level of access all the time.

System administrator access (also sometimes called "root access") typically allows the following:

1. The ability to add, delete or modify other users. This includes the ability to create other system administrator accounts, including "back-door" accounts.
2. The ability to modify any settings, including permissions and security levels for any and all other users.
3. The ability to edit, delete, copy and/or download any and all files — or even entire directories — anywhere within the system. This is not just limited to EPHI (electronic protected health information); it includes all the financial documents and corporate paperwork of the ASC.
4. The ability to install any software pretty much anywhere on the system — software that theoretically has no connection whatsoever to the PM/EMR/EHR systems.
5. The ability to literally "wipe out" the entire system, either accidentally or intentionally.

In a large corporate IT department, there is typically a clear division between the software and the system administration sides of the house. There are explicit procedures that govern the circumstances under which the software team can access the main IT system(s) and make changes. They are typically not allowed root system access, and if they are allowed such access, it is allowed only during specific maintenance windows. The access is granted temporarily, and then the door is closed again.

Software vendors typically request — and are frequently granted without question — root access to ASC's computer systems. This makes it so the software company's employees can log in at any time and make changes. That's convenient for them, but very risky for the ASC for several reasons:

1. Most software companies use the same — or similar — user names and passwords for all their clients and installations. That means that pretty much all employees, contractors and/or partners of the software company, not to mention ex-employees of those entities, probably can gain admin access to your system.
2. The software vendors typically access the system and do maintenance overnight, and frequently without any advance notification. Although there is no reason to suspect your software vendor would cause you intentional harm, human error and even regular software updates could lead to a nasty surprise on a morning when you have a lot of patients to see in your ASC and you discover that your system doesn't work properly — or at all — and it takes you a couple hours to address the effects of an overnight software update.

If your software vendor requires system access, set up a separate account for them, and turn access on or off only upon request. If require administrator-level access is requested, make sure you set up a separate account rather than providing your main system administrator account, and then monitor/control access using that account even more carefully. Make sure it does not have ongoing 24/7 access. Sections 164.308(a)(2) and 164.310(a)(1) of the HIPAA Security Rule require you, as the ASC (and not your software vendor) to manage, monitor and track all system access and changes, and to control who has access to what EPHI. If you allow your software vendor unlimited root access, there is no way you can be compliant with that part of the HIPAA Security Rule.

Does your software vendor have root access to your systems? You need to check. You also need to do an audit and maintain a list of all user accounts, and develop a procedure for tightly controlling any accounts with system administrator rights.

Marion K. Jenkins, PhD, FHIMSS, is founder and CEO of QSE Technologies, which provides IT consulting and implementation services for ASCs and other medical facilities nationwide. Learn more about QSE Technologies at www.qsetech.com.

Read more from Marion Jenkins:

- Zero-Day Exploits — Significant Threat to Your Surgery Center's Data

- WikiLeaks Episode Underscores Risk of Portable Media in Surgery Centers

- Voice Recognition Software: Is It NaturallySpeaking?