Steve G Langer

DOI: https://doi.org/10.1007/s10278-016-9913-x

Abstract:In 1999-2003, SIIM (then SCAR) sponsored the creation of several special topic Primers, one of which was concerned with computer security. About the same time, a multi-society collaboration authored an ACR Guideline with a similar plot; the latter has recently been updated. The motivation for these efforts was the launch of Health Information Portability and Accountability Act (HIPAA). That legislation directed care providers to enable the portability of patient medical records across authorized medical centers, while simultaneously protecting patient confidentiality among unauthorized agents. These policy requirements resulted in the creation of numerous technical solutions which the above documents described. While the mathematical concepts and algorithms in those papers are as valid today as they were then, recent increases in the complexity of computer criminal applications (and defensive countermeasures) and the pervasiveness of Internet connected devices have raised the bar. This work examines how a medical center can adapt to these evolving threats.

Raul Luna,Emily Rhine,Matthew Myhra,Ross Sullivan,Clemens Scott Kruse

DOI: https://doi.org/10.3233/THC-151102

Abstract:Background: Recent legislation empowering providers to embrace the electronic exchange of health information leaves the healthcare industry increasingly vulnerable to cybercrime. The objective of this systematic review is to identify the biggest threats to healthcare via cybercrime. Objective: The rationale behind this systematic review is to provide a framework for future research by identifying themes and trends of cybercrime in the healthcare industry. Methods: The authors conducted a systematic search through the CINAHL, Academic Search Complete, PubMed, and ScienceDirect databases to gather literature relative to cyber threats in healthcare. All authors reviewed the articles collected and excluded literature that did not focus on the objective. Results: Researchers selected and examined 19 articles for common themes. The most prevalent cyber-criminal activity in healthcare is identity theft through data breach. Other concepts identified are internal threats, external threats, cyber-squatting, and cyberterrorism. Conclusions: The industry has now come to rely heavily on digital technologies, which increase risks such as denial of service and data breaches. Current healthcare cyber-security systems do not rival the capabilities of cyber criminals. Security of information is a costly resource and therefore many HCOs may hesitate to invest what is required to protect sensitive information.

Clemens Scott Kruse,Benjamin Frederick,Taylor Jacobson,D Kyle Monticone

DOI: https://doi.org/10.3233/THC-161263

Abstract:Background: The adoption of healthcare technology is arduous, and it requires planning and implementation time. Healthcare organizations are vulnerable to modern trends and threats because it has not kept up with threats. Objective: The objective of this systematic review is to identify cybersecurity trends, including ransomware, and identify possible solutions by querying academic literature. Methods: The reviewers conducted three separate searches through the CINAHL and PubMed (MEDLINE) and the Nursing and Allied Health Source via ProQuest databases. Using key words with Boolean operators, database filters, and hand screening, we identified 31 articles that met the objective of the review. Results: The analysis of 31 articles showed the healthcare industry lags behind in security. Like other industries, healthcare should clearly define cybersecurity duties, establish clear procedures for upgrading software and handling a data breach, use VLANs and deauthentication and cloud-based computing, and to train their users not to open suspicious code. Conclusions: The healthcare industry is a prime target for medical information theft as it lags behind other leading industries in securing vital data. It is imperative that time and funding is invested in maintaining and ensuring the protection of healthcare technology and the confidentially of patient information from unauthorized access.

Cartwright, Anthony James

DOI: https://doi.org/10.1007/s10877-023-01013-5

IF: 1.977

2023-04-24

Journal of Clinical Monitoring and Computing

Abstract:Cybersecurity has seen an increasing frequency and impact of cyberattacks and exposure of Protected Health Information (PHI). The uptake of an Electronic Medical Record (EMR), the exponential adoption of Internet of Things (IoT) devices, and the impact of the COVID-19 pandemic has increased the threat surface presented for cyberattack by the healthcare sector. Within healthcare generally and, more specifically, within anaesthesia and Intensive Care, there has been an explosion in wired and wireless devices used daily in the care of almost every patient—the Internet of Medical Things (IoMT); ventilators, anaesthetic machines, infusion pumps, pacing devices, organ support and a plethora of monitoring modalities. All of these devices, once connected to a hospital network, present another opportunity for a malevolent party to access the hospital systems, either to gain PHI for financial, political or other gain or to attack the systems directly to cause erroneous monitoring, altered settings of any device and even to access the EMR via this IoMT window. This exponential increase in the IoMT and the increasing wireless connectivity of anaesthesia and ICU devices as well as implantable devices presents a real and present danger to patient safety. There has, at the same time, been a chronic underfunding of cybersecurity in healthcare. This lack of cybersecurity investment has left the sector exposed, and with the monetisation of PHI, the introduction of technically unsecure IoT devices for monitoring and direct patient care, the healthcare sector is presenting itself for further devastating cyberattacks or breaches of PHI. Coupled with the immense strain that the COVID-19 pandemic has placed on healthcare and the changes in working patterns of many caregivers, this has further amplified the exposure of the sector to cyberattacks.

anesthesiology

Megha M. Moncy,Sadia Afreen,Saptarshi Purkayastha

2023-11-07

Abstract:This research examines the pivotal role of human behavior in the realm of healthcare data management, situated at the confluence of technological advancements and human conduct. An in-depth analysis of security breaches in the United States from 2009 to the present elucidates the dominance of human-induced security breaches. While technological weak points are certainly a concern, our study highlights that a significant proportion of breaches are precipitated by human errors and practices, thus pinpointing a conspicuous deficiency in training, awareness, and organizational architecture. In spite of stringent federal mandates, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, breaches persist, emphasizing the indispensable role of human factors within this domain. Such oversights not only jeopardize patient data confidentiality but also undermine the foundational trust inherent in the healthcare infrastructure. By probing the socio-technical facets of healthcare security infringements, this article advocates for an integrated, dynamic, and holistic approach to healthcare data security. The findings underscore the imperative of augmenting technological defenses while concurrently elevating human conduct and institutional ethos, thereby cultivating a robust and impervious healthcare data management environment.

Computers and Society,Cryptography and Security

Rajesh Keshavrao Deshmukh,Mohit Shrivastav

DOI: https://doi.org/10.70135/seejph.vi.769

2024-09-02

Abstract:India and other Asian nations are seeing an unparalleled pace of advancement in the modernisation of their healthcare systems. In this endeavour, information technology is crucial. Though the healthcare industry has made great progress, information security is still lagging behind the protection requirements attained in technologically developed nations such as the United States and the United Kingdom. This study is an honest attempt to pinpoint vulnerabilities and dangers in the field of cybersecurity and offers a few targeted remedies in three main domains: risks, vulnerabilities, and IoMT. Using a qualitative research methodology, this research culminates in the creation of a security maturity model for Indian healthcare. Furthermore, in light of these attacks, the well-known National Institute of Standards and Technology (NIST) risk assessment system and its guiding principles are examined. Evaluating the risks intrinsic to these hacks analytically becomes crucial given the comparatively low information risk management maturity levels in Asian healthcare organisations. While several nations in Asia and throughout the world are battling the COVID-19 outbreak, cybercriminals have been attempting to spread misinformation about vaccines. Additionally, some people and organisations are attempting to undermine specific vaccines in order to promote their COVID-19 treatments. Hacking research data, virus testing, and clinical studies that reveal side effects or possible issues are of particular interest to profit-seeking businesses. The secure methodology for identifying network attacks is suggested by this study.

Mark Sujan

DOI: https://doi.org/10.14236/jhi.v25i1.952

2018-03-15

Abstract:Health information technology (IT) offers exciting opportunities for providing novel services to patients, and for improving the quality and safety of care. However, the introduction of IT can lead to unintended consequences, and create opportunities for failure, which can have significant effects on patient safety. In this paper I argue that many health IT patient safety risks are probably quite predictable, but are often not considered at the time. This puts patients at risk, and it threatens the successful adoption of health IT. I recommend that healthcare providers focus on strengthening their processes for organisational learning, promote proactive risk management strategies, and make risk management decisions transparent and explicit.

Jeff Collmann,Johnathan Coleman,Kristen Sostrom,Willie Wright

DOI: https://doi.org/10.1089/tmj.2004.10.311

Abstract:Organizations must continuously seek safety. When considering computerized health information systems, "safety" includes protecting the integrity, confidentiality, and availability of information assets such as patient information, key components of the technical information system, and critical personnel. "High Reliability Theory" (HRT) argues that organizations with strong leadership support, continuous training, redundant safety mechanisms, and "cultures of high reliability" can deploy and safely manage complex, risky technologies such as nuclear weapons systems or computerized health information systems. In preparation for the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Office of the Assistant Secretary of Defense (Health Affairs), the Offices of the Surgeons General of the United States Army, Navy and Air Force, and the Telemedicine and Advanced Technology Research Center (TATRC), US Army Medical Research and Materiel Command sponsored organizational, doctrinal, and technical projects that individually and collectively promote conditions for a "culture of information assurance." These efforts include sponsoring the "P3 Working Group" (P3WG), an interdisciplinary, tri-service taskforce that reviewed all relevant Department of Defense (DoD), Miliary Health System (MHS), Army, Navy and Air Force policies for compliance with the HIPAA medical privacy and data security regulations; supporting development, training, and deployment of OCTAVE(sm), a self-directed information security risk assessment process; and sponsoring development of the Risk Information Management Resource (RIMR), a Web-enabled enterprise portal about health information assurance.

Joseph E Chasteen,Gretchen Murphy,Arden Forrey,David Heid

2004-08-15

Abstract:This article reviews the issues related to the Health Insurance Portability & Accountability Act (HIPAA) security rule that apply to dental practice. The security rule specifically addresses individually identifiable health information that is transmitted or maintained in electronic media. System security must be applied to the entire technical infrastructure for the practice environment as well as to the work culture on a daily basis and must be thought of as an enterprise asset. Security refers to all of the policies, procedures, tools, and techniques used to assure that privacy and confidentiality are adequately addressed in a healthcare system. HIPAA requires all covered entities that transmit or maintain electronic health information perform, and document, a risk assessment for security and develop a security plan to address major areas of concern. A self-assessment tool is provided in this article.

Stephen J Tipton,Sara Forkey,Young B Choi

DOI: https://doi.org/10.1007/s10916-016-0465-x

Abstract:This paper examines various methods encompassing the authentication of users in accessing Electronic Medical Records (EMRs). From a methodological perspective, multiple authentication methods have been researched from both a desktop and mobile accessibility perspective. Each method is investigated at a high level, along with comparative analyses, as well as real world examples. The projected outcome of this examination is a better understanding of the sophistication required in protecting the vital privacy constraints of an individual's Protected Health Information (PHI). In understanding the implications of protecting healthcare data in today's technological world, the scope of this paper is to grasp an overview of confidentiality as it pertains to information security. In addressing this topic, a high level overview of the three goals of information security are examined; in particular, the goal of confidentiality is the primary focus. Expanding upon the goal of confidentiality, healthcare accessibility legal aspects are considered, with a focus upon the Health Insurance Portability and Accountability Act of 1996 (HIPAA). With the primary focus of this examination being access to EMRs, the paper will consider two types of accessibility of concern: access from a physician, or group of physicians; and access from an individual patient.

Jahnavi Reddy,Nelly Elsayed,Zag ElSayed,Murat Ozer

DOI: https://doi.org/10.48550/arXiv.2111.00582

2022-08-31

Abstract:Providing security to Health Information is considered to be the topmost priority when compared to any other field. After the digitalization of the patient's records in the medical field, the healthcare/medical field has become a victim of several internal and external cyberattacks. Data breaches in the healthcare industry have been increasing rapidly. Despite having security standards such as HIPAA (Health Insurance Portability and Accountability Act), data breaches still happen on a daily basis. All various types of data breaches have the same harmful impact on healthcare data, especially on patients' privacy. The main objective of this paper is to analyze why healthcare data breaches occur and what is the impact of these breaches. The paper also presents the possible improvements that can be made in the current standards, such as HIPAA, to increase security in the healthcare field.

Cryptography and Security

Israel Cole,Liswani Sibamba,Abdi Hilowle,Jaye Jallow

DOI: https://doi.org/10.48550/arXiv.1712.04560

2017-12-13

Abstract:Information security and privacy in the healthcare sector is an issue of growing importance. The adoption of digital patient records, increased regulation, provider consolidation and the increasing need for information exchange between patients, providers and payers, all point towards the need for better information security. We critically survey the literature on information security and privacy in healthcare, published in information systems journals as well as many other related disciplines including health informatics, public health, law, medicine, and the trade press and industry reports

Cryptography and Security

Mitchell G. Goldenberg,Teodor P. Grantcharov

DOI: https://doi.org/10.1007/978-3-319-61446-5_17

2018-01-01

Health Informatics

Abstract:Patient confidentiality has remained a central issue in the current “big data” era of healthcare. Protections such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) exist to ensure that digital personal health information (PHI) are legally secure from threats and breaches that would threaten confidentiality. To be compliant with HIPAA regulations, steps must be taken by health care providers and digital health platforms, and these fall under the Privacy Rule, which outlines appropriate uses and disclosures of PHI, and the Security Rule, which lays out with granularity the steps that must be taken to adhere to the HIPAA regulations. Through deliberate design of secure digital health platforms, we can use technological advances in the collection, measurement, and delivery of health care to advance care and improve patient safety. Renewed efforts to optimize and standardize health care delivery has facilitated the implementation of electronic and digital health solutions that benefit medical and surgical training and efficiency while minimizing harm to patients. Cross-industry innovations such as the OR Black Box® will allow us to accomplish these lofty goals. Finally, we must strive to include patients in this digital health movement, as now more than ever we can create knowledge translation solutions that ensure that patients understand their health in a meaningful way.

Pius Ewoh,Tero Vartiainen

DOI: https://doi.org/10.2196/46904

2024-05-31

Abstract:Background: Health care organizations worldwide are faced with an increasing number of cyberattacks and threats to their critical infrastructure. These cyberattacks cause significant data breaches in digital health information systems, which threaten patient safety and privacy. Objective: From a sociotechnical perspective, this paper explores why digital health care systems are vulnerable to cyberattacks and provides sociotechnical solutions through a systematic literature review (SLR). Methods: An SLR using the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) was conducted by searching 6 databases (PubMed, Web of Science, ScienceDirect, Scopus, Institute of Electrical and Electronics Engineers, and Springer) and a journal (Management Information Systems Quarterly) for articles published between 2012 and 2022 and indexed using the following keywords: "(cybersecurity OR cybercrime OR ransomware) AND (healthcare) OR (cybersecurity in healthcare)." Reports, review articles, and industry white papers that focused on cybersecurity and health care challenges and solutions were included. Only articles published in English were selected for the review. Results: In total, 5 themes were identified: human error, lack of investment, complex network-connected end-point devices, old legacy systems, and technology advancement (digitalization). We also found that knowledge applications for solving vulnerabilities in health care systems between 2012 to 2022 were inconsistent. Conclusions: This SLR provides a clear understanding of why health care systems are vulnerable to cyberattacks and proposes interventions from a new sociotechnical perspective. These solutions can serve as a guide for health care organizations in their efforts to prevent breaches and address vulnerabilities. To bridge the gap, we recommend that health care organizations, in partnership with educational institutions, develop and implement a cybersecurity curriculum for health care and intelligence information sharing through collaborations; training; awareness campaigns; and knowledge application areas such as secure design processes, phase-out of legacy systems, and improved investment. Additional studies are needed to create a sociotechnical framework that will support cybersecurity in health care systems and connect technology, people, and processes in an integrated manner.

Chukwuka Elendu,Eunice K. Omeludike,Praise O. Oloyede,Babajide T. Obidigbo,Janet C. Omeludike

DOI: https://doi.org/10.1097/md.0000000000039887

IF: 1.6

2024-09-29

Medicine

Abstract:In recent years, integrating digital technologies in healthcare has revolutionized medical practice, enhancing patient care, data management, and operational efficiency. However, this digital transformation has also exposed healthcare systems to significant cybersecurity threats, leading to legal and ethical challenges for clinicians. [ 1–3 ] The increasing frequency and sophistication of cyber-attacks, such as ransomware, data breaches, and hacking incidents, pose substantial risks to patient privacy, data integrity, and overall healthcare delivery. [ 1–3 ] These incidents jeopardize patient safety and implicate healthcare professionals in potential legal liabilities. Emerging technologies, including artificial intelligence (AI) and quantum computing, are at the forefront of cybersecurity innovations and challenges. AI, for instance, offers promising applications in detecting and mitigating cyber threats through advanced algorithms and machine learning (ML) techniques. However, deploying AI systems in healthcare raises concerns regarding data security, privacy, and ethical implications. If not properly managed, AI systems can introduce biases that may result in discriminatory practices or inaccurate decision-making. [ 4 , 5 ] Moreover, quantum computing, potentially breaking traditional encryption methods, further complicates the cybersecurity landscape, necessitating new cryptographic approaches and legal frameworks to safeguard sensitive health information. [ 6 ] The global nature of cybersecurity threats underscores the importance of international cooperation and regulatory harmonization. Countries have adopted varying approaches to managing cybersecurity incidents in healthcare, influenced by their legal systems, cultural values, and technological infrastructures. For example, the European Union's General Data Protection Regulation (GDPR) imposes stringent data protection requirements, including reporting data breaches within 72 hours. [ 7 ] In contrast, the United States has a more fragmented regulatory landscape, with laws such as the Health Insurance Portability and Accountability Act (HIPAA) providing a framework for protecting patient information. Still, varying state laws complicate compliance. [ 8 ] A comparative analysis of these international regulations reveals best practices and highlights areas where further harmonization is needed to protect healthcare data globally. The legal implications of cybersecurity incidents extend beyond compliance with data protection regulations. As custodians of patient data, clinicians may face legal consequences in data breaches or unauthorized access to sensitive information. These legal responsibilities necessitate a thorough understanding of cybersecurity best practices and implementing robust security measures. For instance, clinicians must ensure secure communication channels, regular updates to software systems, and adherence to data encryption standards. [ 9 ] Furthermore, clinicians should be aware of their obligations to report cybersecurity incidents and cooperate with investigations, as failure can result in legal penalties and damage to professional reputations. [ 10 ] Ethical considerations are also paramount in the context of cybersecurity in healthcare. The principle of patient autonomy, which underpins informed consent and confidentiality, is challenged when cybersecurity incidents compromise patient data. Healthcare professionals must navigate these ethical dilemmas, balancing the need to protect patient information with the necessity of using digital tools for medical care. [ 11 ] Moreover, deploying AI in healthcare introduces questions about the transparency and accountability of decision-making processes. Ensuring that AI systems are transparent, explainable, and free from biases is crucial to maintaining public trust and ensuring equitable healthcare outcomes. [ 12 ] Case studies of cybersecurity incidents in healthcare provide valuable insights into the practical challenges and consequences clinicians face. For example, the WannaCry ransomware attack in 2017 severely disrupted the UK's National Health Service (NHS), affecting numerous hospitals and clinics and leading to the cancelation of thousands of appointments. [ 13 ] This incident highlighted the vulnerability of healthcare systems to cyber threats and underscored the importance of proactive cybersecurity measures. Similarly, the breach of patient data at Ant -Abstract Truncated-

medicine, general & internal

A Bourka,N Polemi,D Koutsouris

Abstract:The scope of this paper is to present the current needs and trends in the field of healthcare systems security. The approach applied within the described review was based on three major steps. The first step was to define the point and ways of penetration and integration of security services in current healthcare related applications addressing technical, organisational and legal/regulatory issues. The second step was to specify and evaluate common security technologies applied in healthcare information systems pointing out gaps and efficient solutions, whereas the third was to draw conclusions for the present conditions and identify the future trends of healthcare information security. A number of EU RTD Projects were selected, categorised, analysed and comparatively evaluated in terms of security. The technical focus was on key security technologies, like Public Key Infrastructures (PKIs) based on Trusted Third Parties (TTPs) in conjunction with other state-of-the-art security components (programming tools, data representation formats, security standards and protocols, security policies and risk assessment techniques). The experience gained within this review will provide valuable input for future security applications in the healthcare sector, solving existing problems and addressing real user needs.

Sung J Choi,Min Chen,Xuan Tan

DOI: https://doi.org/10.1016/j.ijmedinf.2023.105149

Abstract:Objective: Widespread electronic health information exchange (HIE) across hospitals remains an important policy goal for reducing costs and improving the quality of care. Meanwhile, cybersecurity incidents are a growing threat to hospitals. The relationship between the electronic sharing of health information and cybersecurity incidents is not well understood. The objective of this study was to empirically examine the impact of hospitals' HIE engagement on their data breach risk. Materials and methods: A balanced panel dataset included 4,936 US community hospitals spanning the period 2010-2017, which was assembled by linking the American Hospital Association annual survey database and the Information Technology (IT) supplement, and the Department of Health and Human Services reports of health data breaches. The relationship between HIE engagement and hospital data breaches was modeled using a difference-in-differences specification controlling for time-varying hospital characteristics. Results: The percentage of hospitals electronically exchanging information has more than tripled (from 18% to 68%) from 2010 to 2017. Hospital data breaches increased concurrently, largely due to the rise in hacking and unauthorized access. HIE engagement was associated with a 0.672 percentage point increase in the probability of an IT breach three years after the engagement. Hospitals actively engaging in a health information organization and exchanging data with outside providers were associated with a higher risk of IT related breaches in the long run; however, hospitals actively engaging in HIE and exchanging data with inside providers were not associated with any significant risk of IT related breaches. Discussion: Over time, the increasing amount and complexity of patient information being exchanged can create challenges for cybersecurity if data protection is not up to date. Additionally, data security depends on the weakest link of HIE, and providers with fewer resources for data governance and infrastructure are more vulnerable to data breaches. Conclusion: Moving toward widespread health information exchange has important cybersecurity implications that can significantly impact both patients and healthcare organizations.

Abraham Isiaho,Kelvin Kabeti Omieno,Hillan Rono

DOI: https://doi.org/10.30574/wjaets.2022.7.2.0136

2022-12-30

World Journal of Advanced Engineering Technology and Sciences

Abstract:The advancement in information communication technologies has seen the rise in the deployment of various information exchange devices in the healthcare sector. Among these technologies is the Tele-care Medical Information Systems (TMIS) in which remote users can establish a connection with the hospital medical server and share the necessary information between them. This can potentially offer doctors and patients more reasonable treatment plan, as well as helping address the huge medical expenses and excessive medical treatment duration. There is therefore need to store patient data in the end devices, as well as transmit this data over public channels to facilitate decision making. This paper sought to review the security schemes that have been developed over the recent past to protect the patient data stored or transmitted in TMIS.

AKM Iqridar Newaz,Amit Kumar Sikder,Mohammad Ashiqur Rahman,A. Selcuk Uluagac

DOI: https://doi.org/10.48550/arXiv.2005.07359

2020-05-15

Cryptography and Security

Abstract:The recent advancements in computing systems and wireless communications have made healthcare systems more efficient than before. Modern healthcare devices can monitor and manage different health conditions of the patients automatically without any manual intervention from medical professionals. Additionally, the use of implantable medical devices (IMDs), body area networks (BANs), and Internet of Things (IoT) technologies in healthcare systems improve the overall patient monitoring and treatment process. However, these systems are complex in software and hardware, and optimizing between security, privacy, and treatment is crucial for healthcare systems as any security or privacy violation can lead to severe effects on patients' treatments and overall health conditions. Indeed, the healthcare domain is increasingly facing security challenges and threats due to numerous design flaws and the lack of proper security measures in healthcare devices and applications. In this paper, we explore various security and privacy threats to healthcare systems and discuss the consequences of these threats. We present a detailed survey of different potential attacks and discuss their impacts. Furthermore, we review the existing security measures proposed for healthcare systems and discuss their limitations. Finally, we conclude the paper with future research directions toward securing healthcare systems against common vulnerabilities.

Kenneth W Goodman,Eta S Berner,Mark A Dente,Bonnie Kaplan,Ross Koppel,Donald Rucker,Daniel Z Sands,Peter Winkelstein,AMIA Board of Directors

DOI: https://doi.org/10.1136/jamia.2010.008946

Abstract:The current commercial health information technology (HIT) arena encompasses a number of competing firms that provide electronic health applications to hospitals, clinical practices, and other healthcare-related entities. Such applications collect, store, and analyze patient information. Some vendors incorporate contract language whereby purchasers of HIT systems, such as hospitals and clinics, must indemnify vendors for malpractice or personal injury claims, even if those events are not caused or fostered by the purchasers. Some vendors require contract clauses that force HIT system purchasers to adopt vendor-defined policies that prevent the disclosure of errors, bugs, design flaws, and other HIT-software-related hazards. To address this issue, the AMIA Board of Directors appointed a Task Force to provide an analysis and insights. Task Force findings and recommendations include: patient safety should trump all other values; corporate concerns about liability and intellectual property ownership may be valid but should not over-ride all other considerations; transparency and a commitment to patient safety should govern vendor contracts; institutions are duty-bound to provide ethics education to purchasers and users, and should commit publicly to standards of corporate conduct; and vendors, system purchasers, and users should encourage and assist in each others' efforts to adopt best practices. Finally, the HIT community should re-examine whether and how regulation of electronic health applications could foster improved care, public health, and patient safety.