The U.S. Department of Health and Human Services’ Cybersecurity Coordination Center has issued a brief warning about the risks associated with electronic medical record systems, which are often targeted by cyber threat actors.
Cyberattacks on EHRs can be extremely lucrative for cyber threat actors. EHRs typically contain all the information needed for various types of fraud, including names, addresses, dates of birth, Social Security numbers, other government identification numbers, medical records, and health insurance information. No other record provides such a wide range of information. The information contained in these systems is of high value on the black market and can be easily sold to cybercriminals specializing in personal data theft and tax and insurance fraud. Malware, and especially ransomware, poses a significant threat to EHRs. Ransomware can be used to encrypt EHR data to prevent access, causing disruptions to health services and creating patient safety concerns that increase the likelihood of ransom payments. Phishing attacks are also commonly used to obtain the credentials needed to access EHRs.
A cybersecurity strategy should be developed to protect against malware and ransomware attacks. Malware and ransomware attacks often start with phishing emails, so email security solutions should be implemented, and end users should be trained to help them identify phishing emails and other email threats. Regular security training of personnel can improve resistance to cyberattacks directed at employees, who are one of the weak links in the security chain. Remote Desktop Protocol (RDP) attacks are also common. Consider using a VPN solution to prevent RDP exposure. Threat actors often exploit unpatched vulnerabilities, so it is important to apply fixes in a timely manner and prioritize critical vulnerabilities, especially those known to have been used in cyberattacks. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities Catalog that can guide IT security teams on prioritizing fixes.
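One way to apply the patch prioritization described above, as an added example that is not part of the HHS brief or the original article: scanner findings are cross-referenced against CISA's catalog of known exploited vulnerabilities, and listed CVEs are ranked ahead of unlisted ones regardless of CVSS score. The catalog excerpt (in the shape of CISA's JSON feed), the CVE placeholders, the host names and the findings are all constructed for illustration.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed; CVE IDs are placeholders.
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dueDate": "2024-03-01", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "dueDate": "2024-02-10", "knownRansomwareCampaignUse": "Unknown"}
]}"""

# Constructed scanner findings: (host, CVE, CVSS base score). Host names are hypothetical.
FINDINGS = [
    ("ehr-db-01", "CVE-0000-0003", 9.8),
    ("ehr-app-01", "CVE-0000-0001", 7.5),
    ("rdp-gw-01", "CVE-0000-0002", 8.1),
    ("ehr-app-01", "CVE-0000-0004", 5.3),
]

def load_kev(raw):
    """Index catalog entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def prioritize(findings, kev, today):
    """Rank findings: catalog-listed first (ransomware-linked, then earliest
    due date), then everything else by descending CVSS score."""
    rows = []
    for host, cve, cvss in findings:
        entry = kev.get(cve)
        # dueDate is the catalog's remediation deadline; used here only as a relative urgency signal.
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "host": host, "cve": cve, "cvss": cvss,
            "kev": entry is not None,
            "ransomware": bool(entry) and entry.get("knownRansomwareCampaignUse") == "Known",
            "due": due,
            "overdue": due is not None and due < today,
        })
    return sorted(rows, key=lambda r: (not r["kev"], not r["ransomware"],
                                       r["due"] or date.max, -r["cvss"]))

if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev(KEV_JSON), date(2024, 2, 15)):
        tag = "KEV" if r["kev"] else "   "
        flags = (" ransomware" if r["ransomware"] else "") + (" OVERDUE" if r["overdue"] else "")
        print(f'{tag} {r["cve"]} {r["host"]:<11} cvss={r["cvss"]}{flags}')
```

Note that the 9.8-scored finding ranks third: evidence of exploitation in the wild outweighs the raw severity score.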
Many healthcare organizations encrypt EHR data. Encryption protects data as it is transmitted between on-premises users and external cloud applications, but there may be blind spots in the encryption that threat actors can use to avoid detection during an attack. Cloud services are now commonly used by healthcare organizations, including for cloud-hosted EHRs. All data sent to cloud services must be properly protected in accordance with HIPAA. Cloud access security broker technology can help in this regard.
Steps need to be taken to prevent attacks by external cyber threat actors, but there are also internal threats to EHR data. Healthcare professionals are granted access to EHRs and can easily abuse that access to view or steal patient data. Employees should be trained on internal policies regarding EHR use and access to data, as well as how HIPAA prohibits unauthorized access to records. The sanctions policy should be explained, as well as the possibility of criminal charges for unauthorized access to medical records. Administrative policies should be implemented to make it difficult for staff to access records without authorization, and policies for EHR use should be followed.
There should be monitoring of physical and system access, regular checks to detect unauthorized access, and control of devices and media to prevent unauthorized copying of EHR data. An endpoint hardening strategy should also be developed that includes multiple layers of protection at all endpoints. The strategy should also ensure that any intrusion is detected and deterred before attackers can access EHR and patient data.
Healthcare organizations need to engage in threat hunting to identify threat actors that have bypassed the security perimeter and infiltrated endpoints. Penetration testers should be used for Red Team activities, which involve using hacking skills to detect and exploit vulnerabilities. Cybersecurity professionals should also be involved in Blue Team activities, which involve guiding the IT security team on improvements to prevent complex cyberattacks. “These exercises are needed to understand organizational network problems, vulnerabilities and other possible security gaps,” says HHS.
EHRs offer significant benefits, but the risks to the data need to be properly managed. HHS invites healthcare leaders to shift their focus from prevention to creating a proactive preparedness plan to understand the vulnerabilities in their EHRs, and then to implement a framework that will be effective at detecting and preventing attacks.