HHS cyber arm warns of EHR vulnerabilities

The Health Sector Cybersecurity Coordination Center published a threat brief outlining common threats to electronic health records, including phishing attacks, malware and cloud threats.
By Kat Jercich
12:22 PM

Photo: Sasa-Delic-SD

The Health Sector Cybersecurity Coordination Center published a threat brief this past week cautioning about the potential cybersecurity risks of electronic health records.  

In its brief, the U.S. Department of Health and Human Services' cyber agency noted that EHRs have a wide range of benefits, including possible interoperability, convenience and improved quality of care.   

At the same time, said HC3, the electronic health record is "valuable to cyber attackers because of the Protected Health Information it contains and the profit they can make on the dark web or black market."  

WHY IT MATTERS  

According to researchers, stolen healthcare data is the most valuable, with average breach incident costs totaling $9.23 million in 2021.   

And the EHRs are repositories for that data, making them a juicy prize for bad actors.  

"The risks to EHRs relate primarily to a range of factors that include user-related issues, financial issues and design flaws that create barriers to using them as an effective tool to deliver healthcare services," wrote HC3 researchers.   

In addition, the electronic health record "is also a top target in healthcare breaches."  

Top threats against EHRs include phishing attacks, malware, overlooked gaps in encryption, cloud threats and employees. In 2021, for instance, 20% of breaches involved compromised credentials.  

"Healthcare leaders should understand where operational vulnerabilities exist in their organization, from marketing all the way down to critical health records," said the agency.  

"By understanding the scope of the task at hand, management and other healthcare leaders can create a preparedness plan to address any weaknesses in digital infrastructure," it continued.  

The agency outlined several strategies to strengthen organizational cyber posture, including:  

  • Evaluate risk before an attack 
  • Use VPN with multi factor authentication 
  • Develop an endpoint hardening strategy, allowing stakeholders the ability to defend their structure at various points
  • Protect emails and patient health records, such as via URL filtering  
  • Engage cyber threat hunters 
  • Conduct "red team / blue team" exercises in order to understand issues within the network   

It also advised moving beyond prevention and creating a proactive preparedness plan.  

"This helps understand vulnerabilities in the current network landscape and provides guidance needed for [frameworks] that will be effective in identifying and preventing attacks, which is key to protecting EMRs/EHRs, along with access to vital patient data," said the threat brief.  

THE LARGER TREND

In 2021 alone, 40 million patient records were compromised – with the most significant incident affecting 3.5 million individuals.

2022 isn't shaping up to be much different: Dozens of entities have already reported healthcare breaches in the first few months of the year.  

Such incidents can have rolling effects. In addition to the immediate threat to patient care and information, health systems must then sometimes contend with lawsuits and governmental penalties.  

ON THE RECORD  

"Insider threats apply across industries, including the health sector," wrote HC3. "It is recommended that your healthcare organization has a cybersecurity strategy and policy that’s not only understood but followed and enforced."

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.