HHS Warns of Threats to Electronic Health RecordsUrges Entities to Take a 'Proactive' Approach to Safeguard Patient Records
Healthcare entities should implement a more "proactive preparedness" approach for protecting their electronic health record/electronic medical record systems, which are an increasingly attractive target for cyberattacks and other breaches, federal regulators warn.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in a threat brief issued Thursday says EHRs/EMRs are profitable to cybercriminals - for extortion, fraud, identity theft, data laundering and sale on the dark web.
That's because the records contain protected health information of patients that can include 18 identifiers including names, birthdates, account numbers, Social Security numbers, health plan information and biometric identifiers.
"These 18 identifiers provide criminals with more information than any other breached record," HHS says.
While EHRs and EMRs are often referred to interchangeably, EMRs - which allow the electronic entry, storage and maintenance of digital medical data - are a part of EHRs, which also contain patient records from doctors and include demographics, test results, medical history and medications.
“It is recommended that healthcare leaders shift their focus by moving beyond a prevention strategy and creating a proactive preparedness plan," HHS says.
"This helps understand vulnerabilities in the current network landscape and provides guidance needed for a framework that will be effective in identifying and preventing attacks, which is key to protecting EMRs/EHRs, along with access to vital patient data."
The top threats to EMRs and EHRs include phishing attacks, ransomware and other malware attacks, encryption "blind spots," cloud threats and employees, HHS says.
To better protect against phishing attacks, HHS recommends educating healthcare professionals, including training them to not click links within emails and to verify all requests to share EHR files before sending any data.
To help protect against malware attacks, HHS suggests that healthcare entities develop a strategy to combat ransomware that targets RDP and other internet-facing applications.
"Healthcare leaders should also consider adding a VPN with multifactor authentication to avoid exposing their RDP and prioritize patching for vulnerabilities in VPN platform and other applications," HHS says.
Data encryption blind spots can also pose a potential significant risk to EMRs, HHS says.
It says data encryption protects and secures EMR/EHR data while it is being transferred between on-site users and external cloud applications, but blind spots in encrypted traffic could pose a threat to IT healthcare because threat actors or hackers can use encrypted blind spots to avoid detection, hide and execute a targeted attack.
Also, as more healthcare organizations are embracing cloud services to help improve patient care, the need to keep data secure while complying with HIPAA is increasing, HHS HC3 says, and using cloud access security broker technology can help with that.
To safeguard against insider threats, it says, a cybersecurity strategy and policy should include educating all healthcare partners and staff about related risks, enhancing administrative controls, monitoring physical and system access; creating workstation usage policies, auditing and monitoring system users, employing device and media controls and applying data encryption.
HHS also recommends that healthcare entities develop an endpoint security strategy "to harden their digital infrastructure" with multiple defense layers at various endpoints.
It says such a strategy can detect and contain an attack before it has access to patient medical records or other sensitive information and suggests using endpoint detection and response to detect and mitigate cyberthreats.
HHS also says it's important to safeguard patient health records through email security measures.
It warns that Hive ransomware attacks malicious files attached to phishing emails to gain access to health records and company systems and recommends using email security software with URL filtering and attachment sandboxing as a mitigation strategy."
HHS recommends threat hunting to help protect EHRs and other systems, calling it "a proactive practice that finds threat actors or hackers who have infiltrated a network’s initial endpoint security defenses." The HHS says threat hunting "operates as an extension of the organization’s cyber team that will track, prevent, or even stop potential cyberattacks on an organization."
It says red and blue team exercises, which involve "face-offs" between two teams of highly trained cybersecurity professionals, help people understand issues with "an organization's network, vulnerabilities and other possible security gaps."
Mac McMillan, CEO of privacy and security consultancy CynergisTek, says there are additional considerations that affect the security of EHR and EMRs.
"One concern I have is with all of the other applications that want to talk to the EMR/EHR through application programming interfaces, and the lack of security that is sometimes associated with APIs. All APIs that are associated with the EMR/EHR should go through testing to insure their integrity," he says.
EMRs/EHRs are both indirectly and directly targets of ransomware attacks due to the valuable data they contain, but other IT systems within healthcare environments are also targets for such attacks, according to McMillan. He says that's due to "the data or access to the data and multiple systems throughout the hospital's environment that have patient information."