HHS Raises Awareness of Threats to Electronic Health Record Systems – HIPAA Journal
Share this article on:
The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center has issued a threat brief warning about the risks associated with electronic health record systems, which are often targeted by cyber threat actors.
Cyberattacks on EHRs can be extremely profitable for cyber threat actors. EHRs usually contain all the information required for multiple types of fraud, including names, addresses, dates of birth, Social Security numbers, other government and state ID numbers, health data, and health insurance information. No other records provide such a wide range of information. The information contained in the systems has a high value on the black market and can be easily sold to cybercriminals who specialize in identity theft, tax, and insurance fraud. Malware, and especially ransomware, pose a significant threat to EHRs. Ransomware can be used to encrypt EHR data to prevent access, which causes disruption to medical services and creates patient safety issues, which increases the likelihood of the ransom being paid. Phishing attacks to gain access to the credentials required to access EHRs are also common.
A cybersecurity strategy should be developed to protect against malware and ransomware attacks. Malware and ransomware infections often start with phishing emails, so email security solutions should be implemented, and end users should receive training to help them identify phishing emails and other email threats. Regular security awareness training for the workforce can improve resistance to cyberattacks that target employees, who are one of the weak links in the security chain. Attacks on Remote Desktop Protocol (RDP) are also common. Consider using a VPN solution to prevent exposing RDP. Threat actors often exploit unpatched vulnerabilities, so it is vital to patch promptly and to prioritize patching to address critical vulnerabilities first, especially vulnerabilities that are known to have been exploited in cyberattacks. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities Catalog that can guide IT security teams on prioritizing patching efforts.
Many healthcare organizations encrypt EHR data. Encryption protects data while it is transferred between on-site users and external cloud applications, but there could be blind spots in encryption that could be leveraged by threat actors to avoid being detected while they execute their attack. Cloud services are now commonly used by healthcare organizations, including cloud-hosted EHRs. All data sent to cloud services must be properly protected to comply with HIPAA. Cloud access security broker technology can help in this regard.
Steps need to be taken to prevent attacks by external cyber threat actors, but there are also internal threats to EHR data. Healthcare employees are provided with access to EHRs and can easily abuse that access to view or steal patient data. Employees should receive training on internal policies concerning EHR use and data access and how HIPAA prohibits the unauthorized accessing of records. The sanctions policy should be explained as well as the potential for criminal charges for unauthorized medical record access. Administrative policies should be implemented to make it difficult for employees to access records without authorization and policies for EHR need to be enforced.
There should be monitoring of physical and system access, audits should be regularly conducted to identify unauthorized access, and device and media controls should be implemented to prevent the unauthorized copying of EHR data. An endpoint hardening strategy should also be developed that includes multiple layers of defense on all endpoints. The strategy will also ensure that any intrusion is detected and contained before attackers can gain access to EHRs and patient data.
Healthcare organizations should engage in threat hunting to identify threat actors who have bypassed the security perimeter and infiltrated endpoints. Penetration testers should be used for ‘Red Team’ activities involving the tradecraft of hackers to identify and exploit vulnerabilities. Cybersecurity professionals should also be engaged for the Blue Team, which is concerned with guiding the IT security team on improvements to prevent sophisticated cyberattacks. “These exercises are imperative to understanding issues with an organization’s network, vulnerabilities, and other possible security gaps,” says the HHS.
There are considerable benefits that come from EHRs, but risks to data must be properly managed. The HHS suggests healthcare leaders change their focus from prevention to the creation of a proactive preparedness plan to understand vulnerabilities in their EHRs and then implement a framework that will be effective at identifying and preventing attacks.