HHS Emphasizes EHR Cybersecurity Risks to Healthcare Sector

April 11, 2023 - EHRs are poised to remain a crucial part of the healthcare industry, but the exploitation of patient data casts a shadow over its benefits. A recent HHS threat brief emphasized the need for healthcare organizations to stay on their toes against emerging cybersecurity risks, ensuring patient health is safe from threat actors.

While frequently considered synonymous, EHRs and EMRs have distinct capabilities. EMRs enable the digital input, preservation, and management of medical information. On the other hand, EHRs hold patient health records such as demographic information, test results, medical histories, current illness histories (HPI), and medication details, HHS stated.

The increase in EHR adoption stems from multiple factors, including the need for improved patient care and encouragement from governments and regulatory bodies. 

EHRs and EMRs have changed healthcare delivery, offering greater patient records access, elevating care quality, and facilitating data sharing and accessibility. Additionally, EHRs and EMRs have contributed to reducing medical errors and improving by ensuring the accuracy and current information. However, user mistakes and design shortcomings can turn EHRs and EMRs into potential security hazards instead of beneficial tools.

"Electronic Medical/Health Records are here to stay for the foreseeable future, so organizations should work to protect Personal Identifiable Information (PII)/Protected Health Information (PHI) and should be aware of market trends," noted the Health Sector Cybersecurity Coordination Center (HC3), the cybersecurity arm of  HHS.

These extensive digital filing cabinets for patient health data are at risk from phishing attacks, data breaches and vulnerabilities, malware and ransomware attack, encryption blind spots, cloud threats/third-party risks, and even by improper employee use.

"EMRs/EHRs are valuable to cyber attackers because of the PHI information they contain and the profit they can make on the dark web or black market," HC3 stated.

Some notorious hacking groups, like LockBit 3.0, BlackCat (AlphaV), Royal, BianLian, and Black Basta, specifically target personal health information.

According to the OCR Breach Portal, a staggering 385 million patient records may have been exposed to these types of breaches from 2010 to 2022.

And just this year, several notable data breaches in the healthcare industry have compromised patients' personal health information.

One example is when Reventics, a company that manages money for healthcare, had a data leak affecting 250,918 people. Memphis, Tennessee-based Regional One Health posted a notice on its website informing patients of the breach – Reventics is a third-party business associate of the Tennessee health system.

In early March, Sentara Healthcare in Virginia was made aware of a data security incident resulting in the exposure of certain patient information following a tip received via the Sentara Compliance Hotline. After checking, they confirmed a PDF report for Sentara Lab services was uploaded to the Adobe Acrobat site on October 17, 2022.

As they increase in prevalence, data breaches can be expensive. In 2022, the average cost of a healthcare data breach went up from $9.23 million in 2021 to $10.10 million, according to IBM's report. HIPAA fines can also be costly, with penalties ranging  from $127 to $63,973 for lack of knowledge and $63,973 to $1,919,173 for not fixing a problem within 30 days.

"Electronic medical/health records will continue to be a significant part of the healthcare industry, so utilizing all resources to protect PII/PHI is key. In the years to come, EMRs/EHRs will be enhanced with significant growth in IoT devices, big data technology and telehealth systems, and digitization will become a core offering in healthcare institutions," HC3 wrote.

Under the Strengthening American Cybersecurity Act of 2022, passed in March 2022, organizations in critical infrastructure sectors have 12-18 months to put in place the following  policies and practices

• Adopt Zero Trust: This means no longer trusting all devices and traffic within a network. Instead, security controls are applied to make sure employees have the right access to resources, and this access is continuously assessed.
• Apply the Principle of Least Privilege: This approach to information security gives end-users the minimum access needed, with higher access levels regularly reviewed.
• Improve mobile security standards and mobile device management (MDM): MDM allows IT departments to monitor, manage, and secure employees' mobile devices containing or accessing company assets.
• Strengthen protections for systems likely to be targeted by ransomware: Be prepared for potential breaches by having an incident response plan and practicing it through tabletop exercises.

"In addition to being in compliance with the law, organizations within the health sector should strive to do their best to protect data and sensitive information from nefarious threat actors. Developing a strong cybersecurity posture is vital to any organization," the report mentioned.