Healthcare Information Security

News

Why EHR Vendors Are Next Healthcare Data Breach Target

With the growing sophistication of hackers, 2016 may be the year when EHR vendors become the next major healthcare data breach target.

By Mark Menke of Digital Guardian

- It’s no secret that the healthcare industry is a hackers’ gold mine for valuable, sensitive data. Along with private information like patients’ names, mailing addresses, email aliases and dates of birth, healthcare firms also hold extremely personal health data, such as lab results, dictated reports, prescribed medications and medical conditions.

Next healthcare data breach target may be EHR vendors

In 2015, we witnessed numerous hospital networks and health insurers fall victim to data breaches. Community Health Systems, Premera and Anthem were just some of the bigger names making regular headlines last year, but the attacks trickled down to even the smaller physicians’ offices.

But with the growing sophistication of hackers, and the amount of sensitive data stored, 2016 may be the year when EHR vendors become the next major target.

Why EHR?                  

Health data hackers are moving upstream: from hospital networks or insurers who might represent patients in a particular geographic area, to now, an EHR service provider with customers all over the country. The reality is that thieves bent on identity theft, account hijacking or sophisticated spear phishing and social engineering attacks choose health firms because the data is a treasure trove of information that can be used for monetary gain. 

READ MORE: 29K Impacted by SSM Health Data Breach from Unauthorized Access

Web-based EHR systems easily allow them to access data from hundreds or thousands of health networks in one fell swoop. Additionally, like other similar applications, it’s likely that web-based EHR systems suffer from many common vulnerabilities that might give attackers access to backend systems and data – from SQL injections to cross site scripting.

Making matters worse, the Affordable Care Act has created significant incentives for doctors’ offices to embrace EHR systems, as these technology systems are known to replace inefficient, paper-based medical records systems. Most web-based EHR platforms allow physicians to reap the advantages of these efficient tools without needing to invest in hardware, software and IT staff to manage them – which is a big bonus in the healthcare industry, where the margins are small.

EHR vendors should consider the following steps to remain secure and work toward preventing a healthcare data breach.

Realize the Risk

Both EHR firms and physicians’ offices that use these services should take note that sophisticated attackers are on to them, and that EHR application servers are now squarely in the crosshairs of these malicious actors. The first step in realizing the risk always begins with cybersecurity education, throughout the entire healthcare firm. In addition to regular training sessions, be sure to conduct EHR risk assessments continually to ensure the level of risk is kept at a minimum.

READ MORE: Stolen Patient Records in OH Lead to Potential PHI Breach

Identify Most Important Data

All too often, healthcare firms and the EHR providers they work with, have no idea where the most valuable data is stored and who has access to it. All parties involved must know what the sensitive data is if they want to prevent it from being stolen. Simply identifying the crown jewels can feel like a daunting task, but it doesn’t have to be. Start with your most critical data — the data you know a hacker is after. This can be in the form of financial and personal data, but also spans to include lab tests, diagnosis reports, and other medical-based information. Get that identified first and then move to the next organizational function.

Properly Protect Sensitive Data

This is going to sound very basic, but once sensitive data is identified, the immediate next step is to label it. Mark all critical assets as “internal only” or “confidential.” Whether the document is digital or paper-based, this is the quickest and easiest protection method. It provides employees with a visual cue to treat the document with care, and internal staff is almost always targeted by hackers. There are also additional technologies that you can employ to ensure your sensitive data stays safe. Data at rest discovery tools can be utilized to help minimize the amount of stored sensitive data and contain it to protected locations.  In addition, vendors should consider encryption, network security, persistent document tagging and policy-driven data protection – these approaches ensure data flows freely, but in a secure way.  

Have a Plan if Data is Stolen

READ MORE: Unauthorized PHI Access at Coney Island Hospital Impacts 3.4K

Understand that a data breach can happen, so it’s critical to have an incident response plan at the ready. Following a detailed plan to avoid a data breach should be a healthcare provider’s first priority; however, in the event of a breach, have a disaster recovery plan prepared to minimize the damage. Immediately following a breach, healthcare professionals should identify the information compromised, isolate the data and decide how to inform the patients impacted by the event. Altering the method to avoid future data breaches should be next priority, including thoroughly testing the EHR system.

Overall, as with healthcare companies and hospitals, the focus should be on removing “low hanging fruit” that can lead to compromises and putting in robust detection tools to shorten the window of exposure in the event of a compromise from weeks to days, hours or – ideally – minutes. The less time attackers have on the network, the less damage they can do to an organization.

Mark Menke is the Principal Architect of Network and Cloud Security at Digital Guardian. 

X

SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
BYOD
Cybersecurity
Data Breaches
Ransomware

Our privacy policy

no, thanks