As predicted, the increasing use of electronic health records (EHRs) resulted in a corresponding increase in the number of security breaches. Having such a large volume of records digitally stored in one place makes a lot of sense in many regards, but this comes with a downside: it also makes it much easier for them to be compromised.
In fact, the HHS (US Department of Health and Human Services) Office of Inspector General (OIG) included investigations of how well providers protect EHR information in its 2017 work plan.
The healthcare industry newsletter FierceHealthcare summarized the largest cyber problems that plagued EHRs in 2016.
Ransomware
The sheer number of incidents affecting the healthcare industry made ransomware a household name in 2016. Two prominent incidents were widely reported:
- Hollywood Presbyterian Medical Center paid $17,000 in bitcoins to recover the use of its EHR system
- MedStar Health lost the use of its computers due to a ransomware attack
Regrettably, as healthcare administrators learned not to click on suspicious links, cyber criminals became more sophisticated and turned to targeted spear phishing: an email sent from a spoofed address so that it looks legitimate, carrying an attachment disguised as something innocuous such as an invoice.
The HHS Office for Civil Rights released guidance on avoiding ransomware in July. The agency also clarified that such attacks constituted a HIPAA breach and should be reported to HHS as well as the patients affected and possibly the media.
Hacking
Cyber criminal hacking resulted in some major breaches in 2016:
- 21st Century Oncology, based in Fort Myers, reported a breach of 2.2 million patient records that resulted in a number of class action lawsuits
- Georgia’s Athens Orthopedic Clinic was breached in a common manner: an outside vendor’s login credentials were used to compromise the records of 200,000 patients
The Internet of Things
Cybersecurity experts have long expressed concern about the vulnerability of internet-connected devices that have weak or no encryption. Johnson & Johnson warned that one of its insulin pumps was vulnerable to hacking because its communication system was unencrypted.
Steps Providers Can Take to Increase the Security of EHRs
- Review an EHR’s security before using it and choose the most secure system
- Train employees to recognize threats such as phishing attacks
- Back up the EHR offline and test the backup to make sure it is accessible in an emergency
- Limit access to the EHR and regularly review audit trails
- Follow HIPAA’s security requirements:
  - Analyze the EHR for security vulnerabilities and risk
  - Encrypt data
  - Keep software patches up to date
Following these measures will help to ensure that your online medical records do not end up in the hands of cyber criminals.