Electronic Health Records (EHRs) and Electronic Medical Records (EMRs) contain a massive amount of sensitive information about a patient’s identity, medical health, and medical history. And while these electronic records allow physicians, healthcare professionals, and insurance companies to share information — a process that makes it easier to provide cross-coverage care and bill insurance — their sensitive and patient-care-centered content makes them a primary target for a variety of security threats and vulnerabilities, including these 5 EHR cybersecurity threats:
1. Phishing Attacks
Phishing attacks often come through email in an attempt to lure the user to click a link and reveal login credentials and/or they will deposit some kind of malware. Healthcare professionals must be taught how to identify phishing attacks, but keep in mind that these threats are becoming more sophisticated when it comes to EHRs. Protect your EHR from phishing attacks by:
- Educating all healthcare professionals on what to look for and what to avoid.
- Being aware that emails that seem to come from a company or service your healthcare team commonly works with, may be a phishing scam.
- Not clicking links within an email that’s either mismatched or has a Top-Level Domain (TLD) (the last segment of the domain name after the dot) associated with suspicious sites.
- Physicians should closely examine any EHR file-share requests before sending anything. Make sure it’s a verified healthcare professional on the other end.
2. Malware and Ransomware
Malware can enter a healthcare system’s IT network in a variety of ways — via downloads, phishing attacks, software vulnerabilities, through encrypted traffic, and more. How each type of malware attack effects the healthcare system, however, can vary from stealing data and information all the way to harming host computers and networks.
Ransomware, a type of malware, does something different — it locks users out of their computer or system while demanding payment (ransom) for regained access to data, information, and files. In the hospital or healthcare environment, this means access to EHRs is locked until payment is made. This is particularly dangerous for healthcare facilities, hospitals, and those who use EHRs or EMRs, because these facilities rely on up-to-date information in order to provide patient care. This need for up-to-date information, the amount of personal patient data, and the fact that hospitals tend to be quick to pay ransoms to regain access, however, are what make hospitals and clinics major ransomware targets. You can see how ransomware has become a major IT problem in healthcare by these top 10 healthcare data breaches of 2017, the 2017 WannaCry ransomware virus, and these healthcare ransomware attacks of 2016.
3. Encryption Blind Spots
Data encryption helps protect data as it transfers between on-site users and external cloud applications — something especially useful when it comes to securing an EHR. Unfortunately, however, blind spots in encrypted traffic have become an IT healthcare threat, as hackers are now using these encrypted blind spots to hide, avoid detection, and execute their targeted attack. This makes it harder for security tools to monitor and detect EHR or EMR breaches, hospital network breaches, and more, but encrypted data can be secured with 1.) security measures that monitor encrypted traffic to locate blind spots or suspicious behavior and 2.) decrypting and inspecting suspicious and malicious traffic, while letting known and good traffic pass through in its encrypted state. This is especially important for hospital IT teams and those working to protect healthcare data, patient privacy, and personally identifiable information (PII), because this selective decryption and inspection method of network traffic ensures that data privacy and data compliance are upheld.
4. Cloud Threats
As more healthcare organizations turn to the Cloud to improve patient care and collaborative efforts, it’s becoming increasingly important to ensure that private data is secure and that HIPAA compliance is being met. Using the Cloud for healthcare data doesn’t have to become an IT nightmare — it does mean that hospital IT teams and all connected healthcare IT partners must be on the same page with:
- Maintaining all HIPAA compliance requirements.
- Understanding what information is in the Cloud.
- Allowing no unnecessary or unrestricted access.
- Creating and maintaining a well-defined and understood cloud-use process.
- Implementing strong data encryption to ensure data is protected as it moves from on-site networks to the Cloud, or while it’s stored and processed in cloud applications. (This may mean replacing healthcare and patient data with an encrypted or tokenized value so that if outside access to the Cloud occurs, data becomes meaningless. Do not share encryption keys or token vaults with third parties.)
- Using Cloud Access Security Broker (CASB) solutions to act as security and compliance policy enforcement points between cloud service providers and the hospital staff. Logged interactions may help meet healthcare IT security audit requirements, such as HIPAA.
- Selecting reliable IT partners and vendors that take the necessary steps to reduce risk.
One of the biggest threats to healthcare IT security is the staff of hospitals and other healthcare facilities. It all comes down to cybersecurity education — do all staff and employees know how to spot and avoid phishing attacks or ransomware attacks? They should! Make sure your healthcare organization has a cybersecurity strategy and policy that’s not only well understood, but followed and enforced. That means:
- Educating all healthcare partners and staff on healthcare cybersecurity best practices.
- Enhancing administrative controls.
- Monitoring physical and system access.
- Creating workstation usage policies, including privacy filters and workstation capabilities.
- Auditing and monitoring system users — where are your weaknesses, are there any attempts at breaches, how often will you regularly audit all authorized users, and how will you punish those not following compliance guidelines?
- Employing device and media controls, including how data and hardware that held data is disposed of, reused, and backed up.
- Applying data encryption.
Protect Healthcare Data
As the healthcare world continues to transition to a paperless system, it’s more important than ever that healthcare data is secure and backed up. Start implementing your healthcare cybersecurity strategy by educating your organization and contacting Integracon for more information on how to protect your healthcare data, today.