HHS Warns of Threats to Electronic Health Records

Healthcare entities should adopt a more “proactive preparedness” approach to protecting their electronic health record (EHR) and electronic medical record (EMR) systems, federal regulators warn, because these systems are an increasingly attractive target for cyberattacks and other breaches.

The DHHS Health Sector Cybersecurity Coordination Center, in a threat brief issued Thursday, reinforced that EHRs/EMRs are profitable to cybercriminals, largely because these records contain more information, and more valuable information, than any other data source, including up to 18 identifiers such as names, birthdates, account numbers, Social Security numbers, health plan information and biometric identifiers.

“It is recommended that healthcare leaders shift their focus by moving beyond a prevention strategy and creating a proactive preparedness plan,” HHS says.

Such a plan helps an organization understand the vulnerabilities in its current network landscape and provides the guidance needed for a framework that will effectively identify and prevent attacks, which is key to protecting EMRs/EHRs and the access they provide to vital patient data.

Top Threats

The top threats to EMRs and EHRs include phishing attacks, ransomware and other malware attacks, encryption “blind spots,” cloud threats and employees, HHS says.

  • To better protect against phishing attacks, HHS recommends educating healthcare professionals, including training them not to click links within emails and to verify all requests to share EHR files before sending any data.
  • To help protect against malware attacks, HHS suggests that healthcare entities develop a strategy to combat ransomware that targets RDP and other internet-facing applications.
  • HHS also suggests placing RDP behind a VPN with multifactor authentication so that RDP is not exposed directly to the internet, and prioritizing patching of vulnerabilities in the VPN platform and other applications.

To safeguard against insider threats, a cybersecurity strategy and policy should include the following:

  • Educating all healthcare partners and staff about related risks;
  • Enhancing administrative controls;
  • Monitoring physical and system access;
  • Creating workstation usage policies;
  • Auditing and monitoring system users;
  • Employing device and media controls;
  • Applying data encryption.

Although the escalation of ransomware has hit all sectors hard, it’s important to remember just how valuable PHI is to criminals and to take appropriate measures to safeguard patient information in an evolving threat landscape.

If you have questions about your IT security, call ITPAC today.