2016: The Year of Increased Risk for EHRs

MarkMenkeBy Mark Menke, Chief Technology Officer of Network DLP, Digital Guardian
Twitter: @DigitalGuardian

Last year, we witnessed a number of data breaches occur within hospital networks, health insurers, physicians’ offices, and much more. In fact, Community Health Systems, Premera and Anthem were just some of the bigger names who made cybersecurity headlines in 2015, resulting in more than 94 million records exposed. Attacks ranged from simple, employee-targeted breaches, to more complex methods carried out by sophisticated hackers.

It’s no secret – hackers are drawn to industries that hold valuable, sensitive and extremely personal data. Therefore, the healthcare industry has been a main target for quite some time now, with its treasure trove of private information like mailing addresses, family histories, medical conditions, social security numbers and much more.

But with attacks becoming more sophisticated and multi-faceted in nature, it’s time to take a closer look at the healthcare industry, specifically electronic health record (EHR) providers.

A Recent EHR Scare
In June, Medical Informatics Engineering informed clients that it suffered a cyber-attack that resulted in the theft of data. The medical firm is the maker of NoMoreClipboard, a web-based EHR platform that allows physicians’ offices to manage patient information via a web-based portal.

Some of the stolen information hackers made off with included patients’ names, mailing addresses, email addresses and dates of birth. For some unstated number of patients, additional information stolen included Social Security Numbers, lab results and dictated reports.

If healthcare firms are going virtual by partnering with EHR vendors, they must be prepared for the potential security risks, especially following the case of Medical Informatics Engineering. If not, then 2016 may very well be the year when EHR vendors become the next major target.

Why EHR?
Hackers are moving upstream: from hospital networks who represent patients in a specific geographic area, to now, an EHR provider with customers all over the country. Web-based EHR systems easily allow attackers to access data from hundreds or thousands of health networks in one simple swoop. Making matters worse, like other similar applications, it’s likely that web-based EHR systems suffer from many common vulnerabilities that might give hackers access to backend systems and data – from SQL injections to cross site scripting.

Additionally, to complicate the risk, the Affordable Care Act has created significant incentives for physicians’ practices to embrace EHR systems, as these technology systems are known to replace inefficient, paper-based medical records systems. Today, web-based EHR platforms allow physicians to reap the advantages of these efficient tools without needing to invest in hardware, software or IT staff to manage them. While this is a big bonus in healthcare, where the margins are small, it is also a massive drawback for cybersecurity.

[rosterslider id=’2′]

Protecting your Practice
To remain secure, healthcare organizations using EHR platforms should consider implementing the following precautions, to properly safeguard their practice against the next threat:

1. Recognize the Imminent Risk
Awareness is the first step in any cybersecurity process. Both EHR providers and the healthcare firms who use these services should understand the valuable data they hold, and that the hackers are after it. Additionally, they should realize that with a rise in sophistication from attackers, EHR application servers are now squarely in the crosshairs of the most malicious actors. Educate the entire healthcare firm on the risk, from the C-suite down to the receptionist. In addition to regular training sessions, be sure to conduct EHR risk assessments continually to ensure the level of risk is kept at a minimum.

2. Find and Label the Valuable Data
All too often, healthcare firms, and the EHR providers they work with, have no idea where the most valuable data is stored and who has access to it. All parties involved must know what the sensitive data is if they want to prevent it from being stolen.

Identifying the crown jewels can sound like a daunting, time-consuming task. The good news is, it doesn’t have to be. Start with your most sensitive data — the information you know a hacker is after. This can be in the form of financial and personal data, but also spans to include lab tests, diagnosis reports, and other medical-based information. Identify those crown jewels, and then move to the next organizational function.

Once sensitive data is identified and labeled, label it. Mark all critical assets as “internal only” or “confidential.” Whether the document is digital or paper-based, this is the quickest and easiest protection method. It provides employees with a visual cue to treat the document with care, and internal staff are almost always targeted by hackers.

3. Protect the Labeled Data with Technology
There are various technologies that you can employ to ensure your sensitive data stays safe. From encryption to digital rights management, from persistent document tagging to policy-driven data protection, there are several approaches to ensure data flows freely, but only on a need-to-know basis through proper technologies.

4. Have a Plan if Data is Stolen
Even with steps one through three in place, a data breach can still happen, so it’s critical to have an incident response plan at the ready. Following a detailed plan to avoid a data breach should be a healthcare provider’s first priority; however, in the event of a breach, have a disaster recovery plan prepared to minimize the damage.

Immediately following a breach, healthcare professionals should identify the information compromised, isolate the data and decide how to inform the patients impacted by the event. Altering the method to avoid future data breaches should be next priority, including thoroughly testing the EHR system.

As more healthcare organizations look to go digital, and work with EHR providers to establish more efficient work flows, cybersecurity should still remain a top priority. Considering the wealth of sensitive patient information a healthcare firm stores, it’s very likely that hackers will target the vulnerable root of the problem – EHR platforms.

About the Author: Mark Menke is the Chief Technology Officer of Network DLP at Digital Guardian, a data protection firm. Mark has over 20 years of experience in various roles from ASIC Design to IT and Security Consulting roles. Mark holds a Bachelor of Science degree in Electrical Engineering from Montana State University.

[rosterslider id=’3′]