EHR vendors: The next target for healthcare hackers?

On June 10th, the firm Medical Informatics Engineering informed customers that it was the victim of a cyber-attack that resulted in the theft of data. The firm is the maker of NoMoreClipboard, a web-based electronic health record (EHR) platform that allows doctors' offices to manage patient information via a web-based portal.

Attackers made off with protected health information on patients of "certain Medical Informatics Engineering clients." Data including the patients' names, mailing addresses, email addresses and dates of birth were compromised. For some unstated number of patients, additional information stolen included Social Security Numbers, lab results, dictated reports, and medical conditions.

The hack follows similar advanced attacks of healthcare firms Community Health Systems, Premera and Anthem. It's no secret that the healthcare industry is a gold mine of extremely valuable data for hackers. Physicians' offices, emergency rooms and healthcare insurers hold a treasure trove of personal, sensitive information – just waiting for the next hacker to intrude.

As attacks and the artists behind them get more sophisticated, EHR vendors must be prepared for the repercussions, especially following the case of Medical Informatics Engineering. In fact, 2016 may be the year when electronic health record vendors become the next major target.

The Motive Behind EHR
Health data hackers are moving upstream: from hospital networks or insurers who might represent patients in a particular geographic area, to now, an EHR service provider with customers all over the country. The reality is that thieves bent on identity theft, account hijacking or sophisticated spear phishing and social engineering attacks choose health firms because the personal data can easily be used for monetary gain.

Web-based EHR systems easily allow them to access data from hundreds or thousands of health networks in one fell swoop. Additionally, like other similar applications, it's likely that web-based EHR systems suffer from many common vulnerabilities that might give attackers access to backend systems and data – from SQL injections to cross site scripting.

Additionally, to complicate the risk, the Affordable Care Act has created significant incentives for doctors' offices to embrace EHR systems, as these technology systems are known to replace inefficient, paper-based medical records systems. Most web-based EHR platforms allow physicians to reap the advantages of these efficient tools without needing to invest in hardware, software and IT staff to manage them – which is a big bonus in the healthcare industry, where the margins are small.

To remain secure, healthcare organizations using EHR platforms should consider implementing the following precautions while using the web-based portals:

1. Understand the Risk
Both EHR firms and physicians' offices who use these services should take note that sophisticated attackers are on to them, and that EHR application servers are now squarely in the crosshairs of these malicious actors. The first step in realizing the risk always begins with cybersecurity education, throughout the entire healthcare firm. In addition to regular training sessions, be sure to conduct EHR risk assessments continually to ensure the level of risk is kept at a minimum.

2. Recognize the Valuable Data
All too often, healthcare firms and the EHR providers they work with, have no idea where the most valuable data is stored and who has access to it. All parties involved must know what the sensitive data is if they want to prevent it from being stolen. Simply identifying the crown jewels can feel like a daunting task, but it doesn't have to be. Start with your most critical data — the data you know a hacker is after. This can be in the form of financial and personal data, but also spans to include lab tests, diagnosis reports, and other medical-based information. Get that identified first and then move to the next organizational function.

3. Protect the Data
This is going to sound very basic, but once sensitive data is identified, the immediate next step is to label it. Mark all critical assets as "internal only" or "confidential." Whether the document is digital or paper-based, this is the quickest and easiest protection method. It provides employees with a visual cue to treat the document with care, and internal staff are almost always targeted by hackers. There are also additional technologies that you can employ to ensure your sensitive data stays safe. Data at rest discovery tools can be utilized to help minimize the amount of stored sensitive data and contain it to protected locations. In addition, vendors should consider encryption, network security, persistent document tagging and policy-driven data protection – these approaches ensure data flows freely, but in a secure way.

4. Be Prepared for a Breach
Understand that a data breach can happen, so it's critical to have an incident response plan at the ready. Following a detailed plan to avoid a data breach should be a healthcare provider's first priority; however, in the event of a breach, have a disaster recovery plan prepared to minimize the damage.

Immediately following a breach, healthcare professionals should identify the information compromised, isolate the data and decide how to inform the patients impacted by the event. Altering the method to avoid future data breaches should be next priority, including thoroughly testing the EHR system.

Overall, as with healthcare companies and hospitals, the focus should be on removing "low hanging fruit" that can lead to compromises and putting in robust detection tools to shorten the window of exposure in the event of a compromise from weeks to days, hours or – ideally – minutes. The less time attackers have on the network, the less damage they can do to an organization.

By Mark Menke, Principal Architect, Network and Cloud Security, Digital Guardian.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.

 

Featured Whitepapers

Featured Webinars