EMRs are prime targets for cybersecurity attacks due to the valuable and sensitive nature of the personal health information (PHI) they contain. An exploratory study in 2022 found that healthcare breaches, on average, cost more than those in other sectors, with each compromised record costing an organization up to $150.
The healthcare sector experiences the highest cost of data breaches, with costs reaching $7.13 million on average in 2020, reflecting the extensive damage that can result from these incidents. Furthermore, the predominance of human error in enabling breaches, particularly through phishing scams which have been identified as the leading cause of compromise, illustrates the vulnerability of EMRs to both unintentional insider threats and malicious external attacks.
The portion of breaches attributable to carelessness or negligence (73.1% of all affected records from unintentional factors) further indicates why EMRs are attractive targets; they not only hold valuable data but are also protected by systems that can be compromised through human error.
See also: What are EMRs?
The main areas of attack for EMR’s
Phishing scams
Phishing scams stand out as the most prominent threat to EMRs, contributing to the largest number of compromised patient records. The analysis indicates that phishing scams alone are responsible for compromising more EMR records on average than any other cybersecurity threat. These scams typically involve deceiving healthcare employees into divulging sensitive information or credentials, leading to unauthorized access to EMRs. The study's found that 66.02% of the records affected by unintentional factors were due to phishing, demonstrating the effectiveness of this tactic in exploiting human error within healthcare organizations.
Ransomware attacks
Following phishing, ransomware attacks are a prevalent method of targeting EMRs, with attackers encrypting data to demand ransom from healthcare organizations. The study points out that ransomware accounted for 3.38% of the records affected by unintentional factors.
Technical vulnerabilities and improper disclosure
Technical vulnerabilities, such as software bugs, coding improprieties, and insecure configurations, also pose risks to EMRs. These can lead to unauthorized access and exposure of PHI. An analysis categorizes incidents stemming from technical issues under "technical improper disclosure," which accounted for 1.74% of the records affected. These vulnerabilities are often exploited by cyber attackers to gain access to or leak sensitive information.
Cyberattacks and external hacking attempts
External attacks by cybercriminals, including hacking attempts, are another primary area of attack. Unlike phishing or ransomware, these attacks do not necessarily rely on enabling actions by internal actors but rather exploit technical vulnerabilities or deploy sophisticated techniques to breach healthcare systems. These attacks accounted for 21.32% of the records affected by malicious factors, demonstrating the constant threat posed by external adversaries.
Malicious insiders
Malicious actions by insiders, such as employees or associates with access to EMR systems, who intentionally breach data for personal gain, revenge, or other motives, represent a smaller threat. Malicious insiders were responsible for 3.68% of the records affected by hostile factors.
The global forecast for EMR attacks
Based on the HHS assessment of EMR’s susceptibility to cyber threats the global market for EMR and Electronic Health Records (EHR) is poised for substantial growth. This is reflected by projections indicating it will reach $38.5 billion by 2030. This expansion is created by advancements in patient engagement, integration, big data, and standardization efforts that address existing documentation challenges.
Notably, the future of EMRs/EHRs will witness enhancements in areas such as integration and interoperability, cloud computing, and the application of blockchain technology, which alone is expected to see its market in healthcare grow at a compound annual growth rate (CAGR) of 39.9%, reaching $5.8 billion by 2028.
Additionally, the adoption of robotic process automation in healthcare, valued at $2.9 billion in 2022, is anticipated to reach $6.2 billion by 2030, further streamlining processes within EMR systems. The incorporation of Internet of Things (IoT) devices, artificial intelligence (AI), and wearable technology, with the IoT healthcare market expected to grow at a CAGR of 21.41% to $960.2 billion by 2030 and the wearable medical tech market forecasted to expand at a CAGR of 23.7%, reaching $95.4 billion by 2028.
See also: HIPAA Compliant Email: The Definitive Guide
FAQs
What are EMRs?
EMRs are digital versions of patients' paper charts, containing medical and treatment histories within one practice.
Is there a difference between EMRs and EHRs?
Yes, there is a difference: EMRs are the digital records within a single practice, while EHRs are a more comprehensive record of the patient's overall health that can be shared across different healthcare settings.
Why do EMRs need to be HIPAA compliant?
EMRs need to be HIPAA compliant to protect patients' health information from unauthorized access and breaches.
Kirsten Peremore
