The U.S. Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center recently released an alert about electronic health records (EHR).
According to the threat brief, healthcare covered entities must use a proactive approach to protecting EHR and electronic medical records (EMR).
What are EMRs and EHRs?
EMRs are paper records converted into digital files. They could include such information as vaccination logs, medical charts, and other printed documents.
An EHR contains a patient’s EMR as well as a wide variety of information beyond medical data. This could include demographics, billing information, and even personal preferences.
In a sense, an EHR is patient-centered, creating a complete record of a patient’s medical lifespan.
Such records are also becoming more accessible to the patients themselves. We saw this push for openness under the HIPAA Right of Access Initiative launched in 2019. In fact, HHS’ Office for Civil Rights has fined several organizations for violating HIPAA and the right of access.
But with this increased accessibility came an increased vulnerability to cyberattacks.
EHR: more vulnerable and attractive
The HHS brief lists 18 identifiers within an EHR that cybercriminals find most appealing:
- Names
- Dates
- Telephone numbers
- Geographic data
- FAX numbers
- Social Security numbers
- Email addresses
- Medical record numbers
- Account numbers
- Health plan beneficiary numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plates
- Web URLs
- Device identifiers and serial numbers
- IP addresses
- Full face photos and comparable images
- Biometric identifiers
- Any unique identifying numbers or codes
HHS calls these identifiers appealing largely because of their value on the black market. Threat actors want access to EHR (and PHI) for extortion, fraud, identity theft, laundering, hacktivism/political agendas, and/or sabotage.
To add to this, healthcare organizations are more likely to pay a ransom than risk a shutdown or data exposure. Cyberattackers know this and take advantage of providers who need continuous access to their systems for proper patient care.
The more profitable a target, the more vulnerable it is, which of course means it needs stronger cybersecurity protection.
Move beyond prevention
This is why HHS recommends “that healthcare leaders shift their focus by moving beyond a prevention strategy and creating a proactive preparedness plan.” And why, in the past two years, the U.S. government has taken a do-not-trust, offensive position against cybercriminals.
The HHS brief includes the following top threats that healthcare providers should consider:
Interspersed within, HHS also offers some general guidelines and helpful safeguards to implement.
Healthcare organizations need to educate their employees about their policies and procedures. Moreover, they should provide general cybersecurity knowledge and anti-phishing training.
According to HHS, threat hunting is “a proactive practice that finds threat actors or hackers who have infiltrated a network’s initial endpoint security defenses.”
HHS encourages a strong endpoint detection and response program. Threat hunting, therefore, should be considered a checks-and-balances system to ensure all endpoints remain secure.
General cybersecurity controls
A strong cybersecurity program must also utilize administrative, physical, and technological controls.
HHS mentions several controls that could accompany proactive security techniques:
- Virtual private networks (VPNs)
- Multi-factor authentication (MFA)
- Encryption in transit (as well as at rest)
- Cloud access security broker technology
- Patching and updating (e.g., legacy systems)
- Antivirus software and firewalls
- Remote desktop protocols
Appropriate measures become clear when an organization evaluates its needs. HHS mentions risk evaluation (i.e., a HIPAA risk assessment) before an attack as well as auditing.
Email and EHRs
Within the brief, HHS focuses on two aspects of email security: URL filtering and attachment sandboxing.
We at Paubox would also add the need for Zero Trust Email to check and double-check every email, every attachment, that enters an employee’s inbox.
HHS insists that a change in strategy “helps [healthcare organizations] understand vulnerabilities . . . and provides guidance needed.” Evaluating and securing all possible threats with a proactive strategy can only save an organization from future cyber headaches.