HHS alert: take a proactive approach to safeguarding EHR


The U.S. Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center recently released an alert about electronic health records (EHR).

According to the threat brief, healthcare covered entities must use a proactive approach to protecting EHR and electronic medical records (EMR).

RELATED: EMR or EHR? What’s the difference?

This is because EHRs contain protected health information (PHI) that is valuable to cyberattackers worldwide, and it is why an offense (combined with a good defense) keeps PHI safe from an unsecured data breach.

SEE ALSO: HIPAA compliant email

What are EMRs and EHRs?

EMRs are paper records converted into digital files. They can include information such as vaccination logs, medical charts, and other printed documents.

SEE ALSO: What is a personal health record?

An EHR contains a patient’s EMR as well as a wide variety of information beyond medical data. This could include demographics, billing information, and even personal preferences.

In a sense, an EHR is patient-centered, creating a complete record of a patient’s medical lifespan.

And such records are increasingly becoming more accessible to the patients themselves. We saw this push for openness under the HIPAA Right of Access Initiative launched in 2019. In fact, HHS’ Office for Civil Rights has fined several organizations for violating HIPAA and right of access.

But with this increased accessibility came an increased vulnerability to cyberattacks.

EHR: more vulnerable and attractive

The HHS brief lists 18 identifiers within an EHR that cybercriminals find most appealing:

Names
Dates
Telephone numbers
Geographic data
FAX numbers
Social Security numbers
Email addresses
Medical record numbers
Account numbers
Health plan beneficiary numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plates
Web URLs
Device identifiers and serial numbers
IP addresses
Full face photos and comparable images
Biometric identifiers
Any unique identifying numbers or codes
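Several of the identifiers in that list have a recognizable textual shape, which is what lets a data-loss-prevention check flag PHI in an outbound email body or a log line before it leaves the organization. The scanner below is an added example written for this article; it is not code from the HHS brief or from Paubox. It covers only the identifier types that can be matched by pattern (Social Security numbers, email addresses, telephone numbers, IP addresses, web URLs, and medical record numbers); names, dates, and the other categories have no reliable pattern and are left out. The medical record number format (the letters MRN followed by 6 to 10 digits) and the sample message are both assumptions constructed for the example.

```python
import re

# Patterns for the subset of HHS-listed identifiers that have a recognizable
# textual form. The MRN format is an assumption made for this example; real
# systems use many different record-number formats.
PATTERNS = {
    "Social Security number": re.compile(
        r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "Email address": re.compile(
        r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "Telephone number": re.compile(
        r"\b(?:\+1[ -]?)?\(?\d{3}\)?[ -]?\d{3}-\d{4}\b"),
    "IP address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "Web URL": re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE),
    # Assumed MRN shape: the label "MRN" followed by 6 to 10 digits.
    "Medical record number": re.compile(r"\bMRN[:# ]?\s*\d{6,10}\b", re.IGNORECASE),
}


def find_identifiers(text):
    """Return non-overlapping hits as (start, end, category, value) tuples."""
    hits = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), m.end(), category, m.group(0)))
    # Resolve overlaps (for example an IP address embedded in a URL):
    # keep the earliest, longest match and drop anything that overlaps it.
    hits.sort(key=lambda h: (h[0], -(h[1] - h[0])))
    resolved, last_end = [], -1
    for start, end, category, value in hits:
        if start < last_end:
            continue
        resolved.append((start, end, category, value))
        last_end = end
    return resolved


def summarize(text):
    """Count hits per identifier category, for an audit log or a block decision."""
    counts = {}
    for _, _, category, _ in find_identifiers(text):
        counts[category] = counts.get(category, 0) + 1
    return counts


def contains_phi(text):
    """True when at least one pattern-matchable identifier is present."""
    return bool(find_identifiers(text))


def redact(text):
    """Replace each hit with a category tag, working backwards so spans stay valid."""
    out = text
    for start, end, category, _ in sorted(find_identifiers(text), reverse=True):
        out = out[:start] + f"[{category.upper()} REDACTED]" + out[end:]
    return out


# Constructed sample message; every value in it is fictitious.
SAMPLE_EMAIL = """\
Hi team, forwarding the intake note for follow-up.
Patient contact: jane.doe@example.com, phone 808-555-0142.
SSN on file: 123-45-6789. MRN: 00483921.
Portal link: http://10.0.0.5/portal?id=7
Thanks, Front Desk
"""

if __name__ == "__main__":
    for category, count in summarize(SAMPLE_EMAIL).items():
        print(f"{category}: {count}")
    print(redact(SAMPLE_EMAIL))
```

In a mail gateway this check would run on outbound messages and attachments; a single hit is enough to quarantine the message for review, and the redacted copy is what gets written to the audit log so the log itself does not become another store of PHI.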

SEE ALSO: Personally identifiable information: HIPAA compliance key facts

HHS calls these identifiers appealing largely because of their value on the black market. Threat actors want access to EHR (and PHI) for extortion, fraud, identity theft, laundering, hacktivism/political agendas, and/or sabotage.

RELATED: What is a nation-state threat actor?

To add to this, healthcare organizations are more likely to pay a ransom than risk a shutdown or an exposure. Cyberattackers know this and take advantage of providers who need uninterrupted access to their systems to deliver patient care.

The more profitable a target, the more it is attacked, which of course means it needs stronger cybersecurity protection.

Move beyond prevention

This is why HHS recommends “that healthcare leaders shift their focus by moving beyond a prevention strategy and creating a proactive preparedness plan.” And why, in the past two years, the U.S. government has taken a do-not-trust, offensive position against cybercriminals.

RELATED: What is zero trust security?

The HHS brief includes the following top threats that healthcare providers should consider:

Interspersed within, HHS also offers some general guidelines and helpful safeguards to implement.

Cybersecurity education

Healthcare organizations need to educate their employees about their policies and procedures. Moreover, they should provide general cybersecurity knowledge and anti-phishing training.

SEE ALSO: Why anti-phishing training isn’t enough

Why? Untrained or fatigued employees can easily cause a breach, and some insider threats are deliberate. Human error remains a top cybersecurity problem.

Threat hunting

According to HHS, threat hunting is “a proactive practice that finds threat actors or hackers who have infiltrated a network’s initial endpoint security defenses.”

RELATED: What is endpoint security?

HHS encourages a strong endpoint detection and response program. Threat hunting, therefore, should be considered a checks-and-balances system to ensure all endpoints remain secure.

General cybersecurity controls

A strong cybersecurity program must also utilize administrative, physical, and technological controls.

RELATED: Understanding and implementing HIPAA rules

HHS mentions several controls that could accompany proactive security techniques:

Appropriate measures become clear when an organization evaluates its needs. HHS mentions risk evaluation (i.e., a HIPAA risk assessment) before an attack as well as auditing.

Email and EHRs

Finally, HHS also cites the importance of email security. This is because every aspect of digital communications must be secure. And unfortunately, email is the most vulnerable threat vector.

Within the brief, HHS focuses on two aspects of email security: URL filtering and attachment sandboxing.

RELATED: What is URL sandboxing?

We at Paubox would also add the need for Zero Trust Email to check and double-check every email, every attachment, that enters an employee’s inbox.

HHS insists that a change in strategy “helps [healthcare organizations] understand vulnerabilities . . . and provides guidance needed.” Evaluating and securing all possible threats with a proactive strategy can only save an organization from future cyber headaches.


About the author

Kapua Iao