Top-5 cyber threats to EHR systems and how to deal with them

6 minute read
EMR security

Knowing the most common cyber threats is the first step towards preventing them.

Considering how many people have enrolled for vaccinations in the last year, it is not difficult to imagine how many new medical records have been created. Some people who only visit a doctor for emergency treatment have now joined the largest vaccination deployment in history. Although the vaccination process is not tied directly to a person’s primary care provider, the gathered information is no less valuable to a criminal. And given that hackers’ interest in electronic medical records (EMR) has increased in recent years, organizations should keep their eyes and ears open for possible new threats. As you may know, “forewarned is forearmed”. So, warning yourself with the knowledge of the most popular cyberattacks is the first step towards arming yourself with efficient EMR policy and procedures.

Phishing

Phishing is the simplest, yet highly dangerous, cyberattack on EMR security systems. According to the FBI, it is the most common crime type, with almost 250 thousand victims over the last year. The purpose of phishing is to gain access to confidential user data (logins and passwords). For that, criminals use a straightforward scheme. They send an email asking the user to follow a malicious link inside. Once the user does it, the attackers capture personal data and take control over the user’s account.

Although phishing attacks have been around for a long time, hundreds of people still fall for this trick and personally leak critical data to attackers.  Unfortunately, this situation continues year after year, primarily due to: 

  1. more sophisticated attacks
  2. insufficient user awareness 

For the EMR system, this means rapid penetration by third parties to secure patients’ data. To avoid this, organizations should use a set of preventive measures such as:

  • email filters 
  • browser alerts 
  • network access control 
  • multi-factor authentication 
  • security patch updates
  • data backup

Besides, organizations should pay more attention to users’ education and explain advanced types of phishing attacks to users. For example, the users must know they can be hacked through: 

  • shortened links
  • fake brand logos 
  • fake attachments
  • hypertext
  • password-protected documents
  • shared drive links
  • notifications
  • abnormal direct messages
  • etc.

Malware

Malicious software (malware) is an umbrella term for malware or code that harms a computer system. Malware penetrates a laptop, tablet, phone, or any other device and takes control over specific processes inside it.

The purpose of malware developers is to receive illegal profits. Although malware cannot damage the system hardware or network equipment, it can steal, encrypt or delete data, change computer functions or take control of them. In addition, it can monitor computer activity without the user’s knowledge.

Malware poses a serious threat to EHR (electronic healthcare records) security and can put a crimp in timely patient care. For example, imagine a doctor has an emergency case and needs to access the patient’s electronic record for vital background information. Unfortunately, the medical clinic’s system has been infected with malware which denies the doctor access and places the patient’s life in danger. Obviously,  EHR security breaches may cost lives. 

Given the above, organizations must take steps towards establishing medical records protection. The primary security measures should consist of reliable software developed under SSDLC standards. Currently, there is no shortage of virus writers who want to benefit from a software vulnerability. They search for flaws in software code or logic to gain entry to sensitive data and may threaten to damage a company’s reputation.

HIPAA standards require data to be encrypted when stored and transmitted. However, the document doesn’t specify the measures to be taken and technologies to be used. Given this, it is essential to hire experienced security engineers who can implement a robust encryption algorithm taking into account the project nature. This task requires a smart combination of creativity and deep knowledge of security implementation techniques that will allow the protection of data without affecting the user experience.

Encryption blind spots

The expansion of Internet technologies creates more privacy concerns among users; that is why 90% of the transmitted traffic is now encrypted. However, while global information encryption protects users’ interests, it creates an extra loophole for attackers. Malicious traffic is also being encrypted by hackers, impersonating legitimate traffic, so anti-virus programs fail to recognize it among white data flows, allowing the malware to seep through encryption blind spots.

To establish patient information security, EMR cybersecurity engineers must set up strong firewalls with enhanced traffic filtration. In addition, they should find a network security solution that will provide a more precise traffic check while maintaining high application performance.

The HIPAA compliance checklist requires data to be encrypted when stored and transmitted. However, the document doesn’t specify the exact measures to be taken and technologies to be used. Given this, it is essential to hire expert developers who can implement a robust encryption algorithm considering the project’s nature. This task requires a smart combination of creativity and deep knowledge of security implementation techniques to protect data without affecting the user experience.

Cloud leakage

Today, many organizations choose cloud-based infrastructure because of the quick access to IT resources and effortless scaling. However, moving to the cloud means placing the patient database on third-party servers and entrusting external companies with EMR security. This prospect may be terrifying for some companies as they fear losing control over critical information. However, the likelihood of unauthorized access to data in the cloud is no greater than that on local resources. Moreover, if you choose a reliable cloud provider and skilled cloud engineers, you will get more robust protection than in the local space.

Having said that, no cloud provider will give you a 100% guarantee against malicious intervention. Therefore, to increase the security of your healthcare records, you need to take the following steps:

  • be aware of the aspects of cloud security you are responsible for, rather than totally rely on the cloud provider
  • understand cloud architecture to avoid security vulnerabilities due to misconfiguration
  • disable unused ports and delete unnecessary processes and instances as they can lead to vulnerabilities
  • use sophisticated encryption techniques to establish EMR data privacy in storage and during transit
  • implement EHR security measures according to HIPAA EMR requirements 2022

Insiders

Probably, the most common threats to healthcare records are associated with hospital insiders. These include threats from employees, former employees, partners, contractors, etc. Data leakage can occur due to the malicious intent of people with direct access to medical records. But, more often than not, breaches occur due to users’ insufficient security education and negligence in following security protocols. 

To minimize human error, organizations must create a corporate culture focused on security and data protection. Staff must be made aware of potential security loopholes and also of their responsibility for data integrity. Establishing and maintaining a security culture is an ongoing process. It should cover all the aspects of the company activity to remove potential issues with electronic medical records. Here is what organizations can do to establish such a culture: 

  • develop a documented security policy that will describe the roles of employees, areas of responsibility, and an algorithm of actions in certain situations
  • conduct regular workshops and encourage employees to take courses on security issues
  • create user accounts with differentiated access to medical records
  • regularly change passwords to corporate resources
  • delete the accounts of employees who no longer work in the company
  • imitate hacker attacks and analyze the employees’ behavior

Summing up

Global digitalization enables more efficient data management but creates additional security threats and data leakage methods. For hospitals that store critical medical records, cybersecurity attacks are especially dangerous. They may cost patients’ lives, doctors’ good names, and the company’s reputation. To avoid this, organizations should analyze their systems for potential weaknesses and understand the dangers posed by hackers. Then, armed with this knowledge, they should take steps to prevent cybersecurity attacks and establish reliable EMR protection.

October 26, 2021