More than any other database containing sensitive information for a large quantity of people, electronic health records (EHRs) are an especially attractive target for hackers. The patient data they hold can be used for financial gain, as recent reports show that stolen healthcare databases are being sold on the deep web for as much as US$500,000.
But we’ve also seen a number of instances where large data breaches have occurred at the hands of state actors looking to collect data for espionage purposes.
No matter the reasoning behind the attacks, today’s healthcare organizations must take EHR security very seriously as data breaches increasingly become the norm across the industry.
Switching from paper-based medical records to electronic can save organizations money, improve efficiency, and lead to a more integrated healthcare industry. However, certain governmental bodies are also encouraging the usage of EHRs, like the Centers for Medicare and Medicaid Services (CMS). The CMS has an EHR Incentive Program that “provides incentive payments for certain healthcare providers to use EHR technology in ways that can positively impact patient care.”
These initiatives are primarily responsible for the rapid adoption of EHRs among physicians. Research shows that while less than 20 percent of office-based physicians used any type of EHR in 2001, the adoption of electronic health records has more than doubled in the last ten years alone. Data collected in 2015 now shows that nine out of every 10 office-based physicians use EHRs, and 78 percent use certified EHRs.
This technology is being leveraged for more than just housing records, however. The same data shows that 64 percent of physicians exchange messages with patients through EHRs. Additionally, 63 percent of patients can electronically view their records and another 41 percent can electronically download their healthcare files.
EHRs, wearables, and other digital healthcare devices do in fact make the lives of patients and physicians simpler by bringing medical attention to patients’ homes almost instantaneously. All of the interfaces used to make telemedicine possible also transmit sensitive patient data to the cloud, EHR databases, and other data storage locations.
While telemedicine makes the process of caring for remote or less mobile patients easier, it also greatly broadens the potential attack surface, and makes it easier to identify weaknesses and exploit them in order to gain access to “protected” health information. While new medical devices and network connectivity certainly benefit the healthcare industry, the stakes are too high for organizations to proceed down the relatively unknown road of digital healthcare without proper security solutions in place.
The rate at which EHR systems and capabilities are being implemented is simply not being matched in terms of protecting critical assets with cybersecurity solutions, leaving behind “low-hanging fruit” for attackers.
To bridge this gap, healthcare organizations must consider adopting comprehensive technology and threat intelligence strategies. A sound EHR security strategy should have measures in place to monitor, detect, respond to, and mitigate breaches that result from attacks. An EHR security solution needs to be able to, at a minimum, stall threats and halt attacks at each phase.
Internal segmentation firewalls (ISFWs) are just one of the available technologies that are beneficial in protecting EHR data. ISFWs fill the gaps in network security against internal threats by isolating and monitoring sensitive EHR data, and offer flexible architectures necessary to protect agile healthcare environments. Other solutions include secure access control, the encrypted transportation and storage of data, and ATP technologies designed to detect and prevent advanced threats that target EHR files and databases.
The healthcare industry has come a long way in terms of organizing, sharing, and enhancing medical records over the past few decades. While electronic health records are improving the lives of many, but organizations need to take the security of these records very seriously. As long as patient health data remains valuable and new avenues are opened for cybercriminals to find their way inside, healthcare will remain a popular target.
Let’s get a conversation going on Twitter! How is your organization responding to threats and breaches of EHRs?