HHS Warns of EMR, EHR Security Risks

HHS's Health Sector Cybersecurity Coordination Center (HC3) warned of the electronic medical record (EMR) and electronic health record (EHR) security risks in a recent brief. EHRs and EMRs are top targets for healthcare cyberattacks.

Although they are often used interchangeably, HC3 noted that

"[a]n EMR allows the electronic entry, storage, and maintenance of digital medical data."

"EHR contains the patient's records from doctors and includes demographics, test results, medical history, history of present illness (HPI), and medications."

EMRs fall under EHRs and contain patient registration and billing information, appointment and scheduling information, and patient health data. Common EHR vendors include Epic, Cerner, and MEDITECH.

EHRs and EMRs have transformed healthcare delivery by providing extensive patient records, improving the quality of care, and making data more shareable and accessible. However, user errors and design flaws can transform EHRs and EMRs from a helpful tool to a security risk.

"EMR/EHRs are valuable to cyber attackers because of the Protected Health Information (PHI) it contains and the profit they can make on the dark web or black market,"

the brief stated.

As healthcare data breaches continue to increase, threat actors target EHRs with phishing attacks and ransomware.

HC3 urged healthcare organizations to educate employees and avoid clicking suspicious links to prevent phishing. In addition, physicians should verify EHR file-sharing requests prior to sending sensitive data.

"Data encryption protects and secures EMR/EHR data while it is being transferred between on-site users and external cloud applications,"

the brief continued.

"Blind spots in encrypted traffic could pose a threat to IT healthcare because threat actors or hackers are able to use encrypted blind spots to avoid detection, hide, and execute their targeted attack."

HC3 also noted the dangers of insider threats and the need to keep data secure when using cloud services.

To protect EMR and EHR data, HC3 recommended taking the following steps:

  • Evaluate risk before an attack
  • Use VPN with multifactor authentication (MFA)
  • Develop an endpoint hardening strategy
  • Endpoint Detection and Response (EDR)
  • Protect emails and patient health records
  • Engage Cyber Threat Hunters
  • Conduct red team/blue team exercises
  • Moving beyond prevention

Healthcare organizations should implement cyber incident response plans and technical safeguards to mitigate cyber risk.

"It is recommended that healthcare leaders shift their focus by moving beyond a prevention strategy and creating a proactive preparedness plan,"

HC3 concluded.

"This helps understand vulnerabilities in the current network landscape and provides guidance needed for framework that will be effective in identifying and preventing attacks, which is key to protecting EMRs/EHRs, along with access to vital patient data."