EHR Information Security and Important Considerations for Your Practice
Building EHR Data Security Awareness and Resilience
When it comes to cybersecurity, there is good news and bad news for businesses in the healthcare industry. The good news is the technology used to safeguard against attacks is becoming more sophisticated. The bad news? The industry itself continues to be a top target for cybercriminals.
A recent article in the HIPAA Journal states that between 2009 and 2019 there were 3,054 healthcare data breaches involving more than 500 records.[1] At Modernizing Medicine®, we are proactive in our efforts to maintain EHR information security. That’s why we want to share some ways in which these threats have evolved, not only in the last 10 years but since the start of the pandemic. We also want to arm you with a few important tips that can help your practice be more cybersecurity aware, and highlight some of the critical information outlined in our webinar, Building Resilience in Your Data Center and in the Cloud.
Cybersecurity and the Healthcare Industry
So, why is the healthcare industry, and by extension the health IT industry, among the most targeted, especially during the COVID-19 pandemic? That’s best summed up in this quote from a Becker’s Hospital Review article:[2]
“Several compounding factors have made healthcare organizations targets at this time; they are likely to pay the ransom to restore systems as quickly as possible and resume patient care. They also hold valuable information about COVID-19 research and vaccines.”
Ransomware, the method of locking up systems and data to extort money from healthcare organizations, is an avenue of attack that’s becoming more and more popular among cybercriminals.
However, if you went back and looked at the most common cybercrimes between 2009 and 2015, you’d probably find (as the HIPAA Journal did) that the “…loss or theft of healthcare records and electronic protected health information was more common. However, the policies and procedures that govern protected health information have evolved and the use of encryption is more widespread, which has helped to limit these types of attacks.”
Likely in response to improved security practices by health care providers, cybercriminals changed their tactics as well, and now attacks that involve hacking and IT incidents dominate the breach reports.[1]
What will dominate these reports 5, 10, 15 years from now? Only time will tell. And that is probably one of the most challenging aspects of data security. Threats to EHR information security are always evolving, but thankfully, so are the defenses that can help protect sensitive information, and by extension, our businesses.
Top Information Security Threats
Before you can begin to defend yourself and your business against the threats that are out there, you have to understand them. You don’t want to get too close to them, of course, but you do want to understand their nature and make sure everyone in your practice is well-versed in how to recognize suspicious activity.
Information Security and COVID-19
What did cybercriminals do when the U.S. was hit with a pandemic? They took advantage of the situation: the increase in the number of people working from home and public spaces, security teams that are working increasingly off-site, workforce reductions, overworked clinicians, the rise in virtual meeting platforms, and the rise in urgent electronic communications related to COVID-19 all left us potentially more vulnerable. The new normal, in many ways, represents another opportunity for cybercriminals to exploit potential weaknesses. So the next time you get an unsolicited email, a COVID-19 healthcare update, or a Zoom call invite from an unknown entity, follow the latest guidance and notify your security consultant or in-house team before you open it.
What Is Malware?
Malware is short for malicious software and according to Microsoft, this catch-all term refers to “any software designed to cause damage to a single computer, server or computer network, whether it’s a virus, spyware, et al.”
What Is Ransomware?
Ransomware is a type of malicious software (or malware) that infects your computer. It displays messages asking you to pay a ransom in order to restore access to your computer. This is ransomware in its simplest form; however, today’s hackers may also threaten to delete or make public all of your files if you do not pay the ransom.
The Anatomy of a Ransomware Attack
A hacker can gain access to your computer using many different methods. The most common is email. For example, you might receive an email that looks legitimate and contains a link. You click on the link and, all of a sudden, malicious software is being installed on your computer. That malicious software then serves as a gateway for the hacker to come in and gain access to your computer. Once they have access, they can lock up (encrypt) every file the malware can “see,” including files on network-adjacent file servers. You will then be asked to pay a certain amount of money in order to unlock your files. These attacks happen not only on computers, but also on cell phones and other devices. Some hackers even impersonate law enforcement to coerce victims into giving them money.
An Example of a Ransomware Attack
In the fall of 2020, one of the largest health care providers in the United States, Universal Health Services (UHS), was attacked. The attack caused outages to computer systems, phone services, the Internet and their data centers. Months later, UHS was still recovering from the attack, which made it incredibly difficult to understand exactly how much financial impact it had on the company.
What is Phishing?
Several different things fall under the category of phishing. But in most cases, the attacker is pretending to be someone they’re not in order to gain your trust under false pretenses, so that you’ll take an action (like clicking a link) that allows malware to install itself on your computer.
An Example of a Phishing Attack
One or more employees within an organization receive an email. The email is branded to make it look like it came from the organization and is signed by the HR department head. It announces a change to the company’s 401K benefit administration system and requires that employees log in to the system to update their social security numbers and other personal data. However, the link in the email goes to a false website crafted to look like the official website of the 401K benefit administrator. Employees are asked to provide their login credentials or personal information to sign in. Once the attacker has that information, they can log in to the employees’ accounts at a later date and/or use their personal information to open credit cards, loans, etc.
What are Advanced Persistent Threats?
Advanced Persistent Threats (APTs) are a compound package of several different things. They combine multiple attack vectors, pieces of malware and exploit attempts, all wrapped into one package so that it can be installed on a computer. Once installed, each component is unpacked and does its part.
What is Unauthorized Use or Disclosure?
This happens when someone in your organization discloses sensitive information to an unauthorized party. Sometimes the person at the organization does this intentionally. Other times, they are coerced or tricked by someone who is trying to steal the information and use it for nefarious purposes.
Top Cybersecurity Defenses
A great resource for the most up-to-date information on what you can do to protect your business is the Cybersecurity and Infrastructure Security Agency (CISA).
Here are some basic tips and tactics that may help your practice build a stronger defense against these types of attacks:
1. Never underestimate the human element.
Here at Modernizing Medicine, we train our staff regularly, educating them on the threats that are out there so they know what to watch out for and can report anything that looks suspicious. You have to challenge what you see, even if you think it’s the CEO of the company. Says Jay Schwitzgebel, Chief Information Security Officer at Modernizing Medicine, “Stop and think: Why would the CEO of my company be asking me this? And should I click this link or should I pick up the phone and call her? Those things are important.”
2. Use strong authentication.
We’ve all been told to create strong passwords, but at the end of the day, many people choose convenience over security. They want a password they’ll remember. There are ways to bring these two elements together: strong passwords as well as ease of use. Password managers can help you select strong passwords and make it easier to sign in. Multi-factor authentication also provides another layer of security.
3. Don’t use server-class computers to surf the web.
If infected, these computers give potential hackers a wealth of access. Instead, use a computer with restricted admin rights to mitigate the damage that may come from an attack.
4. Restrict admin rights.
As we touched on in #3, it’s important to consider the level of access a user is permitted to have on their computer. Denying most users administrator-level privileges on their computer and granting them regular user access instead can help contain a cyber attack.
5. Make sure you’re running the latest version of your applications and software.
When Microsoft or another software vendor releases security patches, they need to be installed. The longer you go without updating your software, the more vulnerable you become. And keep in mind that when your software reaches end-of-life (as Windows 2008 has), no more security patches will be available, potentially putting you at greater risk.
6. Keep your backups offline.
It is important to back up your data regularly and to keep your backups offline, on portable media or in a portion of your network that is isolated from the rest of your network. “The first thing ransomware goes after is your backups. It knows the file structures, the suffix on your files, and if it can find your backups online, it will encrypt those first,” explains Schwitzgebel.
7. Ensure that the ports, or “unused windows,” in an un-hardened system are closed.
An un-hardened system is one that hasn’t been fully configured or updated according to best-practice security rules and standards that remove unnecessary applications and services. These systems are more open and vulnerable to cybersecurity attacks. For more information, talk to your security contact or staff.
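As an added example (not from the original article or from Modernizing Medicine), here is a POSIX shell script that implements the “unused windows” check from tip 7 on a Linux server: it lists the TCP ports the host is listening on and flags any that are not on an explicit allowlist. The ss(8) output and the allowlist of ports 22 and 443 are constructed assumptions so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a Linux host's listening TCP ports against an allowlist.
# Replace SAMPLE_SS_OUTPUT with "$(ss -Hltn)" to audit a live host.

# Assumption: only SSH (22) and the HTTPS front end (443) should be reachable.
ALLOWED_PORTS="22 443"

# Constructed sample of `ss -Hltn` output (local address:port is column 4).
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Read ss-style lines on stdin; print each distinct listening port number.
# The port is the text after the last ":" (handles 0.0.0.0:22 and [::]:22).
listening_ports() {
    awk '{ n = split($4, a, ":"); print a[n] }' | sort -un
}

# unexpected_ports "<ss output>" "<space-separated allowlist>"
# Prints the listening ports that are not on the allowlist, one per line.
unexpected_ports() {
    printf '%s\n' "$1" | listening_ports | while read -r port; do
        case " $2 " in
            *" $port "*) ;;                 # expected: on the allowlist
            *) printf '%s\n' "$port" ;;    # unexpected: flag for review
        esac
    done
}

# audit_listeners "<ss output>" "<allowlist>"
# Returns 0 when only allowlisted ports are listening, 1 otherwise.
audit_listeners() {
    extra=$(unexpected_ports "$1" "$2")
    if [ -n "$extra" ]; then
        echo "Unexpected listening ports (review, close, or add to the allowlist):" >&2
        echo "$extra" >&2
        return 1
    fi
    echo "Only allowlisted ports are listening." >&2
    return 0
}

# Stand-alone run against the constructed sample; 445 and 3306 are flagged.
audit_listeners "$SAMPLE_SS_OUTPUT" "$ALLOWED_PORTS" || echo "audit status: $?" >&2
```

Run it from a scheduled job on each server and treat a non-zero exit as a finding to triage, the same way you would treat a missed patch.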
Comparing Your Options: Cloud vs On-Premise Server
There are pros and cons both to maintaining your critical business systems and applications in a local data center under your direct control and to outsourcing some, most or all of your critical data and systems to a cloud-hosted model.
One thing to remember, however, is that if a virus infects your on-site data center, that virus has the potential to spread to your email server, your EHR system, your file server and other key elements of your IT infrastructure. In this environment, it can be more difficult to contain the spread of a virus, whereas a cloud-hosted environment is naturally more compartmentalized or isolated from your end-user computers. This means there may be less opportunity for malware to spread from end-user computers to your more critical infrastructure.
This chart provides a detailed analysis of the pros and cons of storing your data in a cloud-hosted environment versus an on-premise server.
| Cloud-Based EHR Pros | Cloud-Based EHR Cons |
|---|---|
| Natural compartmentalization of network assets/services | Reduction in direct control |
| Shared benefit of cloud provider’s economies of scale | Dependence on a third party |
| Shared responsibility (but not ultimate accountability) for IT and security maintenance and operations with cloud providers | Reduced visibility into the maturity of the cloud provider’s internal controls |
| Pooled benefit of multiple customers forming a large customer base for cloud provider investments in state-of-the-art technologies and controls | Migration of sensitive data outside of the traditional network fortress |
Our Approach to Security
At Modernizing Medicine, we take EHR information security seriously. We practice what we preach by doing regular backups, applying patches, conducting regular employee training, submitting to penetration testing, using restricted admin rights and providing 24/7 managed security operations.
[1] Healthcare Data Breach Statistics, HIPAA Journal, 02/18/2020.
[2] ‘It’s not a good week for healthcare’: Health System IT Execs React to Recent Ransomware Attacks, Beckers Health IT, 10/3/2020.