HHS Threat Brief: Electronic Health Records

Feb. 23, 2022

The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center recently issued a threat brief about EHRs—in 2021, the average cost of a data breach for the healthcare industry was $9.23 million

Janette Wider

On Feb. 17, the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued a threat brief about electronic health records (EHRs). According to the brief, stolen healthcare data is the most valuable—in 2021, the average total cost of a data breach for the healthcare industry was $9.23 million.

The brief explains the benefits of using EHRs, including comprehensive patient-history records, shareability of patient data, better quality of care, and convenience. The brief also goes on to explain the risks, including user-related issues, financial issues, design flaws, security and privacy issues, lost or destroyed data, and the potential to be hacked.

“EMR/EHRs are valuable to cyber attackers because of the Protected Health Information (PHI) it contains and the profit they can make on the dark web or black market,” the brief continues. PHI can include names, dates of birth, Social Security numbers, account numbers, email addresses, internet protocol (IP) addresses, and more.

The brief states that “In 2020, at least 2,354 U.S. government, healthcare facilities, and schools were impacted by a significant increase in ransomware. The cyberattacks caused significant disruption across the healthcare industry.”

The brief adds that the top threats against EHRs are phishing attacks, malware and ransomware attacks, encryption blind spots, cloud threats, and employees. Forty million patient records were compromised in 2021.

Moreover, “HIPAA developed four tiers of penalties for failure to protect PHI: