HHS Threat Brief: Electronic Health Records

Feb. 23, 2022
The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center recently issued a threat brief about EHRs. In 2021, the average cost of a data breach for the healthcare industry was $9.23 million.

On Feb. 17, the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued a threat brief about electronic health records (EHRs). According to the brief, stolen healthcare data is the most valuable kind of stolen data, and in 2021 the average total cost of a data breach for the healthcare industry was $9.23 million.

The brief explains the benefits of using EHRs, including comprehensive patient-history records, shareability of patient data, better quality of care, and convenience. It then explains the risks, including user-related issues, financial issues, design flaws, security and privacy issues, lost or destroyed data, and the potential to be hacked.

“EMR/EHRs are valuable to cyber attackers because of the Protected Health Information (PHI) it contains and the profit they can make on the dark web or black market,” the brief continues. PHI can include names, dates of birth, Social Security numbers, account numbers, email addresses, internet protocol (IP) addresses, and more.

The brief states that “In 2020, at least 2,354 U.S. government, healthcare facilities, and schools were impacted by a significant increase in ransomware. The cyberattacks caused significant disruption across the healthcare industry.”

The brief adds that the top threats against EHRs are phishing attacks, malware and ransomware attacks, encryption blind spots, cloud threats, and employees. Forty million patient records were compromised in 2021.

Moreover, “HIPAA developed four tiers of penalties for failure to protect PHI:

  • First Tier: $100-$50K per incident (up to $1.5M)
  • Second Tier: $1,000-$50K (up to $1.5M)
  • Third Tier: $10,000-$50,000 (up to $1.5M) per incident
  • Fourth Tier: at least $50,000 (up to $1.5M) per incident”

The brief closes with recommendations: “Here are a few strategies that healthcare leaders should consider to strengthen their organization’s cyber posture:

  • Evaluate risk before an attack
  • Use VPN with multifactor authentication (MFA)
  • Develop an endpoint hardening strategy
  • Endpoint Detection and Response (EDR)
  • Protect emails and patient health records
  • Engage Cyber Threat Hunters
  • Conduct red team / blue team exercises
  • Moving beyond prevention”
