On Feb. 17, the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued a threat brief about electronic health records (EHRs). According to the brief, stolen healthcare data is the most valuable—in 2021, the average total cost of a data breach for the healthcare industry was $9.23 million.
The brief explains the benefits of using EHRs, including comprehensive patient-history records, shareability of patient data, better quality of care, and convenience. The brief also goes on to explain the risks, including user-related issues, financial issues, design flaws, security and privacy issues, lost or destroyed data, and the potential to be hacked.
“EMR/EHRs are valuable to cyber attackers because of the Protected Health Information (PHI) it contains and the profit they can make on the dark web or black market,” the brief continues. PHI can include names, dates of birth, Social Security numbers, account numbers, email addresses, internet protocol (IP) addresses, and more.
The brief states that “In 2020, at least 2,354 U.S. government, healthcare facilities, and schools were impacted by a significant increase in ransomware. The cyberattacks caused significant disruption across the healthcare industry.”
The brief adds that the top threats against EHRs are phishing attacks, malware and ransomware attacks, encryption blind spots, cloud threats, and employees. Forty million patient records were compromised in 2021.
Moreover, “HIPAA developed four tiers of penalties for failure to protect PHI:
- First Tier: $100-$50,000 per incident (up to $1.5M)
- Second Tier: $1,000-$50,000 (up to $1.5M)
- Third Tier: $10,000-$50,000 per incident (up to $1.5M)
- Fourth Tier: at least $50,000 per incident (up to $1.5M)”
The brief also offers recommendations: “Here are a few strategies that healthcare leaders should consider to strengthen their organization’s cyber posture:
- Evaluate risk before an attack
- Use VPN with multifactor authentication (MFA)
- Develop an endpoint hardening strategy
- Endpoint Detection and Response (EDR)
- Protect emails and patient health records
- Engage Cyber Threat Hunters
- Conduct red team / blue team exercises
- Moving beyond prevention”