HHS Threat Brief: Electronic Health Records

Feb. 23, 2022
The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center recently issued a threat brief about EHRs—in 2021, the average cost of a data breach for the healthcare industry was $9.23 million

On Feb. 17, the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued a threat brief about electronic health records (EHRs). According to the brief, stolen healthcare data is the most valuable kind of stolen data—in 2021, the average total cost of a data breach for the healthcare industry was $9.23 million.

The brief explains the benefits of using EHRs, including comprehensive patient-history records, shareability of patient data, better quality of care, and convenience. The brief also goes on to explain the risks, including user-related issues, financial issues, design flaws, security and privacy issues, lost or destroyed data, and the potential to be hacked.

“EMR/EHRs are valuable to cyber attackers because of the Protected Health Information (PHI) it contains and the profit they can make on the dark web or black market,” the brief continues. PHI can include names, dates of birth, Social Security numbers, account numbers, email addresses, internet protocol (IP) addresses, and more.

The brief states that “In 2020, at least 2,354 U.S. government, healthcare facilities, and schools were impacted by a significant increase in ransomware. The cyberattacks caused significant disruption across the healthcare industry.”

The brief adds that the top threats against EHRs are phishing attacks, malware and ransomware attacks, encryption blind spots, cloud threats, and employees. Forty million patient records were compromised in 2021.

Moreover, “HIPAA developed four tiers of penalties for failure to protect PHI:

  • First Tier: $100-$50K per incident (up to $1.5M)
  • Second Tier: $1,000-$50K (up to $1.5M)
  • Third Tier: $10,000-$50,000 (up to $1.5M) per incident
  • Fourth Tier: at least $50,000 (up to $1.5M) per incident”

The brief closes with recommendations: “Here are a few strategies that healthcare leaders should consider to strengthen their organization’s cyber posture:

  • Evaluate risk before an attack
  • Use VPN with multifactor authentication (MFA)
  • Develop an endpoint hardening strategy
  • Endpoint Detection and Response (EDR)
  • Protect emails and patient health records
  • Engage Cyber Threat Hunters
  • Conduct red team / blue team exercises
  • Moving beyond prevention”
