Updated May 23, 2023

When Maria learned that her medical records had been breached and might be published on the internet for sale, she was devastated. She had been in treatment for cancer and depression and had kept much of it private, even from family members. She trusted her doctors and the hospital where she received treatment. They were reputable. What had gone wrong?

In Maria’s case, what went wrong was a cyberattack on the electronic health records (EHR) vendor used by the hospital. She was only one victim among thousands affected by this breach. Unfortunately, millions of individuals have had their records stolen or compromised this way, via healthcare cyber attacks and breaches, and the problem may be growing.

EHR Systems are Prevalent and Here to Stay

Electronic health records (EHR) systems have revolutionized recordkeeping for patient information but they also may be the Achilles heel for maintaining patient privacy. Closely related are electronic medical records (EMR) systems; healthcare providers commonly use both.

Note: Although the terms are often used interchangeably, EMR and EHR are slightly different by definition. HHS notes that “[a]n EMR allows the electronic entry, storage, and maintenance of digital medical data” while an “EHR contains the patient’s records from doctors and includes demographics, test results, medical history, history of present illness (HPI), and medications.” EHRs contain patient registration and billing information, appointment and scheduling information, and patient health data. Common EHR vendors include Epic, Cerner, and MEDITECH.

HHS Warns of EHR Cybersecurity Risks

The U.S. Department of Health and Human Services (HHS) recently published a new “threat brief” about the cybersecurity risks for EHRs and EMRs – Electronic Medical Records Still a Top Target for Cyber Threat Actors.

This is the second warning about the security risks of EHR and EMR systems from HHS – an earlier one was published in February, 2022. 

The latest brief reviews the prevalence of electronic records and explains their benefits; for convenience, efficiency, information-sharing and patient engagement. It also reviews the risks related to user error, financial issues and design flaws that create barriers to usage.

Top Threats Against EHR and EMR Systems

Noting that electronic medical records are a top target for cyber thieves, the brief emphasizes they also have privacy/security issues, are vulnerable to hacking, can lose or destroy data, and can contain inaccuracies. EHR downtime in the event of a breach threatens patient care.

The top seven threats to EHR and EMR systems include:

• Phishing attacks
• Fraud
• Data breaches and vulnerabilities
• Malware and ransomware attacks
• Encryption blind spots
• Cloud threats/Third-party risks
• Employees/Insider threats

Patient Data is Valuable to Criminals

According to the brief:

“EMRs/EHRs are valuable to cyber attackers because of the protected health information (PHI) information they contain and the profit they can make on the dark web or black market.”

And PHI “provides criminals with more information than any other breached record. Extortion, Fraud, Identity Theft, Data Laundering, Hacktivist/Promoting Political Agendas and Sabotage are some ways cyber attackers use this data for profit.”

Because EHR vendors often have multiple healthcare provider customers, they contain patient data from multiple organizations. One theft from one EHR vendor contains a treasure trove of valuable data from thousands of patients.

Recent EHR Cybersecurity Breaches

Numerous breaches of EHR systems have occurred in recent years. Some recent ones include:

• the BlackCat Ransomware group’s attack on the NextGen EHR system. The NextGen EHR vendor had over 2,500 healthcare provider customers, so the attack potentially compromised hundreds of thousands, or more, patient files. NextGen explained to the press that ultimately, no patient files were stolen, so the matter was resolved although we don’t know the full story.
• NOTE: a separate, later and much larger data breach was reported by NextGen on April 28, 2023, affecting 1.05 million patients.
• in May, 2022 a major EHR vendor, EyeCare Leaders, reported a breach that affected 1.5 million patients among at least twenty-four of its eye care provider customers nationwide.
• an Oregon health system, Asante, notified 8,800 patients that their records had been breached by a physician who viewed patient records in the EHR system for 8 1/2 years, without permission.

Cybersecurity Breach May Violate HIPAA

The HIPAA Breach Notification Rule requires covered entities and business associates to follow specific actions to manage and report the breach. Both covered entities and business associates (like EHR vendors) are required to have HIPAA policies and procedures in place and both are required to conduct an annual HIPAA Risk Analysis.

The HHS brief reviews the civil money penalties that may be imposed in the event of a HIPAA violation. Even when a breach occurs due to an outside attack, a healthcare provider or a business associate may have violated HIPAA if they failed to do enough to safeguard the security and privacy of patient information.

HHS Recommendations to Protect EHR Systems and Patient Data

Read the brief for a full explanation of each recommendation, but a summary is:

• Use a “zero trust security model” on your network
• Follow the Cybersecurity and Infrastructure Agency (CISA) measures to Protect Against Potential Critical Threats
• Generally, strengthen your organizational cyber posture

The easiest way to strengthen your cybersecurity is to follow HIPAA – use the Security Rule Checklist, conduct an annual HIPAA Risk Analysis and provide workforce cybersecurity training to prevent an EHR breach, or help you respond in case one happens. You can save enormous costs, valuable time, and prevent the loss of sensitive patient data.