Nearly all health care providers rely on electronic records systems to organize and store patient records. They are a relatively new tool, but in the past five years have become common throughout healthcare. Electronic Health Records (EHR) and Electronic Medical Records (EMR) systems are indispensable today. Not only do providers depend on them, but patients now use them to access their own records, obtain prescriptions, see test results and communicate with their providers. All good progress and a big change from only five years ago.
As with everything connected to the internet though, these electronic systems have risks. In fact, the U.S. Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) recently warned of EMR and EHR security risks in a brief because both are top targets for healthcare cyberattacks.
Although they are often used interchangeably, EMR and EHR are slightly different by definition. HC3 notes that “[a]n EMR allows the electronic entry, storage, and maintenance of digital medical data” while an “EHR contains the patient’s records from doctors and includes demographics, test results, medical history, history of present illness (HPI), and medications.” EHRs contain patient registration and billing information, appointment and scheduling information, and patient health data. Common EHR vendors include Epic, Cerner, and MEDITECH.
HC3 acknowledges that EMRs and EHRs have transformed healthcare providing convenience and accessibility for patients and providers alike, but user errors and design flaws make them vulnerable to attack. From the HC3 brief:
“EMR/EHRs are valuable to cyber attackers because of the Protected Health Information (PHI) it contains and the profit they can make on the dark web or black market.”
HC3 Advice Tracks the HIPAA Security Rule
The HIPAA Security Rule is a blueprint for defense against cybercrime. The HC3 analysis evaluates the current state of risks, and provides suggestions for how to reduce those risks. If you follow HIPAA carefully, you are most of the way there.
For example, HC3 urges healthcare organizations to help employees learn about cybersecurity awareness and avoid clicking suspicious links to prevent phishing. In addition, physicians need to verify EHR file-sharing requests before sending any patient data.
The HC3 brief also reminds us that data encryption protects and secures EMR/EHR data while it is being transmitted between on-site users and external cloud applications. Data encryption is a method to ensure transmission security – one of the technical safeguards required by the Security Rule. The brief notes:
“Blind spots in encrypted traffic could pose a threat to IT healthcare because threat actors or hackers are able to use encrypted blind spots to avoid detection, hide, and execute their targeted attack.”
HC3 also noted the dangers of insider threats and the need to keep data secure when using cloud services. Healthcare organizations are advised to “shift their focus by moving beyond a prevention strategy and creating a proactive preparedness plan.”
All of the recommendations from HC3 are already embedded in the Security Rule. If a covered entity is conducting an annual HIPPA Risk Analysis and following its Risk Management plan, each piece of advice will be implemented. The Security Rule Checklist in The HIPAA E-Tool® contains everything you need to know, with guidance about how to close your gaps in security, tailored to your organization.