Interconnectivity, more devices heighten security risk to EHRs

February 16, 2017

Physicians facing evolving cyberthreats need to evolve their security stance to avoid being weakest link in electronic ecosystem.

The federal Office for Civil Rights reported 24 healthcare cyber breaches January. The list includes not just big institutions but a number of smaller providers as well.

Health IT experts said such news should remind physicians that cyberattacks remain a serious threat – and one that many fail to address properly. They said many physicians still don’t understand that their electronic health record (EHR) systems are part of a large ecosystem where threats can come in anywhere and migrate throughout.

“Some doctors in these standalone practices have someone come in and do a firewall. That’s not going handle the threats,” said Michael Ebert, a partner at consulting firm KPMG who specializes in healthcare cybersecurity.

Meanwhile, cyberattacks are becoming more sophisticated every year, with hackers finding new ways to gain entry into systems, said Karen McMillen, CISSP, a security risk analyst with Asante, a nonprofit healthcare institution in Medford, Oregon.

For instance, she said hackers are starting to target medical devices that are networked with EHRs and other healthcare applications to gain entry into those systems. They’re increasingly going after smartphones, too.

Small practices might think they’re immune, being too small to offer much to hackers, McMillen said. But hackers actually see them as good targets, thinking (often correctly) that their security is weaker than bigger institutions.

Ebert said physicians should have software that: segregates levels of access to their EHRs to ensure only authorized personnel can access health records; monitors and reports on who accesses records; and encrypts data in transit and at rest.

Ebert said most physicians also need to boost their processes as well as their technology to guard against evolving cyberthreats. They need policies that require staff to regularly change their passwords and training to adequately prevent phishing attacks (which remain a significant entry point into systems for hackers).

Next: Taking extra steps

 

Taking extra steps

McMillen, a member of the Information Systems Security Association (ISSA) Healthcare Special Interest Group, pointed to additional technologies that can help counteract some of the newer threats.

She recommends software that prevents USB drives from being used (which is one way data can be stolen and malware introduced); mobile device management (MDM) software that secures mobile devices by encrypting data and allowing an administrator to remotely remove all data from lost or stolen devices; and secure platforms that allow for encrypted texting and data sharing among physicians, staff, EHRs and other applications.

She also cited cloud-based EHRs as a good option to consider, as cloud providers have more resources to focus on security than any one business does.

Similarly, Ebert said just as larger regional healthcare systems have started to offer EHR services to area physician practices, some are extending such services to include cybersecurity – a service that can bring a level of expertise that most physician groups can’t afford on their own.

He also said physicians should review the cybersecurity measures taken by partners, such as labs, to ensure they, too, have strong enough protocols in place.

Additionally, McMillen said physicians should document their security measures, first, to ensure that they’re being followed and, second, to prove that they took adequate steps if a breach occurs.

“Documentation isn’t just writing it down,” she explained. “Some of this documentation happens automatically, such as [records] backup that’s documented electronically. That can demonstrate compliance.”