Interconnectivity, more devices heighten security risk to EHRs
The federal Office for Civil Rights reported 24 healthcare cyber breaches January. The list includes not just big institutions but a number of smaller providers as well.
Health IT experts said such news should remind physicians that cyberattacks remain a serious threat – and one that many fail to address properly. They said many physicians still don’t understand that their electronic health record (EHR) systems are part of a large ecosystem where threats can come in anywhere and migrate throughout.
“Some doctors in these standalone practices have someone come in and do a firewall. That’s not going handle the threats,” said Michael Ebert, a partner at consulting firm KPMG who specializes in healthcare cybersecurity.
Meanwhile, cyberattacks are becoming more sophisticated every year, with hackers finding new ways to gain entry into systems, said Karen McMillen, CISSP, a security risk analyst with Asante, a nonprofit healthcare institution in Medford, Oregon.
For instance, she said hackers are starting to target medical devices that are networked with EHRs and other healthcare applications to gain entry into those systems. They’re increasingly going after smartphones, too.
Small practices might think they’re immune, being too small to offer much to hackers, McMillen said. But hackers actually see them as good targets, thinking (often correctly) that their security is weaker than bigger institutions.
Ebert said physicians should have software that: segregates levels of access to their EHRs to ensure only authorized personnel can access health records; monitors and reports on who accesses records; and encrypts data in transit and at rest.
Ebert said most physicians also need to boost their processes as well as their technology to guard against evolving cyberthreats. They need policies that require staff to regularly change their passwords and training to adequately prevent phishing attacks (which remain a significant entry point into systems for hackers).