Not Just Ransomware: Common EHR Threats You Need to Know
By Robert Lord
It is no secret that data breaches are becoming more common and increasingly expensive. New threats to patients’ electronic health records (EHRs) are constantly emerging, forcing healthcare organizations to be on the lookout for potential dangers so they can eliminate threats quickly. It is important for organizations to understand the array of potential threats to the EHR, allowing them to make decisions on how to best protect this sensitive data.
After talking with healthcare stakeholders inside hospital systems, the federal government, etc., and distilling themes that continually come up, I thought it would be useful to share what I’ve learned.
Phishing scams represent a very real danger to EHRs, but they are often overlooked by healthcare organizations because they assume such threats cannot break through their security. Phishing scams are email or social engineering attacks that try to appear legitimate in order to get healthcare employees to release patients’ sensitive medical information. Such attacks often use email or website scams to either target patients’ information directly or to obtain an employee’s username and password, thereby gaining access to that organization’s entire EHR.
Just recently, a phishing email disguised as official OCR Audit communication about Phase 2 Audits went out to healthcare organizations. Thankfully, it was only a misguided attempt at marketing for a cybersecurity firm, but it could have been much worse. In December 2014, an employee of Seton Healthcare Family opened a scam email. The resulting breach released the medical record numbers, Social Security numbers, insurance information, demographic information, and clinical data of 39,000 patients.
Nevertheless, even if phishing attacks are not the cause of a breach, they can still represent a threat. After the massive breach of Anthem Inc., for example, affected patients began receiving scam emails that promised them free credit monitoring, thus demonstrating that phishing attacks remain a threat even in the wake of a data breach.
The temptation to peek at the medical record of a celebrity or public figure represents a real threat to patient privacy. VIP patients deserve the same right to privacy as the general public, and steps need to be put in place to guarantee that their sensitive information is kept safe and the treating medical facilities out of the headlines.
In 2011, UCLA Health System came to a settlement with the federal government, agreeing to pay $865,000 after two unnamed celebrities alleged that UCLA employees had viewed their medical records without authorization. Two years before that, in 2009, California health regulators fined Kaiser Permanente $250,000 after some of its employees looked at the medical record of Nadya Suleman, the famous mother of octuplets. Unfortunately, there are many other examples of employees being fired or healthcare organizations being fined because they did not protect the privacy of their VIP patients.
The desire of relatives, friends, or even co-workers to snoop into patients’ records often results in messy – and costly – data breaches. In 2013, a nurse accessed the records of her nephew’s partner without authorization and saw that her nephew’s partner had given birth to a baby and put the child up for adoption five years earlier. The nurse then announced the news at a family funeral. After the victim sent a complaint to the hospital, the nurse was terminated and gave up her Florida nursing license.
A similar lawsuit involving Aspen Valley Hospital District and a former employee is currently ongoing. A former employee of the hospital, who was also a patient there, alleged that several employees of the hospital violated his privacy when they disclosed that he had HIV “as a piece of conversational gossip over drinks.” The unnamed patient is currently seeking an apology, compensatory damages, punitive damages, and attorney fees from the hospital. These are but two examples of how devastating these seemingly small breaches can be to the affected patients.
Some of the most dangerous threats to EHRs are criminal insiders. In this type of attack, an employee of a healthcare organization steals patient information from the inside, using his or her access to do so. Earlier this year, Jackson Healthcare Systems found out how dangerous these threats can be the hard way. In February, the health system reported that one of their employees had gone “rogue” and stolen the information of 24,000 patients over the course of five years. The stolen information included names, birth dates, home addresses, and Social Security numbers. As the Jackson Healthcare Systems example demonstrates, these breaches are so dangerous because they are so difficult to detect. In this case, it took five years before the organization was able to identify and eliminate the insider threat.
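The snooping cases above and the Jackson Healthcare insider case share one defensive lever: the EHR audit log already records who opened which chart and when, so the question is whether anyone reviews it. The following is an added example, not code from the original article or from Protenus, that runs three simple review rules over a constructed audit log: access to a flagged VIP record by someone outside the care team, access to a record whose patient shares the employee's surname without a care-team role, and one user touching an unusual number of distinct patients in a short window. The log format, field names, VIP list and threshold values are all assumptions made for the example.

```python
"""Added example: rule-based review of EHR access audit logs.

The log format below is hypothetical (one whitespace-separated event per line):
  timestamp  user  user_surname  patient  patient_surname  on_care_team(Y/N)  action
All sample data is constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed sample audit log: two normal care-team views, one VIP peek by a
# clerk, one legitimate VIP view by the treating physician, one employee opening
# a record with her own surname, and one clerk exporting six charts in six minutes.
SAMPLE_LOG = """\
2016-09-01T08:02:11Z u_nurse01 Alvarez p_1001 Okafor Y VIEW
2016-09-01T08:05:40Z u_nurse01 Alvarez p_1002 Chen Y VIEW
2016-09-01T09:12:03Z u_clerk07 Brennan p_2001 Sterling N VIEW
2016-09-01T09:14:55Z u_doc03 Sterling p_2001 Sterling Y VIEW
2016-09-01T10:30:00Z u_nurse02 Patel p_1050 Patel N VIEW
2016-09-01T11:00:00Z u_clerk09 Novak p_3001 Lee N EXPORT
2016-09-01T11:01:00Z u_clerk09 Novak p_3002 Kim N EXPORT
2016-09-01T11:02:00Z u_clerk09 Novak p_3003 Diaz N EXPORT
2016-09-01T11:03:00Z u_clerk09 Novak p_3004 Russo N EXPORT
2016-09-01T11:04:00Z u_clerk09 Novak p_3005 Haddad N EXPORT
2016-09-01T11:05:00Z u_clerk09 Novak p_3006 Moreau N EXPORT
"""

# Constructed: patient ids the privacy office has flagged for heightened review.
VIP_PATIENTS: Set[str] = {"p_2001"}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    user_surname: str
    patient: str
    patient_surname: str
    on_care_team: bool
    action: str


def parse_log(text: str) -> List[AccessEvent]:
    """Parse the hypothetical log format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, usn, patient, psn, team, action = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AccessEvent(stamp, user, usn, patient, psn, team == "Y", action))
    return events


def detect_vip_access(events: List[AccessEvent], vip: Set[str]) -> List[AccessEvent]:
    """Rule 1: a flagged (VIP) record opened by someone not on the care team."""
    return [e for e in events if e.patient in vip and not e.on_care_team]


def detect_shared_surname(events: List[AccessEvent]) -> List[AccessEvent]:
    """Rule 2: employee and patient share a surname and the employee has no
    care-team role. A crude relative check, but cheap and surprisingly effective."""
    return [e for e in events
            if e.user_surname.lower() == e.patient_surname.lower() and not e.on_care_team]


def detect_bulk_access(events: List[AccessEvent],
                       window: timedelta = timedelta(minutes=15),
                       threshold: int = 5) -> Dict[str, int]:
    """Rule 3: a user touches more than `threshold` distinct patients inside any
    sliding `window`. Returns {user: peak distinct-patient count}. The threshold
    is a constructed value; tune it against each role's real baseline."""
    findings: Dict[str, int] = {}
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        in_window: Counter = Counter()
        start = 0
        for end, e in enumerate(evs):
            in_window[e.patient] += 1
            while evs[end].ts - evs[start].ts > window:  # slide the left edge
                old = evs[start].patient
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > threshold:
                findings[user] = max(findings.get(user, 0), len(in_window))
    return findings


def review(events: List[AccessEvent], vip: Set[str]):
    """Run all rules and return (rule_name, human-readable detail) pairs."""
    out = []
    for e in detect_vip_access(events, vip):
        out.append(("vip-access", f"{e.user} opened VIP record {e.patient} at "
                                  f"{e.ts.isoformat()} without a care-team role"))
    for e in detect_shared_surname(events):
        out.append(("shared-surname", f"{e.user} ({e.user_surname}) opened {e.patient} "
                                      f"({e.patient_surname}) without a care-team role"))
    for user, n in detect_bulk_access(events).items():
        out.append(("bulk-access", f"{user} touched {n} distinct patient records in one window"))
    return out


if __name__ == "__main__":
    for rule, detail in review(parse_log(SAMPLE_LOG), VIP_PATIENTS):
        print(f"[{rule}] {detail}")
```

Each rule produces a lead for the privacy office rather than a verdict: the treating physician who shares a surname with a VIP patient is deliberately not flagged because the care-team field exempts her, and the bulk-access threshold needs to be set from the organization's own per-role history before it is useful. The value of even this small set of rules is that it turns a five-year-undetected pattern into something reviewed the same day.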
Business associates and contractors within healthcare organizations represent a growing vulnerability for the EHR, especially in recent years. The US Health and Human Services (HHS) established the Omnibus Rule in 2013, which required the business associates of healthcare organizations to adhere to the HIPAA Rules. Unfortunately, there is still much work to be done to address this vulnerability.
In July of this year, Catholic Health Care Services, a business associate for six skilled nursing facilities, agreed to pay $650,000 for HIPAA violations after a mobile device was stolen. The data breach affected 412 patients. Moreover, this is not an isolated incident; according to a report from Protenus and DataBreaches.net, 30 percent of all data breaches in the first eight months of this year involved a business associate of a healthcare organization. In other words, 4.5 million patients have been affected by data breaches of third parties thus far in 2016.
One final threat to EHRs is lost and stolen devices, including laptops and mobile devices. If the information on the lost device is not encrypted or the encryption is not working, all someone has to do is open the device and look at the information for a breach to occur. And if the device was stolen rather than simply lost, the thief already holds the data and, without working encryption, needs nothing more to be able to use it.
One example from this year involves Seim Johnson, an accounting and consulting services company. In February 2016, Seim Johnson reported to HHS that a laptop had been stolen. The encryption on the laptop malfunctioned, exposing the private information of almost 31,000 patients. And these types of breaches are becoming increasingly frequent, with Verizon’s 2015 Data Breach Investigations Report stating that 45 percent of all healthcare data breaches are the result of stolen devices.
As more and more healthcare organizations make the switch from paper to electronic health records, it will become increasingly important for organizations to be able to protect their patient records. Of course, this also means that threats to EHRs will become more varied and more sophisticated. Healthcare organizations must be well informed about the different types of threats that exist so they can put security measures in place to effectively combat them, and ultimately protect the privacy of their patients.
Robert Lord is co-founder and CEO of Protenus of Baltimore, MD.