Electronic health records (EHRs) are of value to cyberattackers because of the protected health information they contain and their profitability potential on the black market, according to a brief issued by Health and Human Services.
“Extortion, fraud, identity theft, data laundering, hacktivist/promoting political agenda and sabotage are some ways cyberattackers use this data for profit,” according to HHS.
The brief states that in 2020, nearly 2,354 U.S. government entities, healthcare facilities and schools were affected by a substantial increase in ransomware resulting in significant disruption across the healthcare industry. In addition, data breaches have risen significantly, according to HHS. In fact, in 2020 the healthcare industry had the third largest number of breaches on record since 2009, according to HIPAA Journal’s 2020 Healthcare Data Breach Report.
Data breaches that target EHRs have also impacted the healthcare industry financially. The brief cites an IBM study stating that the average cost per incident in 2021 was $9.3 million.
Phishing attacks, malware and ransomware attacks, encryption blind spots, and cloud threats are among the top threats against EHRs.
HHS recommends several strategies designed to strengthen a healthcare organization’s cyber posture including:
- Evaluate risk before an attack
- Use a virtual private network with multifactor authentication
- Develop an endpoint-hardening strategy
- Protect emails and patient health records
- Engage cyberthreat hunters
- Conduct red team/blue team exercises
- Move beyond prevention
“Healthcare leaders should understand where operational vulnerabilities exist in their organization, from marketing all the way down to critical health records,” the brief stated. "By understanding the scope of the task at hand, management and other healthcare leaders can create a preparedness plan to address any weaknesses in digital infrastructure."
Read the entire brief here.