How EHRs are targeted in cyberattacks

Electronic Health Records (EHRs) are lucrative, making them attractive targets for cybercriminals and driving the need for robust security measures. Hackers exploit vulnerabilities in these systems to gain unauthorized access, often through phishing, malware, or exploiting weak passwords. 

The value of EHRs to threat actors

EHRs are frequent targets of cyberattacks because they store sensitive information necessary to healthcare operations, including personal, medical, and financial data. 

According to a study from The Journal of the Missouri State Medical Association, “The healthcare industry is the perfect cyber attack victim because it depends on technology for patient care and revenue cycles. Today, the healthcare industry has become the number one victim of cyber attacks. In 2022, there were 1,463 cyber attacks per week globally.” Attackers exploit vulnerabilities in EHRs to gain unauthorized access, often targeting weak points in security measures or using sophisticated malware.

The value of EHRs to threat actors extends beyond data theft; information is used to disrupt healthcare services, delay treatments, and manipulate medical records. Compromising EHRs can directly impact patient care and safety, giving attackers leverage to demand large ransoms in hopes of protecting patients. 

Lastly, attackers can sell stolen information on the dark web, use it for identity theft, or even blackmail individuals with sensitive medical details.

Common attack methods

1. Insider threats: Employees or former staff members misuse their access to harm patients or steal data. These threats can be challenging to detect because the actors have legitimate access to the system.
2. Break the glass (BTG) exploitation: In emergencies, doctors may bypass normal access controls, potentially leading to unauthorized sharing or manipulation of sensitive patient information.
3. Masquerade attacks: Attackers pose as authorized users to gain access to EHRs. Once inside, they can exploit the system as if they were legitimate users.
4. Outsider intrusions: External hackers breach the system through network vulnerabilities, gaining access to patient data and potentially disrupting services.
5. Accidental disclosure: Data breaches can occur when healthcare staff or systems inadvertently expose sensitive information to unauthorized users due to complex and conflicting access controls.
6. Uncontrolled secondary usage: Data collected for medical purposes may be misused or stolen for unauthorized research or personal gain, compromising the integrity of EHRs.

A real-world example: the Asante incident

The incident at Asante involved unauthorized access to a vast amount of sensitive patient information within their EHR system. An employee with legitimate access rights exploited their position for nearly nine years, improperly viewing the records of more than 8,834 patients.

Insider threats such as this are particularly alarming because they often go undetected for extended periods. Attackers already possess the trust and access needed to manipulate or steal data, making it difficult to identify and prevent the misuse of information until harm has been done.

Navigating threats to EHR

There are many methods to preventing EHR attacks, although success can vary due to the vast amounts of attack methods. There are however several strategies that can be applied, including: 

• Using behavioral analytics to monitor user activity.
• Implementing role-based access control (RBAC) to limit data access.
• Monitoring and auditing break the glass access.
• Establishing an insider threat detection program.
• Encrypting all sensitive data and using data masking.
• Setting up real-time alert systems for suspicious activities.
• Creating a rapid incident response plan for EHR breaches.
• Recertifying user access regularly to match current roles.
• Adopting a zero-trust security model for continuous verification.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is an insider threat?

An insider threat is when someone within an organization misuses their access to harm the organization or steal data.

What is the difference between an EHR and an EMR?

An Electronic Health Record is a digital version of a patient's entire health history accessible across different healthcare settings, while an Electronic Medical Record is a digital version of a patient's chart within a single healthcare facility.