By Nam Nguyen, Vice Chair
EHRA Privacy & Security Workgroup
October is Cybersecurity Awareness Month, and the Electronic Health Record Association (EHRA) will use this opportunity to share helpful reminders of cybersecurity fundamentals throughout the month.
The 2020 HIMSS Cybersecurity Survey provides a look into the cybersecurity issues facing US healthcare organizations. Based on feedback from 168 US-based healthcare cybersecurity professionals, it concludes: “Significant security incidents continue to plague healthcare organizations of all types and sizes. Phishing is the most common type of significant security incident.”
Phishing and ransomware are the one-two punch of significant cyber risks. Phishing is typically the initial hook for significant security incidents, and occurs when a bad actor targets a user by email, telephone, or text message, posing as a legitimate company or organization to persuade the user to provide sensitive information, such as personal identifiers, banking information, credit card information and passwords.
Using phishing tactics, an attacker can pose as a trusted organization to obtain login credentials from an employee, then use those stolen credentials to place ransomware in the employer’s critical systems.
Ransomware is malicious software that blocks access to an organization’s critical computer systems until a sum of money, the ransom, is paid. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have published guidance urging victim organizations not to pay ransoms; they warn that paying hackers does not guarantee data will be returned and may encourage future strikes.
According to Emsisoft data, of the more than two thousand organizations targeted by ransomware hits in 2020, nearly 600 of them were healthcare providers. In one case, California-based LifeLong Medical Care found that names, Social Security numbers, birthdates, patient cardholder numbers, and treatment and diagnosis information were compromised for more than 115,000 individuals. In another, Queen Creek Medical Center in Arizona was forced to notify 35,000 patients of a breach and rebuild patient medical records from scratch following a ransomware attack that corrupted their EHR and caused extensive data loss.
Perhaps the most significant ransomware attack on a healthcare organization in the past year was seen at Universal Health Services, which reported that all of their more than 400 facilities in the U.S. were affected by an attack in early October 2020. All systems at Universal’s care sites and hospitals were forced offline, taking down EHRs, diverting ambulances, and in some cases delaying lab testing.
What can you do?
- Download the Cybersecurity and Infrastructure Security Agency (CISA) fact sheet outlining steps organizations can take to prevent ransomware attacks, protect personally identifiable information (PII), and respond to a data breach.
- Maintain offline, encrypted backups of data and regularly test your backups.
- Create, maintain, and exercise a basic cyber incident response plan, resiliency plan, and associated communications plan.
- Mitigate internet-facing vulnerabilities and misconfigurations to reduce the risk of actors exploiting this attack surface.
- Reduce the risk of phishing emails reaching end users by:
  - Enabling strong spam filters
  - Implementing a cybersecurity user awareness and training program
- Read our previous blogs on phishing and ransomware attacks to learn more on what you can do: