Phishing and Ransomware – The Gruesome Twosome of Cyber Attacks

By Nam Nguyen, Vice Chair
EHRA Privacy & Security Workgroup

October is Cybersecurity Awareness Month, and the Electronic Health Record Association (EHRA) will use this opportunity to share helpful reminders of cybersecurity fundamentals throughout the month. 

The 2020 HIMSS Cybersecurity Survey provides a look into cybersecurity issues facing US healthcare organizations. Based upon the feedback from 168 US-based healthcare cybersecurity professionals, “Significant security incidents continue to plague healthcare organizations of all types and sizes. Phishing is the most common type of significant security incident.”

Phishing and ransomware are the one-two punch of significant cyber risks. Phishing is typically the initial hook for significant security incidents, and occurs when a bad actor targets a user by email, telephone, or text message, posing as a legitimate company or organization to persuade the user to provide sensitive information, such as personal identifiers, banking information, credit card information and passwords. 

Using phishing tactics, a hacker can pose as an organization to get login information from an employee. Then, using the stolen login information, the hacker can place ransomware in the employer's critical systems.

Ransomware is malicious software that blocks access to an organization’s critical computer systems until a sum of money, the ransom, is paid. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have published guidance urging victim organizations not to pay ransoms; they warn that paying hackers does not guarantee data will be returned and may encourage future strikes.   


Have you updated your software today?

By Nam Nguyen, Vice Chair
EHRA Privacy & Security Workgroup

October is Cybersecurity Awareness Month, and the Electronic Health Record Association (EHRA) will use this opportunity to share helpful reminders of cybersecurity fundamentals throughout the month. 

The 2020 HIMSS Cybersecurity Survey provides a look into cybersecurity issues facing US healthcare organizations. Based upon the feedback from 168 US-based healthcare cybersecurity professionals, “Relatively few healthcare organizations are conducting end-to-end security risk assessments. Sensitive information is exposed and such systems are vulnerable to attack.”

A simple yet important precaution to reduce cybersecurity risks is ensuring software updates and patches are applied in a timely manner. Though they are easy to ignore, most software updates or patches are important, as they address a vulnerability or security flaw in the endpoints of computer systems or in medical devices.

Healthcare organizations have been increasingly targeted with ransomware and other cyberattacks since the beginning of the COVID-19 pandemic. This has shown hackers’ ability to endanger healthcare organizations’ operations as well as patient lives. 


Passphrases are good, multi-factor authentication is better

By Nam Nguyen, Vice Chair
EHRA Privacy & Security Workgroup

October is Cybersecurity Awareness Month, and the Electronic Health Record Association (EHRA) will use this opportunity to share helpful reminders of cybersecurity fundamentals throughout the month. 

The 2020 HIMSS Cybersecurity Survey provides a look into cybersecurity issues facing US healthcare organizations.  Based upon the feedback from 168 US-based healthcare cybersecurity professionals, healthcare organizations must deal with a growing array of significant security incidents. These issues not only compromise the integrity of your technology and the privacy of patients, but can also disrupt an organization’s ability to provide patient care.

Being prepared for cyberattacks requires doing all you can to reduce cybersecurity risks. One of the most significant risks identified by security professionals is password management. Many people are still using simple passwords such as a series of numbers (123456) or easily guessed words (password). However, the easier it is to guess a password, the higher the risk of being compromised by a cyberattack. 


Securing API-based Access to Patient Data

By EHRA Standards & Interoperability Workgroup

One of the goals of the 21st Century Cures Act’s health IT provisions was to enable patients to have secure access to their electronic health information using Application Programming Interfaces (APIs). The Office of the National Coordinator for Health IT (ONC) advanced that objective when it published its May 2020 Final Rule, which specifies HL7® FHIR®-based standards that health IT developers (as well as provider organizations developing their own solutions) will be expected to implement so that patients can access their health data using apps of their choice, connected to APIs. But how can patients be assured that their health information is secure once it leaves the EHR?

Health data are among an individual’s most sensitive information, obligating all members of the healthcare community to protect patient privacy by ensuring secure data exchange. This blog post will review how the ONC standards for patient access can enable best practices to securely share patient health data.


Cyberattacks Increase in the Time of COVID-19

By Justin Armstrong, Chair, and Nam Nguyen, Vice Chair
EHRA Privacy & Security Workgroup


As part of National Cybersecurity Awareness Month, EHRA is highlighting three alarming trends in cyberattacks that have arisen since the beginning of the COVID-19 pandemic that health organizations should pay special attention to:

  1. Increases in COVID-19 themed cyberattacks
  2. Increased risk of exploitation with more employees working from home
  3. Increase in targeting of COVID-19 research and vaccine development

Protecting Your Organization and Yourself from Coronavirus-Related Scams and Malware

By Justin Armstrong
Chair, EHRA Privacy & Security Workgroup


In the midst of a healthcare crisis like COVID-19, the furthest thing from the minds of many may be cybersecurity. However, now is the time for a heightened alert level. Attackers frequently take advantage of current news and distracted organizations, and the COVID-19 crisis is no different.

Forbes reports that “there are now more than 40,000 ‘high-risk’ COVID-19 threats on the web.” Hackers have already attacked or attempted attacks on the U.S. Department of Health & Human Services, the World Health Organization, a vaccine test center, hospitals, a public health department, and other healthcare organizations in the U.S. and around the world. The increase in teleworking opens up new avenues of risk

