By Jessica Otiono


Electronic Health Records (EHR) utilize modern technology that allows for electronic entry, storage, and maintenance of digital patient data.[1] This data includes patient records from doctors such as demographics, test results, medical history, history of present illness, and past and current medications.[2] In the past two decades, the utilization of information technology in the delivery and management of healthcare, which resulted in the adoption of EHRs, has provided an efficient way of sharing healthcare records between healthcare professionals and patients who enjoy easy access to their records.[3]

However, this ease of access is met with cybersecurity threats and data privacy challenges.[4] The sensitivity and patient-care-centered nature of EHRs make them susceptible to cyber-attacks.[5] This is because they contain Personal Health Information (PHI), which cyber attackers sell for profit on the dark web.[6] Cyberattacks on EHRs occur in diverse ways. Some of these cyberattacks include:


1. Phishing – Phishing attacks are the most rampant cybersecurity threats in healthcare. Phishing is the practice of seeding a seemingly harmless email with malicious links.[7] The usual form of phishing attack is email phishing.[8]
2. Malware/Ransomware – Ransomware is a type of malware that disables access to computer systems and files until a ransom has been paid.[9] Ransomware may infect a computer system through a phishing email containing a malicious link.[10]
3. Distributed Denial of Service (DDoS) – A DDoS attack floods a website or computer network with internet traffic to overwhelm it and impair its performance and availability.[11] Cybercriminals employ bots to submit an excessive number of requests.[12] DDoS used together with ransomware is one of the most destructive cybersecurity attack combinations.[13]

In dealing with cybersecurity threats to EHRs, federal compliance laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act were enacted to protect the privacy and data security of Personal Health Information (PHI) that is stored electronically.[14] In addition, the HIPAA Privacy Rule establishes “national standards to protect individuals’ medical records and other individually identifiable health information….”[15]

The HIPAA Security Rule also establishes appropriate safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.[16] The Security Rule provides administrative, physical, and technical safeguards for managing healthcare data privacy.[17] Some of these safeguards include: i.) establishing a security management process in which the covered entity must implement policies and procedures to prevent, detect, contain, and correct security violations;[18] ii.) appointing a designated security official who is responsible for the development and implementation of the policies and procedures mandated by the Security Rule;[19] iii.) implementing policies and procedures to address security incidents when they occur;[20] iv.) creating policies and procedures for responding to an emergency that damages computer systems containing EHRs;[21] v.) establishing safeguards for workstation security;[22] vi.) implementing audit controls for information systems;[23] and vii.) implementing measures to protect against unauthorized access to electronic protected health information transmitted over an electronic communications network.[24]

In addition, the HITECH Act establishes the Breach Notification Rule. This rule requires health care providers, as well as other covered entities under HIPAA, to promptly notify individuals of a data breach (within 60 calendar days from the day the breach is discovered), and to notify the Secretary of the U.S. Department of Health and Human Services (HHS) and the media in cases where the breach affects more than 500 individuals.[25] Breaches affecting fewer than 500 individuals must be reported to the Secretary of the HHS on an annual basis, no later than 60 calendar days from the end of the year.[26] As healthcare delivery technology continues to evolve, cyber-attacks on EHRs continue to happen. It is therefore imperative that healthcare providers and other key players implement policies that align cybersecurity and patient safety initiatives. These measures will protect patient safety and privacy while ensuring continuity in the delivery of high-quality healthcare by mitigating disruptions.


[1] Electronic Medical Record in Healthcare, U.S. Dept. Health Hum. Serv. 1, 3 (2022), https://www.hhs.gov/sites/default/files/2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf.

[2] Id.

[3] Liu Hua Yeo & James Banfield, Human Factors in Electronic Health Records Cybersecurity Breach: An Explanatory Analysis, Perspectives In Health Info. Mgmt. (Mar. 15, 2022), https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9123525/.

[4] Id.

[5] Greg Kill, Top 5 Cybersecurity Threats to Electronic Health Records and Electronic Medical Records, Integracon (Apr. 28, 2018), https://integracon.com/top-5-cybersecurity-threats-to-electronic-health-records-and-electronic-medical-records/.

[6] U.S. Dept. Health Hum. Serv., supra note 1, at 6.

[7] Edward Kost, Biggest Cyber Threats in Healthcare, Upguard (Aug. 8, 2022), https://www.upguard.com/blog/biggest-cyber-threats-in-healthcare.

[8] Id.

[9] Cyber Attacks: In the Healthcare Sector, Ctr. Internet Sec., https://www.cisecurity.org/insights/blog/cyber-attacks-in-the-healthcare-sector (last visited Sept. 14, 2022).

[10] Id.

[11] Hardik Shah, Top 10 Cybersecurity Challenges in the Healthcare Industry, Global Sign (May 5, 2022), https://www.globalsign.com/en/blog/10-cybersecurity-challenges-healthcare.

[12] Id.

[13] Id.

[14] Liu Hua Yeo & Banfield, supra note 3.

[15] See The HIPAA Privacy Rule, HHS.gov., https://www.hhs.gov/hipaa/for-professionals/privacy/index.html (last visited Sept. 14, 2022).

[16] The Security Rule, HHS.gov, https://www.hhs.gov/hipaa/for-professionals/privacy/index.html (last visited Sept. 14, 2022).

[17] Ryan L. Garner, Evaluating Solutions to Cyber Attack Breaches of Health Data: How Enacting a Private Right of Action for Breach Victims Would Lower Costs, 14 Ind. Health L. Rev. 127, 139 (2017).

[18] Id.; 45 C.F.R. § 164.308(a)(3)(i) (2017).

[19] Id. § 164.308(a)(2).

[20] Id. § 164.308(a)(6)(i).

[21] Id. § 164.308(a)(6)(i).

[22] 45 C.F.R. § 164.308(a)(6)(i) (2017).

[23] Id. § 164.312(b).

[24] Id. § 164.312(e)(1).

[25] 45 C.F.R. §§ 164.400-414 (2009).

[26] Id.

Image Source: https://www.aranca.com/knowledge-library/special-reports/valuation/healthtech-decoded