Congratulations to tw-Security—2024 Best in KLAS® Security & Privacy Services!

We're #1! Thank you to all our partners and customers!

Protecting EHR Systems Against Attacks and Compromises

Why Are EHRs So Vulnerable and How Can Organizations Get Better at Protecting Them?

… “EHR systems are attractive targets for cyberattacks. Once access or a compromise is made, EHRs are data-rich and can be leveraged heavily for ransom due to the operational dependency of clinicians,” said Wendell Bobst, partner and principal consultant at security and privacy consultancy tw-Security.

… EHR systems’ complexity and criticality also present obstacles in addressing security vulnerabilities that put these systems at risk, Bobst said.

“This tension exists as the demand for additional functionality can conflict with the testing requirements needed to prevent opportunities to exploit,” he said. “As the code base continues to grow, it becomes more and more difficult for EHR vendors to manage it. Lastly, EHR downtime – even to fix vulnerabilities – is disdained by clinicians, which can delay updates and critical patches.

… Because the EHR system is so critical, it should be managed with tighter security, including stronger access controls – such as multifactor authentication for remote access – and more robust logging and auditing, Bobst said.

… Layers of technologies are required to protect an organization if one or more technologies are bypassed, Bobst said. This becomes very costly if organizations don’t limit where and how confidential data is allowed to live, he added. The critical layers range for workforce training to threat intelligence. That includes threat bulletins from vendors and law enforcement, including the FBI, to help staff stay aware of the current activities, exploits and dark web activity, he said. Other critical layers include MFA, limited user access, and endpoint protection and network access controls that connect to a SIEM or XDR platform, he said. And EHR applications and files shares should leverage role-based access, directory authentication and extensive auditing, according to Bobst.

… Healthcare organizations must keep in mind that if cyberattackers know which layers are weak, underfunded or under-resourced, they can create a path of attack or vector to exploit various weaknesses, Bobst said. “We create incident response tabletop exercises using these principles,” he said. But he hastened to add, “If there was a silver bullet to stop ransomware and similar attacks, we would not have the current situation.”

 

For more information or to schedule a FREE initial consultation – contact tw-Security.
Read More