[BreachExchange] New EHR risk gives wider cybersecurity lessons

Audrey McNeil audrey at riskbasedsecurity.com
Thu Nov 16 19:07:14 EST 2017


http://www.healthcarebusinesstech.com/cybersecurity-lessons/

Microsoft researchers are shining a light on a significant vulnerability in
electronic health records (EHRs) — and on why technical safeguards are only
one side of the cybersecurity equation.

In the last few years, EHRs have become widely used. But not all these
systems were designed with security top-of-mind.

Case in point: New research from Microsoft shows that some EHRs could be
exposing patients’ protected health information (PHI) — even if the systems
are encrypted.

EHR data leaks

Network World reports that Microsoft researchers have found several ways to
steal PHI from EHRs through a built-in vulnerability. More details are
expected to be released next month at a cybersecurity conference.

Researchers analyzed the databases of 200 hospitals and looked at systems
using a CryptDB design, which allows a system to run queries and other
operations directly on scrambled data. They were able to discover patients'
gender, age, and medical and admission information.

Even more troubling: They were able to access this information despite
system encryption.
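As an added illustration, not part of the article or of the Microsoft research it describes, the constructed Python below models why a CryptDB-style column that stays queryable (equal plaintexts map to equal ciphertexts) still exposes a low-entropy field such as gender: the ciphertext histogram mirrors the plaintext histogram, so publicly known proportions can be lined up against it, while a randomized column leaves nothing to line up. The key, patient rows and public proportions are all constructed, and HMAC stands in for the real encryption layers.

```python
import hmac
import hashlib
import os
from collections import Counter

# Constructed demo key; a real deployment would fetch keys from a KMS.
KEY = b"constructed-demo-key"

def det_encrypt(value: str) -> str:
    """Stand-in for an equality-preserving (deterministic) ciphertext, the
    layer a CryptDB-style design needs so that WHERE gender = ? still works
    on scrambled data. The same plaintext always yields the same ciphertext."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def rnd_encrypt(value: str) -> str:
    """Stand-in for randomized encryption: a fresh nonce per row means equal
    plaintexts give unrelated ciphertexts (and equality queries no longer work)."""
    nonce = os.urandom(8)
    tag = hmac.new(KEY, nonce + value.encode(), hashlib.sha256).digest()[:8]
    return (nonce + tag).hex()

def frequency_profile(ciphertexts):
    """Ciphertext frequencies, largest first: the histogram the column leaks."""
    return sorted(Counter(ciphertexts).values(), reverse=True)

def frequency_guess(ciphertexts, public_distribution):
    """Pair the k-th most common ciphertext with the k-th most common value
    of a public distribution (census proportions, for instance)."""
    cipher_ranked = [c for c, _ in Counter(ciphertexts).most_common()]
    plain_ranked = sorted(public_distribution, key=public_distribution.get, reverse=True)
    return dict(zip(cipher_ranked, plain_ranked))

def recovered_fraction(plaintexts, encrypt, public_distribution):
    """Risk metric for a column: share of rows an observer holding only the
    ciphertext column plus public frequencies would label correctly."""
    ciphertexts = [encrypt(p) for p in plaintexts]
    guess = frequency_guess(ciphertexts, public_distribution)
    hits = sum(1 for c, p in zip(ciphertexts, plaintexts) if guess.get(c) == p)
    return hits / len(plaintexts)

# Constructed patient rows and constructed public proportions.
GENDER_COLUMN = ["F", "M", "F", "F", "M", "F", "M", "F", "F", "M"]
PUBLIC_GENDER = {"F": 0.51, "M": 0.49}

if __name__ == "__main__":
    print("deterministic:", recovered_fraction(GENDER_COLUMN, det_encrypt, PUBLIC_GENDER))
    print("randomized:   ", recovered_fraction(GENDER_COLUMN, rnd_encrypt, PUBLIC_GENDER))
```

Running the metric over a column before choosing its encryption mode is a cheap part of the risk assessment the article's second half calls for: a deterministic gender column scores 1.0 (fully recoverable from the histogram alone), the randomized one cannot exceed 0.2 here because only two ciphertexts ever receive a label.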

Although many experts agree encryption is an important part of PHI
security, the report highlights how hackers could bypass this method.

Encrypted data is often decrypted in a computer’s memory to allow users to
access it. Unfortunately, hackers could also access it if they’ve
infiltrated a system in other ways.

The researchers advised that organizations should do their best to steer
clear of using the studied systems to store PHI.

They also noted that while they’ve only studied EHR databases, human
resource and accounting databases could be similarly affected since they
often contain similar information.

Cost of no safeguards

To create an effective cybersecurity environment, facilities will have to
look at more than technical safeguards to protect their patients’ data.
Administrative safeguards, like device management policies, are also
essential.

And while hospitals may not be able to create a 100% hacker-proof system,
missing crucial administrative safeguards could cost them in the event of a
breach — and not just in terms of data.

A recent example of this is the $750,000 breach settlement between the
Department of Health & Human Services and a group of oncology physicians
who regularly worked with hospitals.

According to the HHS press release, the practice notified it of a data
breach after a bag with a physician’s laptop and storage device containing
PHI for more than 50,000 patients was stolen from a car.

After an investigation, the feds found the practice allegedly had not
conducted a thorough risk assessment, and had not implemented a policy
about removing hardware or other devices containing PHI.

As the case shows, while encryption is important in case data is taken out
of a facility, administrative safeguards, like device policies, will help
prevent these risks from reoccurring. Similarly, doing things like training
staff to recognize cybersecurity risks, such as phishing schemes, can help
prevent attackers from bypassing your other security measures.