4 Reasons Your EHR is Vulnerable to a Cyberattack

May 16, 2016

No practice is too small to worry about a cyberattack. Here are four reasons you should be concerned that your EHR is at risk.

Last year, insurance giant Anthem was attacked by hackers who stole the names, birth dates, social security numbers, and contact details of 78.8 million current and former members and employees. Earlier this year, cybercriminals effectively shut down access to computer records at Columbia, Md.-based MedStar Health’s ten hospitals and more than 250 outpatient centers, which forced the health system to turn away patients.

News like this reinforces the need for management to have security safeguards in place to head off cyberattacks, said Jim Kelton, managing principal at Costa Mesa, Calif.-based Altius Information Technologies.

Here are four reasons your practice could be vulnerable to a cyberattack:

Staff members are unwittingly unleashing malware. You can have all the right application safeguards in place, but if your staff are receiving emails and clicking on links that unleash malware (software that’s intended to damage or disable computers and computer systems), that can provide a hacker with internal access to your EHR or other systems with sensitive information, said Kelton.

You think your practice is too small to attract the attention of cybercriminals. But it’s a mistake to think that a cybercriminal will have mercy on a small practice in a small town, said Lee Kim, director of privacy and security at the Health Information and Management Systems Society (HIMSS).

The reality is, cybercriminals are very interested in the healthcare sector, she said. All practices are targets for cybercrime because healthcare data is very valuable on the black market, added Kim.

You don’t have a firewall in place. Another vulnerability occurs with your internet connection, according to Kelton. If you only have wireless internet access and no formal firewall, you could be in trouble. The purpose of the firewall isn’t just to route traffic; it also provides a level of protection to the employees using systems on your network.

There’s a malicious team member. For various reasons, there are employees who want to steal health information and then sell it, says Lee. While only very few people are going to want to steal healthcare information from their employers, it’s something you have to prepare for, she added.

“Cyberattacks happen. We see this in the news. And [cyberattacks require] a lot of damage control, and [cause you] to lose a lot of good will with patients, who are going to be less inclined to want to see your physicians…because they think your organization can’t be trusted with their health information,” said Kim.