Fierce exclusive: 10 steps for thwarting EHR hackers

It's bad enough that the number of security breaches of patient protected health information appears to be skyrocketing. But it feels downright creepy when the breach is at the hands of a hacker, as was the recent attack by Eastern European hackers that breached almost 800,000 Medicaid recipients in Utah. 

And while a lot of hackers are attacking EHRs to steal the information within them for personal gain, many of them do it just for the fun of it, attorney Robert Hudock, with Epstein, Becker Green in Washington, D.C., said in an exclusive interview with FierceEMR. "It's very easy to scan for vulnerability and execute an exploit. People are curious," he said.  

Hudock, who is a certified "ethical hacker" as designed by the International Council of e-Commerce Consultants, warns that information security and privacy concerns have become so widespread that providers are increasingly at risk of not being able to defend their EHR and other health IT systems.

Since HIPAA doesn't provide specific security standards, it's difficult for a provider to justify that the decisions it made to protect its systems. Even the most robust HIPAA compliance program and employee training won't deter a determined hacker. 

"We're seeing many more lawsuits, and for unrealistically high damages, so you need defensible security [processes]," he said. 

But there are steps you can take to reduce the risk that your EHR system will be hacked, according to Hudock:

  • Keep your EHR on a segregated network, if possible. "Shelter your EHRs from the rest of your network infrastructure," he says. Otherwise it's very easy for a provider's practice management system or mobile or medical device to pass on a virus or other infiltration to the EHR system. The Veterans Administration segregated its EHR  after suffering significant infections, Hudock notes.
  • Check for vulnerabilities. Run risk assessments and conduct audits. Correct weaknesses discovered.
  • Consider buying and running a data loss prevention software  program, which runs on your perimeter server. "If protected health information is leaving your facility, it tells you," he says.  
  • Apply security patches to internet applications that are connected to your EHR systems, such as internet explorer, java and adobe acrobat.
  • Make sure that your firewalls are installed properly, and that your antivirus programs are operational. One of Hudock's provider clients had turned off its antivirus program during an upgrade and neglected to turn it back on. Hackers are looking for easy access into computer networks. Don't make your EHR system that easy an target.
  • Comply with objective, specific measures, such as those recommended by the National Institute of Standards and Technology or HITRUST, so you can defend the adequacy of the safeguards you took to protect patient information.   
  • Make sure that your EHR and health IT vendor contracts support off-the-shelf antivirus software. Many of these contracts say that if the provider uses such software with their product, it will void the vendor's support and/or warranty, Hudock warns.
  • Designate who within the organization is responsible for maintaining the integrity of the system.
  • Clearly delineate with your EHR/Health IT vendor who will be responsible for security patches. Don't assume that the vendor will do it; many vendors don't.
  • Make sure that any medical software you're working with runs without "super user" rights. This makes it harder for a hacker to gain access to the records.

Hackers are looking for easy access into computer networks. Follow these tips and make sure your EHR system isn't an easy target. - Marla