Cybersecurity: What 2016 taught the healthcare industry

One of the biggest developments in EHRs and health IT in 2016—unfortunately—was the rise of cyberattacks. It's the unintended consequence of ditching paper records for electronic ones, whether on in-house systems or in the cloud. It’s easier to steal or compromise a greater number of records at one time when they're digital. And the records themselves are lucrative (although the price for medical records appears to have dropped, perhaps because they’re now flooding the dark web market).

The problem has become so pervasive that the Department of Health and Human Services' Office of the Inspector General (OIG) has included in its workplan for 2017 its intent to investigate how well providers are protecting EHR information.


In addition, the OIG has identified the privacy and security of electronic information as one of HHS’ top management challenges for 2017, noting in particular how difficult it is to protect the data due to the quick pace at which technology is evolving, the expansion of the Internet of Things, such as networked medical devices, and the rise of mobile health technology. The report cited the continued weaknesses in healthcare organizations’ systems despite the significant increase of breaches and ransomware attacks.

Here are some of the biggest cyber problems plaguing EHRs this year.


Ransomware

While ransomware has been around for years, in 2016 the sheer number of incidents hitting the healthcare industry made it a household name.

Some incidents have been widely reported. For instance, California’s Hollywood Presbyterian Medical Center’s payment of 40 bitcoins (worth $17,000 at the time) to override ransomware placed on its EHR system garnered a lot of attention. The systems malfunction that halted operations at MedStar Health was also determined to have been a ransomware attack.

But ransomware itself has evolved, according to government experts. While most ransomware events are still due to phishing attacks that contain the malware in an attachment to an email, ransomware is moving into more targeted spear phishing, such as sending what appears to be an invoice to the chief financial officer of an organization with a spoofed email address that looks legit. 

Criminals have become more sophisticated—you can't assume your employees won't fall for their tricks. 

Ransomware has also become more insidious, with some versions of the malware able to infiltrate the data itself and enable the cybercriminals to access or compromise it while encrypting it.

HHS’ Office for Civil Rights took a step toward addressing the problem in July, releasing guidance explaining what ransomware is and offering tips to protect patient and other data.

The guidance also clarified that ransomware usually constitutes a breach under the Health Insurance Portability and Accountability Act (HIPAA) and so is reportable to HHS, patients and sometimes the media, because even if the data wasn’t accessed in the cyberattack, the provider had lost control of it.


Hacking

Hacking by cybercriminals continues to plague providers. For example, in March, Fort Myers-based 21st Century Oncology reported that the records of 2.2 million patients were breached due to hacking. A number of class action lawsuits have since been filed against the cancer chain.

Athens Orthopedic Clinic in Georgia suffered a cyberattack compromising the records of 200,000 patients in June, when the login credentials of an outside vendor were used to access its EHR. The clinic also had to inform its patients that it couldn't afford extended credit monitoring.

The Internet of Things

Insiders have warned for several years that networked objects, such as smart TVs, baby monitors and medical devices, were at risk of cyberattack. This became a reality with Johnson & Johnson acknowledging this year that one of its insulin pumps could be hacked because its communication system was not encrypted. This announcement came on the heels of a report that St. Jude Medical’s cardiac devices are also vulnerable to hacking, an allegation that St. Jude has denied.

Sloppy internet use

Good old-fashioned user error continues to be a cybersecurity threat. There have been increasing reports of entities mistakenly exposing patient records on the internet, such as St. Joseph Health, which bought a server to store electronic patient records not knowing that it included a file sharing application whose default settings allowed public access to the records. St. Joseph never checked out the server to identify or correct this problem and this year agreed to pay $2.14 million in settlement for the alleged HIPAA violation.

LabMD continues to fight enforcement attempts by the Federal Trade Commission, which has claimed that the provider engaged in deceptive and fraudulent activities in violation of the Federal Trade Commission Act. A health insurance computer file of LabMD’s containing patient information had been exposed on the internet on a peer-to-peer file sharing network.

Lessons learned

There are several steps that providers can take to reduce the chances that their EHRs will be compromised. These include:

  • Reviewing the security of any EHR or other product before using it. If there’s a choice between options, choose the more secure solution and get security assurances in the vendor contract. 
  • Training employees to recognize cyberthreats and other risks, such as what a phishing attack looks like, and warning them to be careful about posting data on the internet.
  • Backing up EHR and other data responsibly so it’s available when a provider needs it, such as when attacked by ransomware. For example, the backup must be offline so that it doesn’t also become compromised by the ransomware, and the backup should be tested to make sure it can be accessed in an emergency.
  • Using access controls. For instance, access to the EHR should be limited and audit trails should be regularly reviewed.