Guest Column | May 18, 2017

Is Your EHR System At Risk?


By Kathy Trahan, market strategist responsible for vertical markets, Tripwire

With an adoption rate approaching 100 percent, EHR systems have gained high traction among healthcare service providers mainly due to their operational efficiencies and the rising need for integrated healthcare facilities worldwide. Over the years, there has been a surge in the need to connect laboratories to hospitals and clinics, and hospitals or clinics to pharmaceutical centers. This has led to the rise in emphasis on product innovation. Also, there is an incentive plan for the hospitals and clinics in the U.S. for facilitating the meaningful use of EHR technology.

As the EHR industry consolidates and attempts to update and improve its software and processes, caregivers must stay up to date with the technology and understand potential pitfalls and how they could affect patient safety.

Privacy, Security And Compliance Considerations Around EHR

For all the enthusiasm about adopting electronic medical records, security remains a concern. Employees, contractors, outsourcers, vendors, and others with elevated access present a real risk, and the primary worry has been that hackers could steal patients' information to enable identity theft. But recent attacks have demonstrated the threat of ransomware, in which hackers deny access to data rather than stealing it.

In an example that made headlines, unidentified attackers hacked into a hospital’s EHR system and then encrypted the data, causing delays in service and confusion in treatment. Some cancer patients were unable to get radiation treatment for several days. As this hack demonstrates, the new systems can leave hospitals vulnerable.

Interestingly, a recent Sermo (a social network for physicians) survey asked whether EHR downtime or an outage would pose a threat to patient safety. In the U.S., about half of the respondents did not think this would be a significant threat to their patients' safety.

Regulations In Place To Protect Patients Include The Security Rule

To support patient care, providers store electronic Protected Health Information (ePHI) in a variety of electronic systems, not just EHRs. Knowing this, providers must remember that all electronic systems are vulnerable to cyber-attacks, and their security efforts must cover every system and technology that maintains ePHI.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule establishes a national set of minimum security standards for protecting all ePHI that a Covered Entity (CE) and Business Associate (BA) create, receive, maintain, or transmit. The Security Rule contains the administrative, physical, and technical safeguards that CEs and BAs must put in place to secure ePHI.

Every practice is responsible for taking the steps needed to protect the confidentiality, integrity, and availability of the ePHI maintained in its EHR. Having an EHR affects the types and combinations of safeguards you will need to keep your patients' health information confidential. EHRs also bring new responsibilities for safeguarding your patients' health information in electronic form.

The Challenge For Providers

Many providers are managing the security and compliance around EHRs manually. This is complicated, time-consuming work that requires a very experienced person, and it remains prone to human error. For example, how often do you go through a detailed audit? Is presenting current, accurate data a challenge? Are you working with legacy systems?

A manual process will not be able to answer a good auditor's questions. Home-grown scripts are a concern to auditors, who prefer independent, third-party tooling.

The Solution

The best way to maintain compliance and security posture is to automatically monitor EHR systems and alert on any unauthorized changes or vulnerabilities that could jeopardize PHI. Automation also addresses the insider threat: unauthorized access to and use of PHI by otherwise authorized staff, which is a growing threat in healthcare.

Automation can be used proactively, to accept operational changes and update policies between audits, and/or passively, to collect the specific system state data that evidences each control in place (or its mitigating control/process). Do you know what changed, when, by whom, and for what reason? Who is responsible for user access vs. network ports vs. data at rest? If it is not the same person, considerable collaboration is required to prepare for an audit; otherwise the auditor will document the lack of policies and procedures supporting the use and health of the current controls.

Ransomware is a popular attack vector in healthcare. Using solutions with a whitelist profiler, which prevents anything but known, approved software from executing in the first place, will help with this. Comprehensive monitoring of all assets on the network will also ensure malware cannot hide and spread to the EHR.
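As an added illustration of the change monitoring and allowlisting described above (example code written for this column, not Tripwire's product or the author's own): a baseline-and-compare integrity check that records what changed and when, and marks a change as accepted only when its new content hash is on a pre-approved list. The directory, file names, contents and the "approved" hash are constructed for the demo.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def detect_changes(root: Path, baseline: dict, approved: set) -> list:
    """Compare the current tree to the baseline and return one finding per drift.
    Each finding records what changed (path, old/new hash), how, and when it was
    detected; a new hash present in the 'approved' allowlist is an accepted change."""
    detected = datetime.now(timezone.utc).isoformat()
    current = build_baseline(root)
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "deleted" if new is None else "added" if old is None else "modified"
        findings.append({
            "path": path, "change": kind, "old": old, "new": new,
            "status": "accepted" if new in approved else "unauthorized",
            "detected": detected,
        })
    return findings


def demo() -> list:
    # Constructed sample: a temp directory stands in for an EHR application's config path.
    root = Path(tempfile.mkdtemp())
    (root / "ehr.conf").write_bytes(b"db_host=ehr-db.internal\n")
    (root / "export.sh").write_bytes(b"echo nightly export\n")
    baseline = build_baseline(root)                              # snapshot taken at audit time
    (root / "ehr.conf").write_bytes(b"db_host=203.0.113.7\n")    # unapproved edit to the config
    (root / "export.sh").unlink()                                # file removed outside a change window
    (root / "patch.sh").write_bytes(b"echo approved\n")          # vetted change-window artifact
    approved = {hashlib.sha256(b"echo approved\n").hexdigest()}  # allowlist of approved content
    return detect_changes(root, baseline, approved)
```

Each finding is the answer to "what changed and when"; attaching "by whom" requires pairing it with the host's audit log, which this snippet does not cover.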

Many healthcare providers are leveraging security frameworks to support their security strategy. Two are especially popular: those from the National Institute of Standards and Technology (NIST) and the Health Information Trust Alliance (HITRUST), as noted by a recent HIMSS survey.

NIST guidance was originally written for the federal government, but NIST now offers a range of guidance to all organizations. NIST Special Publication 800-53 gives specific direction on security controls. NIST also publishes the Cybersecurity Framework (CSF) for Critical Infrastructure, which has a heavy focus on risk management, and provides significant guidance on EHR design and implementation in light of some shortcomings of EHR systems certified under HITECH. Earlier this year NIST proposed updates and is open to comments. The updates include clarifications, new measurement guidance, and direction for cyber security supply chain management.

As a private non-profit organization, HITRUST offers a framework and assessment services for healthcare providers only. HITRUST is positioned as providing the foundation for NIST compliance. HITRUST can be a part not only of the design, but also of the operation and ongoing management of every connected system. HITRUST exists to ensure information security becomes a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. It does so by addressing specific challenges: concern over current breaches, numerous and sometimes inconsistent requirements and standards, compliance issues, and the growing risk and liability associated with information security in the healthcare industry. By collaborating with healthcare, business technology, and information security leaders, HITRUST developed a common framework that any organization can use to create, access, store, or exchange Protected Health Information (PHI) safely and securely.

As in every other business sector, technology continues to evolve in the EHR industry, even though EHR systems were introduced to healthcare years ago. Healthcare providers should stay abreast of the updates to their EHR systems, the changes to the nuances in those systems, any patterns of EHR incidents that increase risk to patients, and whatever ongoing training their caregivers may need.

About The Author
Kathy Trahan is a market strategist responsible for vertical markets at Tripwire. With more than 15 years of experience in high tech and IT Security, Kathy has held prior roles at Cisco, Check Point, NetApp, Nokia, Sun Microsystems, Symantec and TrendMicro.