Microsoft researchers are shining a light on a significant vulnerability in electronic health records (EHRs) — and on why technical safeguards are only one side of the cybersecurity equation


In the last few years, EHRs have become widely used, but not all of these systems were designed with security top of mind.

Case in point, new research from Microsoft shows that some EHRs could be exposing patients’ protected health information (PHI) — even if the systems are encrypted.

EHR data leaks

Although some details are being released next month at a cybersecurity conference, Network World reports that Microsoft researchers have found several ways to steal PHI from EHRs through a built-in vulnerability.

Researchers analyzed the databases of 200 hospitals and examined systems using a CryptDB-style design, which allows the database to run queries over encrypted data. They were able to discover patients’ gender, age, and medical and admission information.

Even more troubling is they were able to access this information despite system encryption.

Although many experts agree encryption is an important part of PHI security, the report highlights how hackers could bypass this method.

Encrypted data is often decrypted in a computer’s memory to allow users to access it. Unfortunately, hackers could also access it if they’ve infiltrated a system in other ways.
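The reason a CryptDB-style database can still give away gender or age is that the encryption it uses for searchable columns is deterministic: the same plaintext always produces the same ciphertext, so the server can answer equality queries, but the ciphertext column also carries the exact frequency profile of the plaintext column. The following added example (not code from the article, from Microsoft’s research, or from CryptDB itself) makes that visible. It uses a small HMAC-based toy cipher as a stand-in for the deterministic and randomized encryption layers, and a constructed patient-gender column with made-up keys; the real systems also used order-preserving encryption for range queries, which leaks more still, but the deterministic case is enough to show the problem.

```python
import hmac
import hashlib
import os
from collections import Counter

# Constructed demonstration key (not a real secret).
KEY = bytes(range(32))
IV_LEN = 16


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream; a stand-in for the block
    cipher a real system would use, chosen so the example has no
    dependencies outside the standard library."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_det(key: bytes, pt: bytes) -> bytes:
    """Deterministic encryption: the IV is derived from the plaintext, so
    equal plaintexts give equal ciphertexts. This is the property that lets
    an encrypted database run WHERE col = ? and GROUP BY over ciphertext."""
    iv = hmac.new(key, b"iv|" + pt, hashlib.sha256).digest()[:IV_LEN]
    return iv + _xor(pt, _keystream(key, iv, len(pt)))


def encrypt_rnd(key: bytes, pt: bytes) -> bytes:
    """Randomized encryption: a fresh random IV per record, so equal
    plaintexts give different ciphertexts. The server can store the value
    but cannot compare or group it."""
    iv = os.urandom(IV_LEN)
    return iv + _xor(pt, _keystream(key, iv, len(pt)))


def decrypt(key: bytes, ct: bytes) -> bytes:
    """Both schemes decrypt the same way: recover the keystream from the IV."""
    iv, body = ct[:IV_LEN], ct[IV_LEN:]
    return _xor(body, _keystream(key, iv, len(body)))


def ciphertext_histogram(column):
    """What the database server, or anyone holding a dump, can compute
    without the key: the sizes of the ciphertext equivalence classes,
    largest first. For a deterministic column this equals the plaintext
    frequency table; for a randomized column every class has size 1."""
    return sorted(Counter(column).values(), reverse=True)


def infer_by_frequency(column, known_distribution):
    """Leakage check: pair the most common ciphertext with the most common
    plaintext value from an auxiliary distribution (for gender, that is
    public census-style knowledge). Returns ciphertext -> guessed value.
    A defender runs this over their own column to see how much of it is
    effectively plaintext."""
    cts = [c for c, _ in Counter(column).most_common()]
    pts = [p for p, _ in sorted(known_distribution.items(), key=lambda kv: -kv[1])]
    return dict(zip(cts, pts))


def demo(n_female: int = 60, n_male: int = 40):
    """Constructed gender column: 60 'F' and 40 'M' records.
    The deterministic column reveals the two classes and their sizes and
    is fully recovered from a rough public distribution; the randomized
    column reveals nothing about which records match."""
    plaintexts = [b"F"] * n_female + [b"M"] * n_male
    det_col = [encrypt_det(KEY, p) for p in plaintexts]
    rnd_col = [encrypt_rnd(KEY, p) for p in plaintexts]
    # Both columns still decrypt correctly with the key.
    assert all(decrypt(KEY, c) == p for c, p in zip(det_col, plaintexts))
    # Auxiliary knowledge: the patient population skews female (constructed).
    guesses = infer_by_frequency(det_col, {"F": 0.55, "M": 0.45})
    recovered = [guesses[c] for c in det_col]
    return {
        "det_classes": ciphertext_histogram(det_col),
        "rnd_classes": ciphertext_histogram(rnd_col),
        "det_recovered_correctly": sum(r == p.decode() for r, p in zip(recovered, plaintexts)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows a deterministic column collapsing to two classes of 60 and 40, which a coarse public distribution maps back to every record’s gender, while the randomized column shows 100 singleton classes. The defensive takeaway is the one the researchers drew: columns with few possible values (gender, age, admission type) cannot be protected by an encryption mode that preserves equality, no matter how strong the underlying cipher is, so such fields belong under randomized encryption or should not be queried on the server at all.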

The researchers advised that organizations should do their best to steer clear of using the studied systems to store PHI.

They also noted that while they’ve only studied EHR databases, human resource and accounting databases could be similarly affected since they often contain similar information.

Cost of no safeguards

To create an effective cybersecurity environment, facilities will have to look at more than technical safeguards to protect their patients’ data. Administrative safeguards, like device management policies, are also essential.

And while hospitals may not be able to create a 100% hacker-proof system, missing crucial administrative safeguards could cost them in the event of a breach — and not just in terms of data.

A recent example of this is the $750,000 breach settlement between the Department of Health & Human Services and a group of oncology physicians who regularly worked with hospitals.

According to the HHS press release, the practice notified it of a data breach after a bag containing a physician’s laptop and a storage device with PHI for more than 50,000 patients was stolen from a car.

After an investigation, the feds found the practice allegedly had not conducted a thorough risk assessment, and had not implemented a policy about removing hardware or other devices containing PHI.

As the case shows, while encryption is important in case data is taken out of a facility, administrative safeguards, like device policies, will help prevent these risks from recurring. Similarly, training staff to recognize cybersecurity risks, such as phishing schemes, can help prevent attackers from bypassing your other security measures.
