March 27, 2019

Healthcare Security: How to Solve EMR and EHR Concerns

Information technology (IT) is crucial to modern healthcare facilities. Electronic Medical Record (EMR) and Electronic Health Record (EHR) systems are especially important to modern healthcare because of how they facilitate the distribution of patient medical chart data to caregivers.

Without ready access to patient medical histories, history of present illness (HPI) data, testing records, and similar data, healthcare providers are at an increased risk of causing harm by prescribing medications the patient is allergic to or may react badly with existing prescriptions. Additionally, not having the record of the patient’s most recent tests may cause caregivers to order redundant tests that waste time, money, and patient patience.

However, health IT systems such as EMRs and EHRs bring IT security concerns as well as increased convenience and quality of care. There are worries about security breaches in healthcare organizations. For example, according to data cited by the University of Illinois at Chicago (UIC), the Anthem healthcare data security breach resulted in the compromise of the Social Security Numbers, names, addresses, and other personally identifiable information (PII) “of 78.8 million current and former members and employees of Anthem.” Anthem was far from the only healthcare industry-related company targeted by cybercriminals.

As the UIC article notes, “In June 2016 alone, more than 11 million health care records were exposed because of cyber attacks.”

Healthcare security is crucial for avoiding data breaches and meeting key regulatory guidelines—such as HIPAA—that may impact a practice’s ability to operate.

So, how can you solve healthcare information security concerns for healthcare IT systems? What are the main concerns of healthcare security in the first place?

Here’s a quick guide to the top healthcare data security concerns, and tips for addressing them:

Healthcare Security Concern #1: Mobile Devices

Mobile devices are a massive concern for healthcare information security—whether those devices are owned by the healthcare facility’s staff or the healthcare company itself. If a mobile device with access to patient data is lost or stolen, it could be used to compromise the safety of patient PII.

So, how can you secure mobile devices to ensure security in healthcare information systems? A few tips include:

  • Creating a Strong Policy Regarding the Use of Personal Devices at Work. Bring your own device (BYOD) policies allow employees to use personal mobile devices at work—helping healthcare organizations reduce costs for providing mobile devices for employees to use. However, these BYOD policies require strong guidelines regarding how employee-owned devices can be used at work to avoid potential data breaches. Some key BYOD policies might include enforcing strong password protection on mobile devices, automatic screen locks after short inactivity intervals, and enabling device location tracking features.

  • Using a Mobile Device Management Solution. It may be necessary to specify that mobile devices be controlled using a mobile device management (MDM) solution that can remotely activate features such as “find my iPhone” or trigger a data wipe to locate lost/stolen devices or destroy any sensitive data located on those devices. The use of an MDM should be specified in the healthcare organization’s BYOD policy.

  • Enforcing Data Encryption on Mobile Devices. Enforcing data encryption on mobile devices is a key healthcare data security practice to prevent attackers from simply copying the device’s data storage drive and reading it at their leisure. All potentially sensitive information should be encrypted whenever possible to prevent security breaches in healthcare IT.

Healthcare Security Concern #2: Secure the EMR/EHR

Healthcare IT software, like any complex software program, may have security vulnerabilities that attackers can exploit. This is why health IT software developers work to continuously check their software and how it interacts with different operating systems to identify unexpected security gaps and vulnerabilities.

How can you verify security in healthcare information systems such as your EMR/EHR solution? A couple of tips for maximizing your health IT security are:

  1. Run Penetration Tests of Your Healthcare IT Systems. It pays to have a cybersecurity expert run a penetration test of your IT security every so often. These penetration tests are designed to stress your security systems and software to identify potential vulnerabilities and security gaps that you may not have known about. When completed, the pen tester can provide a report of the security vulnerabilities they identified and provide recommendations on how to fix them.

  2. Check for Security Updates to EMR/EHR Software. Health IT software developers release patches to their software solutions regularly. Keeping up to date with these security patches is vital for healthcare information security. Failing to apply new security patches leaves the healthcare organization vulnerable to exploits that it otherwise would be protected against. It may help to set aside a day of the week to check for new security patches and, if found, install them immediately—or to use a managed security service provider (MSSP) to manage the security patch installation process.

Healthcare Security Concern #3: Ransomware

Ransomware is malicious software that is designed to forcibly encrypt data and extort money (often in the form of cryptocurrencies such as Bitcoin) from victims in exchange for the encryption key.

Over the course of 2018, ransomware attacks experienced a fairly sharp decline. In fact, according to data cited by Computer Weekly, ransomware declined from “affecting around 48% of organisations [sic]” in 2017 to “only 4% of the world’s organisations [sic] affected by ransomware attacks in 2018.” However, ransomware is still a major threat that can cripple a healthcare provider’s ability to provide safe and effective care. After all, a 4% rate of ransomware compromise still means having a 1 in 25 chance of being attacked.

So, a key strategy for maintaining strong healthcare security is to have an effective means of preventing and countering ransomware attacks. On the prevention side, it helps to have security settings for your organization’s healthcare IT systems that prevent them from downloading or running unknown programs. It is especially important to use antivirus and antimalware programs for your organization’s email systems to prevent the accidental download of ransomware. Creating a safe internet use policy for the internet at work (and making sure employees know it) can be important for preventing employees from visiting dangerous websites that may try to upload malware to your facility’s computers.

To counteract a successful ransomware attack, it’s important to prepare before the attack ever even happens. This typically means setting up a remote data backup and disaster recovery (DR) solution. Having a remote backup of your healthcare facility’s data can help ensure that, if a ransomware attack does succeed, you can simply reformat your local data storage and restore it from the backup. This circumvents the need to give in to the extortionist’s ransom demands.

Disaster recovery is closely related to data backup but may apply additional measures to help ensure a faster recovery from ransomware attacks and other situations that could cause a loss of data access. For example, many DR solutions offer remote, cloud-based production environments that can be activated on a moment’s notice to replace your databases and handle workloads—or offer access to data for patients to satisfy key HIPAA requirements.

These are just a few of the concerns about healthcare security that hospitals and other care facilities have to contend with. If you need more information about how you can protect your patients’ sensitive data, subscribe to the Kandji blog today!

Subscribe to the Kandji Blog

kandji badge

Secure Your macOS
Fleet Today

Sign up quickly and easily using your Gmail or Microsoft Office 365 business account or a verifiable business email address.


Or