Electronic Medical Records and Their Risks
Hackers Love to Steal Medical Records. Reduce your Risk.
Electronic medical records (EMRs) were once heralded as the ideal way to store patient files. Paper files were inches thick. Pages could fall out. The filing was a nightmare, and all those inches of files added up to massive stacks taking up lots of office space. So, the concept of digitizing a patient’s records had instant appeal. But since their debut in 1972, EMRs have proved to be both a boon and a bust for the medical field.
EMRs also offered a fantastic way for medical professionals to share patient records with emergency rooms, specialists and other providers and share them fast. Facilities would store patient data, and EMRs would be accessible on a network. Doctors could find critical data with a simple search instead of paging through a stack of paper. Data accuracy would improve.
Reality has fallen short of such lofty predictions, some professionals argue. One reason is the genuine risk inherent in electronic information storage. That risk comes from data breaches, or from a system infected with ransomware—malware that can lock up the system, making files inaccessible.
As ransomware continues to soar—some experts estimate it has increased 1,000% in the past year over the preceding 12-month period—EMRs have become a double-edged sword. Electronic records take up less space and might be more accurate. It’s easier to keep prying eyes out of EMR files if login credentials are not widely available. However, hackers can crack open a computer, and recent studies have detailed an alarming rate of password sharing amongst medical workers. Such a mix of good and evil isn’t reassuring when your personal health information, or PHI, is at stake.
The Current Reality
Hospitals, doctor’s offices, laboratories and clinics are clear targets. Last fall, CISA, the federal government’s Cybersecurity and Infrastructure Security Agency, and the FBI issued an advisory to the medical field.
The agencies stated they possessed “credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers.” While the joint effort included offering facilities advice on how to prepare, it’s not known how many provider organizations followed that advice.
Shortly after that October 2020 warning, a Maryland medical center experienced a ransomware attack that locked patient files. The intruders demanded a ransom paid in bitcoin within three days, or they’d destroy patient records. In May 2021, a San Diego hospital was the target. The medical center had to divert patients suspected of stroke or heart attack to other facilities. These were just two of the hundreds of attacks on medical facilities in the past year.
Ransomware attacks occur weekly, if not more frequently, around the United States. The damage is significant. Government cyber groups reported, “activities include credential harvesting, mail exfiltration, crypto-mining, point-of-sale data exfiltration, and the deployment of ransomware.”
Medical identity theft and insurance fraud can result. Medical identities sell for hefty prices—much higher than stolen credit card data. The hacker’s goal is economic, but these crimes also create life or death consequences for the sick and the injured.
Television series like Chicago Med and Grey’s Anatomy create scripts around the chaos that ensues when a hospital cannot access its records system. Doctors cannot read lab test results or patient histories. Specialists cannot share patient records with others who treat the same patient. It seems fictional, but these scenarios are real.
As hospital and clinic attacks rise, institutions often don’t know whether records were transferred or accessed before the lockdown and ransom demand. As a result, some institutions treat these attacks like a data breach, notifying the federal government and patients; others do not.
Responses to a ransom demand vary. Some facilities are desperate to get back up and running. Others discover their files were corrupted during an intrusion. For some organizations, the cost of recovering from an intrusion without paying the ransom and hacker help could equal or exceed the ransom requested, so they pay up.
The FBI is clear in its opposition to paying a ransom for data. The bureau warned that there are no guarantees that hackers will restore data access and paying encourages more hacks.
The U.S. Department of Health and Human Services (HHS) tracks medical data loss whenever it impacts more than 500 individuals. These days, most entries cite “Hacking/IT incident” as the cause. While some cases involve a small number of patients, others, like August’s hack of a New Mexico university hospital, involve half a million individuals or more.
Solutions for the health providers and their patient groups will differ. There is no one-size-fits-all fix.
For providers, a backup not connected to the network is a strong option. Dividing or segmenting central computer systems to limit hackers’ access if they breach the system slashes risk. Patient records can be robustly encrypted. And a regular review of the cyber response plan helps, too.
For patients, the risks are very personal. In an emergency, no paper record exists to fall back on. If the EMR is locked down, you may not receive needed treatment.
Be proactive. Scan your personal medical files to digital form and save them on a computer. Password protect the drive, too. A thumb drive loaded with the entire batch could be helpful at the emergency room during a medical event.
Beyond emergencies, keeping your own copy also protects your medical data against corruption or unrecoverable files. That’s worth a great deal. While no one can offer a 100% guarantee that you’ll be immune to a hospital ransomware attack, this logical step reduces the impact.
We see many cases of data theft at IDShield, and medical identity theft is one of the worst manifestations. A clever individual can use your identity to receive but not pay for medical care. You get the bills.
Even worse is the co-mingling of your accurate health records with those of an imposter. That’s the key reason why our members request monitoring for health policy numbers. If your insurance data is discovered somewhere on the Dark Web, we’ll alert you and work with you to find a solution. Try our identity services free for the first 30 days. We're confident you will recognize the value and peace of mind that IDShield delivers every day.