(First of two parts)

The health care industry is under siege. Data breaches of patient information have become all too common, with both external and insider threats trying to gain access to patients’ electronic health records (EHRs), and it does not appear that the number of attacks will ease up anytime soon.

But this raises the question: Why are EHRs so vulnerable to attack? And why do criminals target them in the first place?

We are going to dive into the world of EHRs and examine what makes them so vulnerable and so valuable: how EHRs need to be easily and widely accessible, how health care organizations have fallen behind on EHR security, and how criminals have built sophisticated attacks to steal EHR data and sell it for profit.

A black hole

One of the main reasons that patient information is so difficult to protect is that, within a health care organization, the EHR must be easily accessible and widely available, especially in emergencies. To make records easily accessible, employees use many different systems and devices, including workstations and mobile devices, to reach the EHR. Moreover, third-party vendors, such as equipment and drug suppliers, as well as insurance companies, often have at least limited access to patient information.

This also means that sensitive patient information is much harder to secure: every one of those systems, devices and third-party connections is an access point that criminals can exploit to reach the same body of data.

Government mandates, including the Affordable Care Act, compelled health care organizations to adopt electronic health records, even when those organizations did not have the resources to secure them properly. Unfortunately, this has left many EHR systems vulnerable to criminal attack and made them a consistently easy target.

Criminal infiltration

This problem is further compounded by the fact that health care organizations have lagged behind in putting proper security measures in place, leaving the EHR vulnerable to both insider and external threats. A KPMG study estimated that health care organizations can spend as little as one-tenth of what other industries spend on security. Thus, health care organizations are simply not prepared for the sophisticated threats that criminals are launching.

For instance, many health care organizations do not encrypt patient data, either at rest or in transit, meaning that when an EHR system is breached, criminals have direct and immediate access to the information. Encryption is necessary but not sufficient: it protects against stolen disks, backups and intercepted traffic, but not against an attacker who reads records through the application with a valid account. Yet many organizations also have no privacy analytics platform in place to monitor EHR access for insider threats, such as hospital employees who look up patient data without authorization or criminals who use stolen credentials to compromise patient information.
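As an added illustration of what that kind of access monitoring does, the script below applies two simple rules to EHR audit events: an access by a user who has no treatment relationship with the patient, and one account opening an unusual number of distinct patient records in a short window (the pattern left by stolen credentials or record scraping). This is example code written for this page, not Protenus's product or any real EHR system; the log format, the care-team table, the thresholds and the sample records are all constructed assumptions.

```python
"""Toy EHR access-log monitor for insider-threat and stolen-credential patterns.

Added example: the record format, CARE_TEAM table, thresholds and SAMPLE_LOG
are assumptions made for illustration, not any vendor's data or schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records: "<ISO timestamp> <user> <patient_id> <action>".
# Real EHR audit logs carry many more fields; this is the minimal shape needed here.
SAMPLE_LOG = [
    "2016-03-01T08:02:00 dr.kim P1001 view",
    "2016-03-01T08:05:00 dr.kim P1002 view",
    "2016-03-01T09:15:00 nurse.ray P1001 view",
    "2016-03-01T12:40:00 clerk.pat P1007 view",   # clerk.pat is not on P1007's care team
    "2016-03-01T23:01:00 nurse.ray P2001 view",   # nurse.ray's account, after hours,
    "2016-03-01T23:04:00 nurse.ray P2002 view",   # walking through six unrelated
    "2016-03-01T23:07:00 nurse.ray P2003 view",   # patient records in 15 minutes
    "2016-03-01T23:10:00 nurse.ray P2004 view",
    "2016-03-01T23:13:00 nurse.ray P2005 view",
    "2016-03-01T23:16:00 nurse.ray P2006 view",
]

# Assumed treatment relationships: which staff are on each patient's care team.
CARE_TEAM = {
    "P1001": {"dr.kim", "nurse.ray"},
    "P1002": {"dr.kim"},
    "P1007": {"dr.lee"},
}

BULK_THRESHOLD = 5              # distinct patients ...
BULK_WINDOW = timedelta(hours=1)  # ... within this window triggers an alert


def parse_line(line):
    """Parse one audit record into a dict; raises ValueError on a malformed line."""
    ts, user, patient, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "patient": patient, "action": action}


def find_no_relationship(events, care_team):
    """Rule 1: access to a patient's record by someone not on that patient's care team."""
    return [e for e in events if e["user"] not in care_team.get(e["patient"], set())]


def find_bulk_access(events, threshold, window):
    """Rule 2: one account touched >= threshold distinct patients within window.

    Uses a sliding window over each user's time-ordered events; emits at most
    one alert per user so a scraping session does not flood the analyst.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            patients = {start["patient"]}
            for later in evs[i + 1:]:
                if later["ts"] - start["ts"] > window:
                    break
                patients.add(later["patient"])
            if len(patients) >= threshold:
                alerts.append({"user": user, "start": start["ts"],
                               "distinct_patients": len(patients)})
                break
    return alerts


def analyze(lines, care_team=CARE_TEAM):
    """Run both rules over raw log lines and return the alerts by rule."""
    events = [parse_line(line) for line in lines]
    return {
        "no_relationship": find_no_relationship(events, care_team),
        "bulk_access": find_bulk_access(events, BULK_THRESHOLD, BULK_WINDOW),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for e in result["no_relationship"]:
        print(f"NO-RELATIONSHIP {e['ts'].isoformat()} {e['user']} -> {e['patient']}")
    for a in result["bulk_access"]:
        print(f"BULK-ACCESS {a['start'].isoformat()} {a['user']} "
              f"opened {a['distinct_patients']} distinct patients within {BULK_WINDOW}")
```

On the sample data the first rule flags the clerk's single lookup and all six of the after-hours views, and the second rule raises one alert for the nurse's account; both signals together are what distinguishes a compromised credential from an occasional curious employee. A production platform would add the context this toy omits: shift schedules, department and role, VIP or family-member lookups, and baselines per user rather than a fixed threshold.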

Tip of the iceberg

Ransomware attacks are a good example of the level of sophistication that cyber criminals are using against health care organizations. In a ransomware attack, the criminal holds the EHR for ransom by breaking into the system and encrypting the data so that the organization can no longer use it. The criminal then demands a ransom, usually in bitcoin because it is hard to trace, in exchange for the decryption key.

Health care organizations are particularly vulnerable to this type of attack because they cannot do without the information: without it, lives could be in jeopardy. It should come as no surprise that ransomware attacks on health care are becoming more common and more damaging, with one estimate putting 88 percent of all ransomware attacks on health care organizations.

Hollywood Presbyterian Medical Center experienced the effects of a ransomware attack firsthand in February 2016, when criminals locked the medical center out of its EHR for more than a week until the hospital paid the attackers about $17,000 in bitcoin. Some criminals add a further layer to their ransomware attacks by using them as a diversion. When a ransomware attack occurs, incident responders and law enforcement often focus solely on the ransomware itself, leaving the rest of the environment unwatched and allowing the criminals to reach patient records and quietly exfiltrate them.

Even if a hospital has backups of its patient data and is able to restore it, or simply pays the ransom to get the records back, it has no way of knowing how many records were exfiltrated while the criminals held the information for ransom unless it kept access and network logs from before and during the incident and actually reviews them.

Real victims

If health care organizations continue to delay putting proper security measures in place to protect their EHRs, they will find themselves in the headlines for all the wrong reasons. Getting serious about patient privacy means building a robust security program that protects the EHR system against threats from both internal and external sources.

When an organization fails to implement these measures, it is often the patients who pay the price. Victims can easily spend thousands of dollars and hundreds of hours simply trying to put their lives back together.

It is imperative for health care organizations to become proactive in monitoring and protecting their patient data. The sooner a breach is discovered, the sooner an organization can mitigate the risk of catastrophic damage to its reputation and, more importantly, to its patients' lives.

Robert Lord is co-founder and CEO of Protenus and a fellow with the Institute for Critical Infrastructure Technology.