HAP's Latest News

Digital Health Records are Cyber Hackers' Top Target

April 12, 2023

This month, the federal government urged the health care community to stay vigilant about emerging cyber threats, particularly when it comes to electronic medical records.

In a pair of reports, the Health Sector Cybersecurity Coordination Center (HC3) and the Office of Information Security (OIS) outlined the rise of cyberattacks targeting digital health records and the steps organizations can take to stay ready.

“Electronic medical/health records are here to stay for the foreseeable future, so organizations should work to protect personal identifiable information/protected health information and should be aware of market trends,” HC3/OIS noted last week.

Here’s what you need to know:

  • Top digital threats:  In a report last week, HC3 and OIS listed phishing attacks, fraud, data breaches and vulnerabilities, malware and ransomware attacks, and encryption blind spots as some of the top threats against electronic medical/health records.
  • Core trend:  With the rise of wearable devices, telehealth, and “big data,” health care’s digital transition is well underway. This digital transformation requires additional layers of protection against bad actors.
  • Key vulnerability:  About 90 percent of the top 10 largest health care data breaches during 2022 were linked to third-party vendors.
  • A model of security:  HC3 recommends organizations implement so-called “Zero Trust Security Models” that aim to minimize the risk and promote timely response to cyber threats.
  • Quotable:  “It is imperative that organizations in the health care and public health sector gain an awareness of potential risks and implement the right threat intelligence tools to quickly identify, mitigate, and prevent cyberattacks,” HC3/OIS said last week.

Additionally, in an analyst note last week, HC3/OIS again warned the health care community about the pro-Russian hacktivist group “KillNet,” and its efforts to target the health care community.

The group uses distributed denial-of-service (DDoS) attacks to disrupt normal server traffic and cause network outages. Earlier this year, the group conducted 90 attacks against hospitals, health centers, and health systems, the analyst note said.

“Although their primary type of cyberattack method usually does not cause major damage, it can cause service outages to vulnerable systems lasting several hours or even days,” the analyst note said. “Whereas many hacktivist groups abstain from targeting health care and public health organizations, the group has dispassionately targeted hospitals and medical organizations across the sector.”

The analyst note is available online.

HAP continues to monitor the latest cybersecurity developments and provide updates to members. For more information about health care cybersecurity, contact Jason Tomashunas, MS, CHEP, HAP manager, emergency management.

Additionally, John Riggi, the American Hospital Association's (AHA) senior advisor for cybersecurity and risk, is able to assist AHA members with expertise and resources about health care cybersecurity.