In September, Nebraska Medicine reported that it had suffered a cyberattack targeting its electronic health records (EHR) system. More details on this healthcare cyber attack and EHR data breach are discussed below.
Nebraska Medicine EHR Breach
On September 20, 2020, Nebraska Medicine discovered that its networks and servers had been compromised when patient files could not be accessed. It quickly became evident that the organization had suffered an EHR data breach, as it could not access patient portals in several of its healthcare locations. Sites affected by the EHR breach included Great Plains Health and hospital branches in Norfolk, Hastings, and Beatrice.
To prevent further repercussions from the EHR data breach, Nebraska Medicine implemented downtime procedures, which took its EHR offline until the source of the healthcare cyber attack could be detected.
Upon investigation into the incident, Nebraska Medicine discovered that, although the incident was not detected until September, hackers initially gained access to the network on August 27. The investigation also found that threat actors installed malware on Nebraska Medicine’s network and exfiltrated both patient and employee data.
The Nebraska Medicine data breach investigation determined that the protected health information (PHI) compromised in the EHR data breach varied by patient. PHI affected included patient names, dates of birth, contact information, medical record numbers, health insurance information, and clinical data. Some patients also had their Social Security numbers compromised; these patients will receive free identity theft protection and credit monitoring services.
To prevent similar healthcare cyber attacks from occurring in the future, Nebraska Medicine has implemented increased security features, including healthcare network monitoring tools. It is also conducting regular audits of access patterns so that it can quickly detect unauthorized access to its systems and prevent healthcare cyber attacks.
HIPAA EHR Security
When choosing an EHR platform, it is important to consider the security features the platform offers.
Access controls.
Designate different levels of access to ePHI based on an employee’s job role. This is accomplished through the use of unique login credentials for user authentication.
Audit controls.
Audit controls track access to ePHI, including who accesses what information, whether they made any changes, and when changes were made. Through the use of audit controls, unauthorized access to ePHI can be detected quickly.
Encryption.
Encryption is a means of data protection that masks sensitive data, preventing unauthorized access. By utilizing encryption, only users possessing a decryption key can access the data.
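
The access controls and audit controls described above work together when access logs are reviewed: each logged access to ePHI is checked against what the user's job role permits. The Python sketch below is an added example, not code from Nebraska Medicine or any EHR vendor; the role map, account names, log format, and volume threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical role-to-permission map (assumption): which (action, record type)
# pairs each job role may perform on ePHI.
ROLE_PERMISSIONS = {
    "physician": {("read", "clinical"), ("write", "clinical"), ("read", "demographics")},
    "billing": {("read", "insurance"), ("write", "insurance"), ("read", "demographics")},
    "front_desk": {("read", "demographics"), ("write", "demographics")},
}
USER_ROLES = {"dr_lee": "physician", "b_cho": "billing", "f_ortiz": "front_desk"}

# Constructed audit records: timestamp, user, action, record type, patient MRN.
AUDIT_LOG = """\
2020-09-01T09:12:04,dr_lee,read,clinical,MRN001
2020-09-01T09:15:40,dr_lee,write,clinical,MRN001
2020-09-01T10:02:11,b_cho,read,insurance,MRN002
2020-09-01T10:05:37,b_cho,read,clinical,MRN002
2020-09-01T11:20:00,f_ortiz,read,demographics,MRN003
2020-09-01T11:20:05,f_ortiz,read,demographics,MRN004
2020-09-01T11:20:09,f_ortiz,read,demographics,MRN005
2020-09-01T11:20:14,f_ortiz,read,demographics,MRN006
2020-09-01T23:41:52,svc_tmp,read,clinical,MRN001
"""

def parse(log_text):
    """Yield (timestamp, user, action, record_type, mrn) for each log line."""
    for line in log_text.strip().splitlines():
        ts, user, action, rtype, mrn = line.split(",")
        yield datetime.fromisoformat(ts), user, action, rtype, mrn

def review(log_text, max_patients_per_day=3):
    """Return findings: unknown accounts, role violations, high-volume access."""
    findings = []
    patients = defaultdict(set)  # (user, date) -> distinct MRNs touched
    for ts, user, action, rtype, mrn in parse(log_text):
        role = USER_ROLES.get(user)
        if role is None:
            findings.append((ts, user, "unknown-account", mrn))
        elif (action, rtype) not in ROLE_PERMISSIONS[role]:
            findings.append((ts, user, f"role-violation:{action}/{rtype}", mrn))
        key = (user, ts.date())
        patients[key].add(mrn)
        # Flag once, at the first access that crosses the daily threshold.
        if len(patients[key]) == max_patients_per_day + 1:
            findings.append((ts, user, "volume-threshold", mrn))
    return findings

if __name__ == "__main__":
    for ts, user, reason, mrn in review(AUDIT_LOG):
        print(ts.isoformat(), user, reason, mrn)
```

A volume finding is a prompt for human review rather than proof of misuse, since the access itself may be within the user's role.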