EHR Security Breaches

As the year rolls on, cybercriminals continue to pillage data from hospitals and practices through their EHR platforms. In one such EHR security breach, Southern Ohio Medical Center in Portsmouth, Ohio, announced in a post on Facebook that it fell victim to a cyberattack. An unauthorized third party gained access to its computer servers, initially causing diversion of ambulances and cancelation of appointments.

Staff were forced to document notes with pen and paper, and services for Outpatient Medical Imaging, Outpatient Cardiac Testing, Sleep Lab, Outpatient Rehab, Pulmonary Function Tests, and the Antiarrhythmia Clinic were cancelled for several days following the attack.

Indiana Hospital Crippled by October Ransomware Attack

Johnson Memorial Health in Franklin, Indiana, was hit by an EHR security breach on Oct. 1. According to a report in the local Daily Journal, the hospital’s IT team discovered the attack within 15 minutes of its launch and immediately shut down the computer systems.

It took nearly five weeks for most of the hospital operations to be fully restored.

Colorado EHR Security Breach Exposed Nearly 138k Patient Records

The Urology Center of Colorado in Denver, Colorado, announced a data security incident that occurred on September 7 and may have exposed protected health information (PHI). According to OCR’s data breach portal, the incident impacted 137,820 individuals.

Information exposed in the EHR security breach included Social Security numbers, addresses, phone numbers, medical record numbers, diagnoses, physician information, treatment cost, and birth dates. The Center has changed account passwords and will be implementing additional security safeguards. Affected patients are also being offered credit monitoring and identity protection services.

Assume Attacks Will Happen, Advises Tech Expert

According to Mac McMillan, CEO of CynergisTek, healthcare organizations should operate under the assumption that they will inevitably be hit by a cyberattack.

“We need to stop thinking that we are ever going to be completely successful at stopping all the attacks and all the threats,” McMillan asserted in a previous interview with HealthITSecurity.

HIPAA-compliant businesses are inherently more secure. This is because HIPAA dictates minimum security practices that businesses must have in place to protect PHI. Healthcare businesses are also required to track access to PHI to ensure that it is being accessed appropriately, and only by authorized parties. While all three organizations mentioned above had these systems in place, the adequacy of their efforts is yet to be fully determined.

To make sure that you are adequately protecting PHI, it is important to conduct an annual HIPAA security risk assessment (SRA). SRAs assess a business’s current security practices against HIPAA standards, uncovering deficiencies that present risks to PHI. HIPAA-compliant businesses use the information from conducting their SRA to address security vulnerabilities and better protect PHI.