How NextGen EMR Breach Is A Wake-Up Call For Healthcare CIOs
David Chou, Contributor
NextGen Healthcare, one of the major Electronic Medical Record (EMR) providers confirmed on April 28, 2023 that a data breach impacted over a million patients, including roughly 4,000 residents of Maine. The company disclosed that unauthorized individuals accessed personal patient information such as names, birth dates, addresses, and Social Security numbers.
Healthcare vendor breaches are becoming an inevitable risk rather than a mere possibility. The question is no longer 'if' such a breach will occur but 'when.'
Thus, CIOs, CDOs, and even CEOs must understand and prepare for these cybersecurity threats, ensuring an appropriate and effective response when a breach does occur. Healthcare leaders must prioritize these four areas for immediate action.
Regular Vulnerability Assessments and Penetration Testing:
Organizations must conduct regular vulnerability assessments and penetration testing to identify potential weaknesses in the system.
A penetration test is a fire drill for the organization's computer systems. It's a simulated cyberattack that identifies weak spots such as technical issues, setup mistakes, vulnerabilities, or system design flaws. A penetration tester will attempt to exploit weaknesses to gain access, modify functionality, and corrupt the business logic of the target system without creating additional risk to the organization.
Vulnerability assessments are health check-ups for an organization's systems. They help the organization understand and respond to potential threats. Leaders must know where their systems might be weak, whether in the network infrastructure, database systems, or applications. Remember, software is written by people, and people make mistakes, so your software will inevitably have bugs that could put your organization's safety at risk.
Educating Staff:
Employees are often the weakest link in the cybersecurity chain. It's essential to provide regular cybersecurity training to all staff members. This training should include recognizing phishing attempts, proper password management, and understanding the importance of regular software updates. The commitment to security education should match the importance of frequent hand washing by clinicians.
Understand Your Partners:
Even when healthcare organizations are not directly responsible, the business associates they partner with can cause data breaches.
A glance at the Office for Civil Rights website reveals a concerning trend: seven out of the ten largest breaches, ranked by the number of individuals affected, are attributed to business associates.
In an interview with Drex Deford, Executive Healthcare Strategist at Crowdstrike and a former CIO at various health systems, he said, "Health systems continue to outsource, co-source, partner, and use SaaS at an accelerated rate. That means there's more data in the hands of those partners. Health systems trust those partners (third parties) to secure all the data. And when a partner builds a great (for example) SaaS product, and hundreds of health systems sign up for it, that creates a very attractive 'center of gravity' for adversaries. All that data, from lots of health systems, in one place."
In an environment where healthcare organizations utilize hundreds of software applications and engage with numerous vendors within their ecosystem, this area is a significant risk factor requiring close attention.
Incident Response Planning:
Breaches will occur even with the best preventive measures in place. A breach is defined as unauthorized use or exposure of protected health information, except when the involved organization, whether a healthcare provider or business associate, can demonstrate that the probability the information was compromised is low.
Having an incident response plan in place is essential. In an email interview with David Finn, Vice President at CHIME (Association for Healthcare CIOs), he said, "One of the biggest problems we see is when organizations get it wrong out of the gate: inaccurate information will only make matters worse for patients and employees and only adds to the appearance that you may not be doing things correctly. We've all seen the organization that says 20,000 records were breached, and a week later, it's 50,000, and then when the investigation is done, you're at 100,000."
Your incident response plan must include steps to identify and contain the breach, eradicate the threat, recover from the incident, and communicate appropriately with patients, staff, and regulators.
In conclusion, the recent NextGen EMR breach should resonate as a stark warning for all healthcare CIOs, CDOs, and CEOs. As we transition into the digital healthcare era, implementing robust cybersecurity strategies is non-negotiable. These strategies are instrumental in protecting patient safety and upholding trust. Healthcare organizations must strengthen their cybersecurity defenses, ensuring their preparedness and resilience in the face of potential future breaches.