EHR Vendors: The Next Target for Healthcare Hackers?
Hackers have already put hospital networks and insurers on notice that they’re interested in the health data they protect. Electronic health record vendors may be next.
As this story on the health news website Healthinformationsecurity notes, the firm Medical Informatics Engineering informed customers on June 10 that it was the victim of a cyber attack that resulted in the theft of data. The company makes NoMoreClipboard, a web-based electronic health record (EHR) platform that allows doctors’ offices to manage patient information via a web-based portal.
According to statements from the company, on May 26, employees discovered suspicious activity relating to one of its servers. An investigation, with the help of third-party forensics experts, indicated that the intrusion began on May 7, 2015. Furthermore, attackers made off with protected health information on patients of “certain Medical Informatics Engineering clients.”
Data including the patients’ names, mailing addresses, email addresses and dates of birth were compromised. For some unstated number of patients, additional information stolen included Social Security Numbers, lab results, dictated reports, and medical conditions.
In a message to customers, Medical Informatics Engineering and NoMoreClipboard encouraged customers to change their password and instituted a “forced change” policy coupled with an out of band “two factor” authentication.
The hack follows similar attacks on healthcare firms Community Health Systems, Premera and Anthem. In each case, the attacks were described as “advanced” – though that’s a term with lots of possible meanings and no meaning at all.
What’s new here? Targeting Medical Informatics Engineering and NoMoreClipboard is significant because it suggests that health data hackers are moving upstream: from hospital networks or insurers who might represent patients in a particular geographic area to a service provider with customers all over the country. As with the (apocryphal) story about bank robber Willie Sutton explaining his choice of targets by noting “that’s where the money is,” thieves bent on identity theft, account hijacking or sophisticated spear phishing and social engineering attacks choose health firms because “that’s where the data is.” Web-based EHR systems simply allow them to access data from hundreds or thousands of health networks in one fell swoop. And, like other web-based applications, it’s likely that web-based EHR systems suffer from many common application vulnerabilities that might give attackers access to backend systems and data – from SQL injection to cross site scripting.
This won’t be the last time we hear about an attack on web-based EHR platforms. The Affordable Care Act (aka “Obamacare”) has created significant incentives for doctors’ offices to embrace EHR systems, replacing inefficient, paper bound medical records systems. Platforms like NoMoreClipboard allow them to reap the advantages of these sophisticated tools without needing to invest in hardware, software and IT staff to manage them – a big bonus in an industry, like healthcare, where the margins are small.
What’s the fix? EHR firms should take note that sophisticated attackers are on to them and that EHR application servers are now squarely in the crosshairs of these malicious actors. As with healthcare companies and hospitals, the focus should be on removing low hanging fruit that can lead to compromises and putting in robust detection tools to shorten the window of exposure in the event of a compromise from weeks (in this case) to days, hours or – ideally – minutes. The less time attackers have on your network, the less damage they can do to your organization.
Paul F. Roberts is the Editor in Chief of The Security Ledger.