New Year, New Threats: Electronic Health Record Cyberattacks

The recent flood of cyberattacks means that hackers are relentless and more sophisticated than ever before.

by Nora O'Brien / January 19, 2015

Cyberattacks are clearly on the minds of President Barack Obama, Islamic State jihadists, Sony Pictures execs and the CBS producers who are launching a new show this spring called CSI: Cyber. On Jan. 13, Obama announced plans to reboot and strengthen U.S. cybersecurity laws in the wake of the Sony Pictures hack and the one on the Pentagon's Central Command Twitter account from sympathizers of the Islamic State. Whether a real attack or depicted in television and films like Blackhat, this flood of cyberattacks means that hackers are relentless and more sophisticated than ever before.

I’m not a fear monger by trade but want to sound the alarm that there is another cyber-risk that is looming and warrants attention of our emergency management community and government: electronic health records. The American Recovery and Reinvestment Act of 2009 authorized the Centers for Medicare and Medicaid Services to award billions in incentive payments to health professionals (hospitals, long-term care agencies, primary care, etc.) to demonstrate the meaningful use of a certified electronic health record (EHR) system.

The intent to create EHR systems is to improve patient care by providing continuity of care from provider to provider by creating health information exchanges (HIEs) that allow “health-care professionals and patients to appropriately access and securely share a patient’s vital medical information electronically,” says In addition, financial penalties are scheduled to take effect in 2015 for Medicare and Medicaid providers who do not transition to electronic health records.

What do the cyber threats and attacks mean for the EHR systems and health information exchanges? Since health-care providers have been installing EHRs, the number of cyber threats and attacks has grown.

As stated in a September 2014 MIT Technology Review article, “cybercriminals are increasingly targeting the computer networks of hospitals — one recently announced theft involved data from 4.5 million people who had received treatment from Community Health Systems, a company that runs more than 200 hospitals. … Data security is often lax within health-care facilities, and hackers are targeting systems that store troves of valuable personal information held in electronic medical records, according to the Websense researchers, who say they’ve observed a 600 percent increase in attacks on hospitals over the past 10 months.”

In a Politico article from summer 2014, “As health data become increasingly digital and the use of electronic health records booms, thieves see patient records in a vulnerable health-care system as attractive bait. On the black market, a full identity profile contained in a single record can bring as much as $500.”

Lastly, the Target, Sony and Department of Defense hacks bring into focus the need for further action to prevent data breaches that could potentially have deadly or serious repercussions. If major corporations or the federal government can’t protect their data networks, what chance does a primary care provider or long-term care agency have to protect a patient’s medical record?

Medical records include sensitive personal information such as a person’s blood type, HIV status, cancer or MS diagnosis, etc., that goes well beyond our Social Security and financial data. I develop plans for all types of health-care providers around the country and can safely say that a good majority of them have don’t have adequate firewalls, data security procedures or even business continuity plans to protect their electronic health records. I’m sounding the alarm and don’t have all the answers but want to start the conversation about how to protect patients and their data.

Nora O'Brien is the principal consultant of Connect Consulting Services, a health-care emergency management firm that provides plan development, training and drills, and exercise services to health-care agencies throughout the U.S. She has a master’s degree in Public Affairs, Disaster and Emergency Management and is a Certified Emergency Manager. She can be reached at or @NoraConnect on Twitter.

This commentary was originally published by Emergency Management