The U.S. Department of Health and Human Services building is shown Aug. 16, 2006, in Washington. (Photo by Mark Wilson/Getty Images)

The Department of Health and Human Services Cybersecurity Coordination Center (HC3) released new guidance outlining the biggest threats to the electronic medical record (EMR) and electronic health record (EHR) systems and best practice mitigation.

Although there are key security basics included in the insights, HC3 also included an overview of recommended read team and blue exercises as an “imperative to understanding issues with an organization’s network, vulnerabilities, and other possible security gaps.”

The 35-page document shines a light on the importance of EHR technologies to patient care, but also how threat actors are able to exploit the platforms to gain a foothold onto healthcare networks. Phishing, malware, and ransomware are among the most common threats, as well as encryption blind spots and cloud threats.

Last year, the healthcare sector faced 578 reported data breaches, affecting over 41.5 million patients. In January 2022 alone, 2 million individuals have been impacted by 38 separate data breaches.

Covered entities and relevant business associates will find the guidance includes an overview of each threat type and the importance of data encryption. While The Health Insurance Portability and Accountability Act doesn’t overtly require data encryption, it does mandate that if a provider chooses not to encrypt data that it provides evidence of what it will use to keep the data secure.

HC3 also provides a breakdown of preventative strategies specific to securing the EMR and EHR, which include evaluating the risk before an attack and the inclusion of red and blue team exercises. The guide breaks down the risk of ransomware against the remote desktop protocol (RDP) and the need for multi-factor authentication and endpoint detection and response (EDR).

Each section outlines the most important measures, as well as its importance to overall security posture.

While it’s impossible to completely eliminate risk, these recommendations can drastically reduce the impact of a potential attack. Given that previous HHS data shows the majority of health systems faced a cyberattack in the last 18 months and data show all healthcare entities are targets, it’s an ideal time to review these insights to ensure adherence to best practices.

The guide joins previously released HHS insights on ransomware, threat mitigation, and its five-volume cybersecurity guidance broken down by organization type.