Cybersecurity Alert:
Web-Based PT EMR Gets Even More Risky
Yesterday, US-CERT (The United States Computer Emergency Readiness Team) publicly disclosed a vulnerability in WPA2, the encryption protocol that protects nearly every wireless network, including yours. Technical details are listed at the end of this blog.
HOW THIS IMPACTS YOUR PRACTICE
With web-based PT EMR, PHI is decrypted in the browser on the therapist’s computer, and the only encryption protecting it on the wire is the browser’s HTTPS session. KRACK lets an attacker within radio range of your office decrypt (and, in some configurations, inject into) WPA(2)-protected WiFi frames, so the WiFi layer can no longer be trusted to hide the data stream: anything the web application sends without TLS, or any session that can be downgraded from HTTPS to plain HTTP, is readable in cleartext. If you log into your EMR on an internet browser (Chrome, Safari, Firefox, Edge) over WiFi, you are relying entirely on that vendor’s TLS configuration right now. This web-based PT EMR vulnerability is unacceptable.
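Once the WiFi layer is readable, whether a browser-based EMR session leaks depends on whether the web application forces TLS and keeps its session cookies off plain HTTP; the KRACK disclosure demonstrated exactly this kind of downgrade against a site that had not enforced HTTPS. The following is an added example, not code from the original post and not any EMR vendor’s software: it inspects the response headers a login page returns (two responses constructed for the example, in the form `curl -i` would print) and reports the gaps a WiFi-layer attacker could exploit: a missing or short-lived Strict-Transport-Security header, cookies without the Secure or HttpOnly flags, or a login page served over plain HTTP. The six-month HSTS floor is an assumption chosen for the example.

```python
"""Audit a web login page's transport hardening from its raw HTTP response.

Added example (not part of the original post). Given the headers a server
returns, report anything that would let an attacker who can read or inject
WiFi frames downgrade the session to cleartext or steal the session cookie.
"""

import re

# Constructed raw responses, as `curl -i https://emr.example/login` would show them.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SESSIONID=abc123; Path=/
Set-Cookie: remember_me=1; Path=/; HttpOnly

<html>...login form...</html>
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax

<html>...login form...</html>
"""

# Assumed policy for this example: HSTS must pin HTTPS for at least six months.
MIN_HSTS_AGE = 180 * 24 * 3600


def parse_response(raw):
    """Return (status_line, [(header_name_lowercase, value), ...]) from a raw response."""
    head = raw.split("\n\n", 1)[0]          # headers end at the first blank line
    lines = head.splitlines()
    headers = []
    for line in lines[1:]:                   # lines[0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_transport(raw, scheme="https"):
    """Return a list of findings; an empty list means nothing obvious to fix."""
    findings = []
    _, headers = parse_response(raw)

    if scheme != "https":
        findings.append("login page served over plain HTTP: credentials and PHI are cleartext on the air")

    # Without HSTS, a first visit (or a typed http:// URL) can be held at plain HTTP
    # by an attacker who can inject into the connection.
    hsts = [v for n, v in headers if n == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header: the session can be downgraded to HTTP")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0])
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age is too short (%s)" % hsts[0])

    # A cookie without Secure is sent by the browser over any HTTP request to the
    # site; without HttpOnly it can be read by script injected into a page.
    for _, cookie in [(n, v) for n, v in headers if n == "set-cookie"]:
        name = cookie.split("=", 1)[0].strip()
        flags = {f.strip().lower() for f in cookie.split(";")[1:]}
        if "secure" not in flags:
            findings.append("cookie %s lacks Secure: the browser will send it over HTTP" % name)
        if "httponly" not in flags:
            findings.append("cookie %s lacks HttpOnly: readable by injected script" % name)
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_transport(raw) or ["no findings"])
```

On a real system, paste the output of `curl -i` against the EMR login URL into `audit_transport`; the scheme argument records whether the page was fetched over HTTPS or was reachable over plain HTTP at all.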
With Systems 4PT, PHI is accessed through a VPN (as is recommended by US-CERT). With this technology, unencrypted PHI data is never on the therapist’s computer. In fact, the PHI never leaves our Data Center (the therapist edits the secure data, remotely).
If you’re using web-based PT EMR, the risks are amplified further. A leading web-based PT EMR advertises “Anywhere Access” and “Any employee can access your PHI from any internet connected device, anywhere, anytime.” The risks with this approach are unacceptable.
We discussed the unacceptable vulnerabilities of web-based PT EMR above: a hacker within range of your wireless network can capture the EMR traffic of any unpatched device that is not also protected end to end, and the PHI itself sits decrypted in the browser. Moreover, your vulnerabilities skyrocket if employees (or hackers) can log into ANY wireless network, using ANY computer, ANYWHERE, ANYTIME. This concept invites the scenario where PHI is opened in a browser on an infected personal computer, over an unprotected public or home wireless network. And you, the practice owner, have absolutely no control over the process. (You should not accept this risk.)
With Systems 4PT, the practice owner decides which computers can access their PHI.
Hacking is obviously accelerating. The “bad guys” are getting better each day.
The bottom line: If you’re using web-based PT EMR, we strongly advise against it. Systems 4PT is the leader in outpatient rehab cybersecurity. We don’t use web-based navigation, we don’t put unencrypted PHI on your computer. Instead, we use a VPN and we don’t let “any employee access your PHI from any computer, anywhere, anytime.”
To be clear, we’re not saying that your web-based PT EMR is not HIPAA compliant. We’re saying that this type of software makes your practice very, very vulnerable to hackers and a PHI data breach. And when that happens, you’re the one who’s not HIPAA compliant.
Completely unacceptable.
BACKGROUND
Most practices use wireless networks for internet access. The most widely used forms of encryption are WPA(1), which uses the older TKIP cipher, and WPA(2), which uses AES (CCMP). It’s very important that you know which type your routers are configured for; the setting is on the router’s wireless security page, and most laptops and phones also show it in the network’s details.
Scary fact: WPA(1)’s TKIP encryption has been broken since 2008. With free tools, any tech enthusiast worth their salt can decrypt and inject traffic on a WPA(1) network in roughly 15 minutes, and the even older WEP standard falls in minutes. It is important that you verify that your practice WiFi is not using WPA(1) or WEP, and that “mixed mode” WPA/WPA2 (which still allows TKIP) is turned off.
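Checking which protection each nearby network actually advertises is quick from a Linux laptop with NetworkManager: `nmcli -t -f SSID,SECURITY dev wifi` prints one network per line as `SSID:SECURITY`. The following is an added example, not code from the original post: it parses that terse output (a scan constructed for the example, including an SSID containing an escaped colon and an open network with an empty SECURITY field) and flags WEP and WPA(1) as weak, open networks as unusable for PHI, and WPA(2) networks as needing KRACK patches on every device. The verdict wording is the example’s own.

```python
"""Flag weak WiFi security from an nmcli scan.

Added example (not part of the original post). Parse the terse output of
`nmcli -t -f SSID,SECURITY dev wifi` and classify each network by the weakest
protection it advertises. Run the command on a real machine and pass its
output to audit_scan(); the scan below is constructed for the example.
"""

import re

# Constructed sample of `nmcli -t -f SSID,SECURITY dev wifi` output. Terse mode
# escapes colons inside values as "\:" and leaves SECURITY empty for open networks.
SAMPLE_SCAN = """\
FrontDesk:WPA2
OldBreakRoom:WPA1 WPA2
Clinic\\:Guest:
LegacyPrinter:WEP
Therapist-Laptop-Hotspot:WPA2 802.1X
"""

# Checked in order; the first token present decides the verdict, so a mixed-mode
# "WPA1 WPA2" network is rated by its weakest option.
RULES = [
    ("WEP", "WEAK: WEP is broken in minutes; stop using this network"),
    ("WPA1", "WEAK: WPA(1)/TKIP is broken in about 15 minutes; reconfigure for WPA2 (AES/CCMP) only"),
    ("WPA2", "PATCH: WPA2 is exposed to KRACK until the router and every client are patched"),
]


def parse_nmcli_terse(text):
    """Return [(ssid, security), ...] from terse nmcli output."""
    networks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split only on colons that are not escaped, so SSIDs containing ":" survive.
        fields = re.split(r"(?<!\\):", line)
        ssid = fields[0].replace("\\:", ":")
        security = fields[1].strip() if len(fields) > 1 else ""
        networks.append((ssid, security))
    return networks


def classify_security(security):
    """Return a verdict string for one network's SECURITY field."""
    if security in ("", "--"):                # open network (tabular mode prints "--")
        return "OPEN: no encryption at all; never use this for PHI"
    tokens = security.split()
    for token, verdict in RULES:
        if token in tokens:
            return verdict
    return "UNKNOWN: review manually (%s)" % security


def audit_scan(text):
    """Map each SSID in a scan to its verdict."""
    return {ssid: classify_security(sec) for ssid, sec in parse_nmcli_terse(text)}


if __name__ == "__main__":
    for ssid, verdict in audit_scan(SAMPLE_SCAN).items():
        print("%-26s %s" % (ssid, verdict))
```

Run it against a live scan with `nmcli -t -f SSID,SECURITY dev wifi | python3 wifi_audit.py` after replacing `SAMPLE_SCAN` with `sys.stdin.read()`; any line rated WEAK or OPEN should be reconfigured or taken out of service before it carries PHI.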
Now we learn that WPA(2) encryption is vulnerable. Yesterday, an advisory from US-CERT publicly disclosed that WPA(2) is vulnerable to KRACK (Key Reinstallation Attacks), a flaw in the protocol’s handshake that lets an attacker within radio range trick a device into reusing a key and thereby decrypt, replay and in some cases forge its WiFi traffic.
Systems 4PT anticipates that all the major vendors will release patches for current hardware. The flaw is in how devices handle the WPA(2) handshake, not in the encryption itself, so patches are backward compatible and no new encryption protocol is required. Note that KRACK mainly affects the client side (laptops, tablets and phones, and the Windows, macOS, iOS, Android and Linux software on them); routers and access points are affected chiefly when they use fast roaming (802.11r) or act as clients themselves. Until every device is patched, an attacker within range of your clinic can decrypt the WiFi traffic of vulnerable devices and steal any PHI that is not also encrypted by HTTPS or a VPN.
Practice owners can bear civil and, in some cases, criminal liability for a PHI data breach. US-CERT provided three suggestions to help you mitigate the problem while you wait for vendors to ship patches.
- Update your router regularly to check for security patch updates. If you don’t know how to do this, search: How to update my [brand name, model #] router. Do the same for every device that connects to it (laptops, tablets, phones), since KRACK primarily affects the client side.
- Stop using WiFi until your router provides a security patch
This would involve connecting computers with Ethernet cables (Cat 5e or Cat 6) and turning off the wireless radio on the router. There’s no question, this option limits mobility, but it removes the exposure entirely.
For example, Systems 4PT’s Technology Center does not use WiFi for business operations.
- A much less intrusive option is using a Virtual Private Network (VPN) to encrypt your traffic above the WiFi layer, especially if you keep using WiFi, and especially in those places where you don’t control the wireless network. A VPN only protects traffic while the tunnel is actually connected, so configure clients so that PHI traffic cannot flow when it is down.
Systems 4PT is not web-based. As described above, PHI is accessed over a VPN, so unencrypted PHI is never on the therapist’s computer and never leaves our Data Center.
CONCLUSION
Your practice can sharply reduce its exposure to this and similar attacks if you follow the US-CERT recommendations, use Systems 4PT’s VPN rather than web-based PT EMR, and follow our cybersecurity protocol.