Cybersecurity Risks of Web-Based PT EMR
The United States Computer Emergency Readiness Team (US-CERT) has disclosed that your wireless network is vulnerable to attackers. Most practices use wireless networks for internet access. The most widely used forms of Wi-Fi encryption are the original WPA and WPA2, and you must know which one your practice is using. The original WPA relies on the TKIP cipher, which has publicly known, practical attacks and has been deprecated; an attacker with off-the-shelf tools does not need much skill to exploit it, so verify that your practice WiFi is not using WPA. Now we learn that WPA2 is vulnerable as well. Yesterday, an advisory from US-CERT publicly disclosed that WPA2 is vulnerable to KRACK (Key Reinstallation Attacks).
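A concrete way to answer "which encryption is my practice WiFi using?", as an added example that is not part of the original article: the script below parses the output of Windows `netsh wlan show interfaces` (the currently connected network) or Linux `nmcli -t -f SSID,SECURITY dev wifi` (every visible network) and flags open, WEP, original-WPA, TKIP and mixed WPA/WPA2 networks. The sample outputs, SSIDs and verdict labels are constructed for illustration; nmcli reports the WPA generation but not the cipher, so for those entries the cipher is recorded as unknown.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `netsh wlan show interfaces` output (Windows),
# trimmed to the relevant fields. Not captured from a real clinic network.
NETSH_SAMPLE = """\
There is 1 interface on the system:

    Name                   : Wi-Fi
    State                  : connected
    SSID                   : ClinicNet
    Authentication         : WPA-Personal
    Cipher                 : TKIP
    Profile                : ClinicNet
"""

# Constructed sample of `nmcli -t -f SSID,SECURITY dev wifi` output (Linux).
NMCLI_SAMPLE = """\
ClinicNet:WPA1 WPA2
FrontDeskPrinter:WEP
GuestWiFi:
BackOffice:WPA2
"""


@dataclass
class WifiAssessment:
    ssid: str
    auth: str
    cipher: str
    verdict: str  # "unacceptable", "weak" or "acceptable" (labels chosen for this example)
    reason: str


def assess(ssid: str, auth: str, cipher: str = "unknown") -> WifiAssessment:
    """Rate a network from its authentication mode and cipher name."""
    a, c = auth.strip().upper(), cipher.strip().upper()
    if not a or a == "OPEN" or c == "NONE":
        return WifiAssessment(ssid, auth, cipher, "unacceptable",
                              "open network: no link-layer encryption at all")
    if "WEP" in a or c == "WEP":
        return WifiAssessment(ssid, auth, cipher, "unacceptable",
                              "WEP is broken; keys are recoverable in minutes")
    # netsh reports the original WPA as "WPA-Personal"; nmcli reports it as "WPA1".
    versions = {"WPA1" if v == "WPA" else v for v in re.findall(r"WPA[123]?", a)}
    if not versions:
        return WifiAssessment(ssid, auth, cipher, "unacceptable",
                              f"unrecognised authentication mode {auth!r}")
    if versions == {"WPA1"} or c == "TKIP":
        return WifiAssessment(ssid, auth, cipher, "unacceptable",
                              "original WPA / TKIP: deprecated, practical attacks exist")
    if "WPA1" in versions:
        return WifiAssessment(ssid, auth, cipher, "weak",
                              "mixed WPA/WPA2 mode lets clients negotiate TKIP; "
                              "set the router to WPA2-only with AES (CCMP)")
    if "WPA3" in versions:
        return WifiAssessment(ssid, auth, cipher, "acceptable", "WPA3")
    return WifiAssessment(ssid, auth, cipher, "acceptable",
                          "WPA2 with AES (CCMP); still apply KRACK patches to every client and AP")


def parse_netsh(text: str) -> WifiAssessment:
    """Assess the connected network from `netsh wlan show interfaces` output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return assess(fields.get("SSID", "<not connected>"),
                  fields.get("Authentication", ""),
                  fields.get("Cipher", "unknown"))


def parse_nmcli(text: str) -> List[WifiAssessment]:
    """Assess every visible network from `nmcli -t -f SSID,SECURITY dev wifi` output."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Terse mode separates fields with ':'; a ':' inside an SSID is escaped as '\:'.
        ssid, _, security = line.rpartition(":")
        results.append(assess(ssid.replace(r"\:", ":"), security))
    return results


if __name__ == "__main__":
    for r in [parse_netsh(NETSH_SAMPLE), *parse_nmcli(NMCLI_SAMPLE)]:
        print(f"{r.ssid:18} {r.verdict:12} {r.reason}")
```

Run it against the real command output on the clinic's front-desk machine (`netsh wlan show interfaces | python check_wifi.py` after swapping the sample for `sys.stdin.read()`); any "unacceptable" or "weak" verdict means the router should be set to WPA2-only with AES before anything else on this page matters.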
How Do The Risks Affect Your Physical Therapy Clinic
With web-based PT EMR, PHI is delivered to a browser on the therapist's computer, where it is rendered in plaintext and may be cached to disk. The exposure is plain: an attacker who breaks your WPA2 encryption can capture the wireless traffic that carries that PHI. If you log into your EMR in a browser (Chrome, Safari, Firefox, Edge) over WiFi, you are exposed right now. One caveat a practitioner will want: KRACK breaks the WiFi link-layer encryption only. An EMR served over properly configured HTTPS (TLS), with HSTS so the browser refuses to fall back to plain HTTP, keeps the application traffic encrypted even on a compromised WiFi link, so the real exposure is wherever TLS is missing, misconfigured or can be downgraded, plus whatever the browser stores locally. That is still a web-based PT EMR vulnerability you should not accept.
With Systems 4PT, PHI is accessed through a VPN (one of the mitigations US-CERT recommends). With this technology, unencrypted PHI is never stored on the therapist's computer: the PHI stays in our Data Center, and the therapist edits it remotely over the encrypted tunnel.
If you're using web-based PT EMR, the risks are amplified further. A leading web-based PT EMR advertises "Anywhere Access": "Any employee can access your PHI from any internet connected device, anywhere, anytime." The risks of this approach are unacceptable.
We discussed the unacceptable vulnerabilities of web-based PT EMR above: an attacker who is on your network can capture the stream of PHI. Those vulnerabilities multiply if employees (or attackers) can log in from ANY wireless network, on ANY computer, ANYWHERE, ANYTIME. This model invites the scenario where the vulnerable EMR is opened on an infected computer connected to an unprotected wireless network, and you, the practice owner, have absolutely no control over the process. You should not accept this risk.
With Systems 4PT, the practice owner decides which computers can access their PHI. Attacks are accelerating, and the "bad guys" get better every day. The bottom line: if you're using web-based PT EMR, we strongly advise against it. Systems 4PT is the leader in outpatient rehab cybersecurity. We don't use web-based navigation and don't put unencrypted PHI on your computer. Instead, we use a VPN and don't let "any employee access your PHI from any computer, anywhere, anytime." To be clear, we're not saying that your web-based PT EMR is not HIPAA compliant. We're saying that this type of software makes your practice vulnerable to attackers and a PHI data breach, and when that happens, you're the one who is out of compliance. Completely unacceptable.
Systems4PT Reduces Cyber Security Risks
KRACK is a flaw in how the WPA2 four-way handshake is implemented, mainly on client devices (laptops, tablets, phones) and, for some roaming features, on access points; it is fixed by a backward-compatible software patch, not by a new encryption protocol. Systems 4PT anticipates that the major router and device vendors will release patches for current hardware. Until every device on your network is patched, WiFi traffic is at risk, meaning attackers in radio range can eavesdrop on it and steal PHI from vulnerable devices that connect to the internet wirelessly.
Practice owners are civilly and criminally liable for any PHI data breach. US-CERT provided three suggestions to mitigate the problem while you wait for vendors to ship firmware and software updates:
- Update your router and every wireless client regularly and check for security patches. KRACK patches mostly land on the client side (the operating systems on your laptops, tablets and phones), so patching only the router is not enough. If you don't know how to update your router, search: How to update my [brand name, model #] router
- Stop using WiFi until your router and devices have been patched. This means connecting with Cat 5e or Cat 6 Ethernet cables and turning off the router's wireless radio. There's no question this option limits mobility, but it fixes the problem. For example, Systems 4PT's Technology Center does not use WiFi for business operations.
- Alternatively, a much less intrusive option is a Virtual Private Network (VPN), which encrypts your traffic independently of the WiFi link. Use one especially if you keep using WiFi, and especially in places where you don't control the wireless network.
Systems 4PT is not web-based. PHI is accessed over a VPN. This technology ensures unencrypted PHI is never stored on the therapist's computer; the PHI never leaves our Data Center (the therapist edits the secure data remotely). Fill out the form below to schedule a free demo and see for yourself how Systems4PT EMR protects your patient data and clinic reputation.