Strong Warning Issued to Hospitals by HHS About EHR Security 

Last year, the Department of Health & Human Services has issued a strong warning to U.S. hospitals, highlighting the growing cyber threats to healthcare. The Federal agency’s report on hospital cyber resiliency noted that the widespread adoption of health information technology, driven by the Health Information Technology for Economic and Clinical Health (HITECH) Act, the Affordable Care Act, and the 21st Century Cures Act, has expanded the healthcare industry’s vulnerability to cyberattacks. 

“Directly targeted ransomware attacks aimed to disrupt clinical operations are an outsized and growing cyber threat to hospitals,” HHS emphasized. “Ransomware is currently the largest threat to this sector and deserves immediate attention—especially considering the impact the nonavailability of services can have on patient care and safety.” 

Ransomware attacks are often combined with the theft of sensitive patient data. According to the HHS Cybersecurity Program, electronic health records (EHRs) are prime targets for cyberattacks because they contain valuable protected health information (PHI) such as names, social security numbers, geographic data, and biometrics. This data is highly profitable for cybercriminals and difficult to secure once exposed. 

Security Regulations Regarding EMR/EHR According to HIPAA

The HHS warning highlights significant vulnerabilities in healthcare information systems that expose organizations to ransomware attacks, data breaches, and other cyber threats. Healthcare providers must recognize these warnings as urgent calls to action rather than routine advisories. The implications extend beyond technical concerns: Inadequate EHR security creates legal liability, compromises patient care, and damages institutional reputation.

Common threats to EHR security include:

• Insider threats: Staff members who accidentally or intentionally misuse their access to patient records.
• Third-party risks: Vendors and business associates with access to systems but potentially inadequate security practices.
• Legacy systems: Outdated software and hardware that no longer receive security updates.
• Mobile device vulnerabilities: Unsecured smartphones and tablets used to access patient information.
• Cloud security gaps: Inadequate protection for data stored in cloud environments.
• Phishing attacks: Targeted campaigns designed to steal credentials from healthcare workers.
• Inadequate backup protocols: Insufficient or untested backup systems that fail during recovery scenarios.

These threats directly connect to HIPAA non-compliance when organizations fail to implement required safeguards. For example, a ransomware attack exploiting unpatched software represents a violation of the HIPAA Security Rule’s system protection requirements.

The financial consequences of these attacks can be severe. According to IBM’s 2024 Cost of a Data Breach Report, healthcare breaches cost organizations an average of $9.77 million. One example is the recent ransomware settlement involving Heritage Valley Health System, where the Office for Civil Rights imposed a $950,000 fine and required a corrective action plan. Incidents like this underscore the importance of robust cybersecurity measures to prevent breaches and reduce risks. 

Security regulations regarding EMR/EHR according to HIPAA include implementing reasonable and appropriate administrative, physical, and technical safeguards for protecting ePHI. The HIPAA Security Rule establishes specific mandates for protecting EHRs. It requires regulated entities to have:

• Administrative safeguards: Risk analysis, security management processes, workforce training, and contingency planning.
• Physical safeguards: Facility access controls, workstation security, and device/media controls.
• Technical safeguards: Access controls, audit controls, integrity controls, and transmission security.
• Organizational requirements: Business associate contracts and documentation requirements.
• Policies and procedures: Implementation of reasonable and appropriate security measures.

Healthcare organizations should conduct a comprehensive security risk assessment to identify vulnerabilities. Then they should develop a remediation plan that prioritizes critical gaps, updating security policies and procedures, implementing technical safeguards, and providing staff training on security protocols. Regular security audits help maintain ongoing compliance and adapt to emerging threats.

EHR Security Measures and Importance

Because EHRs are prime targets, security is increasingly important. EHR security encompasses specialized safeguards designed to protect ePHI within healthcare information systems. EHR security must address both the technical vulnerabilities of digital systems and the unique privacy requirements mandated by healthcare regulations.

The foundation of effective HIPAA EHR security rests on three core principles:

1. Confidentiality protects against unauthorized access to sensitive patient data.
2. Integrity maintains the accuracy and consistency of health records throughout their lifecycle.
3. Availability makes certain that authorized users can access critical information when needed for patient care.

Essential EHR Security Measures

These EHR security measures can help healthcare organizations protect patient data while meeting HIPAA requirements:

• Access controls: Role-based permissions that limit data access to authorized personnel based on job function and need-to-know basis.
• Authentication systems: Multi-factor authentication requiring multiple verification methods before granting system access.
• Encryption: Data encryption both at rest and in transit to protect information even if systems are breached.
• Audit trails: Comprehensive logging of all system activities to track who accessed records and what changes were made.
• Regular EHR security risk analysis: Systematic evaluation of security vulnerabilities and implementation of mitigation strategies.
• Backup and recovery: Regular data backups with tested recovery procedures to maintain availability during incidents.
• Physical safeguards: Restricted physical access to servers and workstations containing ePHI.
• Security awareness training: Ongoing education for all staff on security protocols and threat recognition.

EHR Privacy and Security Concerns

Data integrity and privacy represent distinct but interconnected aspects of EHR privacy and security concerns. Data integrity focuses on maintaining the accuracy and completeness of health records throughout their lifecycle: preventing unauthorized alterations, detecting corrupted data, and preserving the reliability of medical information.

Privacy centers on controlling who can access patient information and under what circumstances. Both elements require dedicated protection measures to maintain HIPAA compliance.

While encryption provides a critical layer of protection for EHR data, it cannot serve as a comprehensive security solution to EHR security breaches. Encrypted data remains vulnerable if access controls are weak, authentication systems are compromised, or insiders misuse their legitimate access privileges. Healthcare organizations must implement a multi-layered security approach that addresses the full spectrum of potential vulnerabilities to address EHR privacy and security issues.

Access controls, audit logs, and regular risk assessments work together to maintain both integrity and privacy of electronic health records. Access controls limit data exposure based on role and necessity. Audit logs create accountability by tracking all interactions with protected health information. Risk assessments identify emerging vulnerabilities before they can be exploited.

“The shift to the cloud has gained momentum because it reduces technical debt and improves security,” says Jaimie Fox, Senior Technology Strategist at Microsoft. “Cloud providers offer far greater security than individual hospitals, allowing healthcare providers and EHR vendors to securely move infrastructure while focusing on innovation and efficiency.” 

Many healthcare providers are increasingly recognizing the necessity to take advantage of the cloud’s advantages over traditional infrastructure. However, this shift raises a critical question: How can healthcare organizations protect mission-critical systems from cyber threats while ensuring they remain operational for patient care? 

Enhancing Cloud Based EHR Security

With growing cyber threats to EHR systems, healthcare organizations must adopt proven strategies for cyber resilience. Key methods include leveraging cloud-based security infrastructure, comprehensive risk mitigation, and integrating AI into security workflows to enhance readiness against attacks. 

With limited cybersecurity personnel, healthcare organizations have an opportunity to use the cloud to bolster their cybersecurity posture as well as address technical debt that plagues the majority of U.S. hospitals. While complying with federal, state, and local regulations is crucial, mitigating cybersecurity risks goes beyond just meeting compliance standards.  

“In cyber resilience, protecting data availability is as critical as ensuring its confidentiality and integrity,” says David Houlding, Microsoft’s Director of Global Healthcare Security and Compliance Strategy. “Healthcare organizations must also defend against breaches, insider threats, and third-party risks, which can cause severe disruptions, including system shutdowns.” 

The cloud’s flexibility and scalability enable the rapid integration of advanced, data-intensive technologies that help healthcare cybersecurity professionals strengthen security and empower clinicians to apply cutting-edge tools to patient care. 

“AI capabilities, which enhance productivity and reduce costs in EHR systems, are only achievable in a cloud environment,” notes Fox. “Traditional on-premises systems cannot support these advanced AI functions, limiting innovation and cutting-edge solutions in clinical care.” 

AI can also revolutionize healthcare cybersecurity by quickly identifying and responding to potential threats to data, systems, and applications.  

“With AI, security analysts can detect and respond to sophisticated attacks, such as phishing and spear phishing, which are now becoming more widespread and cheaper to execute due to attackers also using AI-driven automation,” says Houlding. “Additionally, AI can provide real-time guidance, helping security teams improve their skills on the job, making them better equipped to handle the rapidly evolving threat landscape.” 

As healthcare organizations transition to the cloud, balancing innovation with security is essential.  

Choosing the Right Cyber Resilience Partner 

By leveraging cloud-based security and AI-driven protections, healthcare providers can safeguard critical systems while driving clinical innovations in patient care. 

“Commvault is a trusted Microsoft partner and a key partner for healthcare organizations seeking true cloud cyber resilience on Azure. They have an unmatched track record, and as you’ve heard from our colleagues, their value proposition is unique and industry-leading, says Karen Cox, Global Healthcare Partner Strategy Leader at Microsoft. 

“Commvault is a leader and early participant in the Microsoft Copilot for Security Partner Program, using the latest technology to protect enterprises,” she continues. “Their solutions are fully integrated with Microsoft security, co-engineered with Microsoft, and adhere to Azure Protection Services standards. This makes Commvault an ideal partner for safeguarding healthcare applications and data, whether in the cloud or a hybrid environment.” 

Healthcare organizations can strengthen their recovery strategies against EHR attacks by leveraging Commvault Cleanroom Recovery, the only solution validated by the Enterprise Strategy Group for ensuring recovery into a guaranteed clean environment. With ransomware posing a top threat, a secure and auditable recovery plan is essential for resuming operations quickly and safely.  

By using Commvault’s advanced cyber resilience platform, healthcare organizations can recover quickly and safely without the risk of reinfection, protecting patient data and ensuring long-term operational security. Download our comprehensive guide to prepare your healthcare organization with practical steps and best practices for cyber recovery.