INFO-6061 – Health Systems Environments II
Group Assignment
Unit 2 & 3
Total Marks – 92
Weight – 20%
Due Date: Week 6 @ Weekly Course Schedule Date and Time
General Instructions:
Use correct APA citation formatting and referencing.
Use Microsoft PowerPoint or an alternative with default margin, line spacing, font color and size.
Remember to include a cover page and a reference page.
Please review the marking rubric to ensure that you have completed the assignment accordingly.
Scenario:
This is a GROUP Assignment.
There are two (2) components to this group assignment:
(I) Presentation
(II) e-Poster
You are a group of healthcare personnel working for a healthcare organization. Your Director of
Health Information just shared two reports on cybersecurity – one from the US and one from the UK
(see attachment in GA folder).
Upon reading the reports, your Director of Health Information is concerned about cybersecurity and
its impact on your organization. Your Director of Health Information would like you and your team
to develop a presentation and e-poster to share at the organization’s upcoming employee
professional development day. The Director of Health Information has asked that cybersecurity be
the main theme but focusing on risk management and the legality and ethics of digital healthcare.
However, given that you and your team members work in different departments of your campus-type healthcare organization, you will also focus on the specific practice areas of your expertise.
Instructions:
As a group, here are the instructions your Director of Health Information has provided:
1. Read the uploaded resources from HHS Cybersecurity Program and Panda Mediacenter via link
https://www.pandasecurity.com/en/mediacenter/security/5-pillars-security-nhs/
2. Identify one (1) practice area from your group members (family medicine, nursing, pharmacy,
dentistry, physiotherapy, diagnostics, etc.)
3. Compare and contrast the content based on the US and UK resources
4. Create a PRESENTATION with the following criteria:
Page 1 of 4
i) Describe your Canadian campus-style healthcare provider
ii) What findings are similar to your Canadian campus-style healthcare provider
iii) What findings are different – if any – to your Canadian campus-style healthcare provider
iv) Identify the relationship to one (1) of your group members' practice settings; ensure you identify the professional practitioner description of this practice setting.
v) Based on the selection of the practice setting and professional practitioner, describe a minimum of two (2) risks associated with the findings that are similar
vi) Based on the selection of the practice setting and professional practitioner, describe a minimum of two (2) risks associated with the findings that are different
vii) Based on the selection of the practice setting and professional practitioner, describe the legalization/regulation challenges associated with each risk from (v) and (vi)
viii) Based on the selection of the practice setting and professional practitioner, describe the ethical issues that could be impacted by the risks from (v) and (vi)
ix) For each of (v), (vi), and (vii), provide a minimum of two and a maximum of four strategies to mitigate these issues from occurring within the practice setting and professional practitioner chosen
x) From the presentations by your two chosen organizations, how can Health Systems Management graduates mitigate the risks identified and the legalization/regulation challenges?
This is a synchronous presentation that must be a minimum of three (3) and a maximum of five (5) minutes. You can choose to facilitate the presentation or present a pre-recorded presentation.
NOTE – Due to size limitations on uploading presentations to FOL, you can post the presentation to YouTube and upload a link for grading and presentation. In that case, you will share/upload your link to the submission folder/dropbox for grading and showcasing your presentation.
5. In addition to your presentation, you will create an e-poster with the critical items from your
presentation, which will be displayed within your organization during the professional
development day. The e-poster can be in flyer, brochure or handout format. You are to ensure
you use a balance of text and images/graphics and appropriate headings to communicate your
theme/purpose description, practice setting, professional practitioner, risks associated,
legalization/regulation challenges, ethical issues, strategies for each, and HSY graduate support.
6. You are to have a minimum of five (5) references.
Unit 2/3 Presentation Rubric @ 15%

Each CATEGORY is scored 4, 3, 2 or 1 (Points).

Effectiveness
4 – Project includes all material needed to gain a comfortable understanding of the topic.
3 – Project includes most material needed to gain a comfortable understanding of the material but is lacking one or two key elements.
2 – Project is missing more than two key elements.
1 – Project is lacking several key elements and has inaccuracies.

Sequencing of Information
4 – Information is organized in a clear, logical way. It is easy to anticipate the type of material that might be next.
3 – Most information is organized in a clear, logical way. One item of information seems out of place.
2 – Some information is logically sequenced. An occasional item of information seems out of place.
1 – There is no clear plan for the organization of information.

Originality
4 – Presentation shows considerable originality and inventiveness. The content and ideas are presented in a unique and interesting way.
3 – Presentation shows some originality and inventiveness. The content and ideas are presented in an interesting way.
2 – Presentation shows an attempt at originality and inventiveness.
1 – Presentation is a rehash of other people's ideas and/or graphics and shows very little attempt at original thought.

Spelling and Grammar
4 – Presentation has no misspellings or grammatical errors.
3 – Presentation has 1-2 misspellings, but no grammatical errors.
2 – Presentation has 1-2 grammatical errors but no misspellings.
1 – Presentation has more than 2 grammatical and/or spelling errors.

Use of Graphics
4 – All graphics are attractive (size and colors) and support the theme/content of the presentation.
3 – A few graphics are not attractive but all support the theme/content of the presentation.
2 – All graphics are attractive but a few do not seem to support the theme/content of the presentation.
1 – Several graphics are unattractive AND detract from the content of the presentation.

Sources (minimum 2)
4 – All sources (information and graphics) are accurately documented in the desired format.
3 – All sources (information and graphics) are accurately documented, but one is not in the desired format.
2 – All sources (information and graphics) are accurately documented, but two or more are not in the desired format.
1 – Some sources are not accurately documented.

Content categories (scored on the same scale):
Description of campus-style healthcare provider
Findings – similar
Findings – different
Practice and Professional Practitioner Explanation
Risk Associated
Legalization/regulation challenge
Ethical issue impacted
Strategies
HSY graduates support

Total Score: /60
Unit 2/3 ePoster Rubric @ 5%
Detailed Scoring Evaluation for Rubric

Each Area receives a Mark of 4 = Excellent/Exemplary, 3 = Good/Proficient, 2 = Fair/Partially Proficient, or 1 = Poor/Incomplete. The level-4 descriptors are:

Assignment Requirement
Each required criteria provided – as per guideline and CLEARLY found/seen/visual. Aligned and presented on e-poster.

Organization
Information is organized and has some whitespace between sections; poster does not look cramped and draws attention to main message; logical order of content.

Presentation and Graphics
Attractive in design, layout and neatness; easy to read; graphics and effects are relevant to service provider. Used illustrations or graphics in simple but prominent fashion; colors don't clash; flows well and identified important information first; avoided fonts that are difficult to read; used no more than three fonts.

Grammar and Mechanics
Capitalization and punctuation are correct throughout the poster; no grammatical errors; all pictures/graphs/graphics are captioned and labelled as required (source).

Content
Text is brief and focused; identified most important information; text is large enough to be visible from a distance; content is understandable when briefly viewed. e-Poster has theme, practitioner, practice setting, risk, legislation/regulation, ethical issues, strategies clearly identified.

Total Score: /32
Addendum to A136 Academic Integrity Policy – Pursuant to Fanshawe College’s A136 Academic
Integrity policy, the Health Systems Management program does not permit the use of any
unauthorized technology tools. Technology tools include, but are not limited to, calculators,
textbooks, translation tools, course notes and resources, search engines (e.g. Google), and
artificial intelligence applications (e.g. ChatGPT or any other similar/equivalent platform). The
unauthorized use of these technology tools in any academic deliverable will result in the
applicable penalties as per A136 Academic Integrity policy. This can be applied individually or
group capacity, dependent on the offence identified and resulting investigation and
verification.
Electronic Medical Records
in Healthcare
02/17/2022
TLP: WHITE, ID# 202202171300
Agenda
• What Is an EMR, and How Is It Used in Healthcare?
• Top EHR Software Used in Hospitals
• Benefits & Risks of Using EMR/EHR
• Why EMRs/EHRs Are Valuable to Cyber Attackers
• How Are EMR/EHRs Stored and Handled?
• EMR Compromised, Healthcare & Critical Industries Hacked
• Healthcare Industry Under Attack
• Healthcare Industry Under Attack, Part II
• Top Data Breaches of 2021
• Top Threats Against Electronic Medical & Health Records
• Costs of Data Breach
• Protecting EMR & EHR Data
• References
Slides Key:
Non-Technical: Managerial, strategic and high-level (general audience)
Technical: Tactical / IOCs; requiring in-depth knowledge (sysadmins, IRT)
What Is an EMR and How Is It Used in Healthcare? EMR vs EHR
Electronic medical records (EMRs) and electronic health records (EHRs) are often used interchangeably. An EMR allows the electronic entry, storage, and maintenance of digital medical data. An EHR contains the patient's records from doctors and includes demographics, test results, medical history, history of present illness (HPI), and medications. EMRs are part of EHRs and contain the following:
• Patient registration, billing, preventive screenings, or checkups
• Patient appointment and scheduling
• Tracking patient data over time
• Monitoring and improving overall quality of care
Figure: Electronic healthcare record process diagram
Top EMR/EHR Software Systems Used in Hospitals
Figure: Top 10 Inpatient EHR Vendors by Market Share (courtesy of Definitive Healthcare's HospitalView, June 2021)
Benefits and Risks of Using EMR/EHR
Some benefits of using electronic medical records and electronic health records are:
• Comprehensive patient-history records
• Makes patient data shareable
• Improved quality of care
• Convenience and efficiency
Some risks of using electronic medical records / electronic health records are:
The risks to EHRs relate primarily to a range of factors that include user-related issues, financial issues and design flaws that create barriers to using them as an effective tool to deliver healthcare services. EMR is also a top target in healthcare breaches.
Additional risks are as follows:
• Security or privacy issues
• Potentially vulnerable to hacking
• Data can be lost or destroyed
• Inaccurate paper-to-computer transmission
• Cause of treatment error
Why EMRs/EHRs Are Valuable to Cyber Attackers
EMRs/EHRs are valuable to cyber attackers because of the Protected Health Information (PHI) they contain and the profit that can be made from it on the dark web or black market. The 18 identifiers listed below give criminals more information than any other breached record. Extortion, fraud, identity theft, data laundering, hacktivism / promoting a political agenda, and sabotage are some of the ways cyber attackers use this data for profit.
HIPAA Protected Health Identifiers (PHI):
• Names
• Dates, except year
• Telephone numbers
• Geographic data
• FAX numbers
• Social Security numbers
• Email addresses
• Medical record numbers
• Account numbers
• Health plan beneficiary numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers including license plates
• Web URLs
• Device identifiers and serial numbers
• Internet protocol (IP) addresses
• Full face photos and comparable images
• Biometric identifiers (i.e. retinal scan, fingerprints)
• Any unique identifying number or code
Why EMRs/EHRs Are Valuable to Cyber Attackers, Part II
According to IBM, stolen healthcare data is the most valuable, as the graph below shows:
How EMRs/EHRs Are Stored and Handled
EMR / EHR data is stored on dedicated servers in specific, known physical locations.
EMR Compromised, Healthcare & Critical Industries Hacked
In 2020, at least 2,354 U.S. government agencies, healthcare facilities and schools were affected by a significant increase in ransomware. The cyber attacks caused significant disruption across the healthcare industry. Organizations impacted by these attacks are as follows:
• 113 federal, state and municipal governments and agencies
• 1,681 schools, colleges and universities
• 560 healthcare facilities
• Pennsylvania Health Services Company (operates 400 hospitals & healthcare facilities)
Healthcare Industry Under Attack
Healthcare data breaches have increased significantly. According to the HIPAA Journal’s 2020 Healthcare Data
Breach Report, the healthcare industry in 2020 had the third largest number of data breaches on record since
2009.
Healthcare Industry Under Attack, Part II
Entities With the Most Data Breaches (per HIPAA Journal):
Top Data Breaches of 2021
In 2021, HHS received reports of data breaches from 578 healthcare organizations, impacting more than
41.45 million individuals. The following list is of organizations with the most individuals affected in 2021:
• Florida Pediatric Health Pediatric Organization: 3.5 million
• Florida Vision Care Provider: 3.25 million
• Wisconsin Dermatologist: 2.41 million
• Texas Health Network: 1.66 million
• Indiana General Health Provider: 1.52 million
• Ohio Pharmacy Network: 1.47 million
• Georgia Health Network: 1.4 million
• Nevada University Health Center: 1.3 million
• New York Anesthesiologist: 1.27 million
• New York Medical Management Solutions Provider: 1.21 million
In January 2022, 38 organizations reported nearly 2 million individuals were impacted by data breaches.
Top Threats Against Electronic Medical & Health Records
• Phishing Attacks
• Malware & Ransomware Attacks
• Encryption Blind Spots
• Cloud Threats
• Employees
Phishing Attacks
A phishing attack is a type of social engineering attack in which the threat actor pretends to be a trusted source and tricks the target into opening an email or clicking a link, which reveals the target's login credentials or deposits malware.
You can protect EMRs/EHRs by doing the following:
• Educate healthcare professionals
• Do not click links within an email that do not match, or that have a TLD associated with suspicious sites
• Physicians should verify all EHR file-share requests before sending any data
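An added example, not from the HC3 brief, of how the "links that do not match" rule above can be checked automatically on the mail gateway before a message reaches a clinician: it parses the anchors in a constructed sample email and flags links whose visible text names a different site than the href, or whose destination TLD is on an assumed watch list (the sample message, domain names and watch-list TLDs are all constructed).

```python
"""Flag links in an HTML email whose visible text names one site while the href
points to another, or whose destination TLD is on a watch list. Added example;
the sample email and the watch-list TLDs are constructed/assumed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed watch list of TLDs the organization treats as suspicious (example values).
SUSPICIOUS_TLDS = {"zip", "top", "xyz", "click"}
# Visible link text that itself looks like a domain or URL (e.g. "portal.example.org").
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL, or of a bare domain given without a scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _same_site(a, b):
    """Compare the last two labels so mail.example.org and example.org agree."""
    return a.split(".")[-2:] == b.split(".")[-2:]


def check_email_links(html):
    """Return [(href, reason), ...] for every link that fails either rule."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if urlparse(href).scheme not in ("http", "https"):
            continue  # mailto:, tel: and relative links are out of scope here
        target = _host(href)
        tld = target.rsplit(".", 1)[-1]
        if tld in SUSPICIOUS_TLDS:
            findings.append((href, f"destination TLD .{tld} is on the watch list"))
        if DOMAIN_LIKE.match(text) and not _same_site(_host(text), target):
            findings.append((href, f"shown as {_host(text)} but points to {target}"))
    return findings


# Constructed sample: an honest link, a look-alike link, and a plain-text link.
SAMPLE_EMAIL = """
<p>Your EHR file-share request is ready.</p>
<a href="https://portal.example-hospital.org/share/123">portal.example-hospital.org</a>
<a href="http://ehr-login.attacker-example.top/">https://portal.example-hospital.org</a>
<a href="https://docs.example-hospital.org/policy">Read the sharing policy</a>
"""

if __name__ == "__main__":
    for href, reason in check_email_links(SAMPLE_EMAIL):
        print(f"FLAG {href}: {reason}")
```

The second sample link is reported twice, once for its watch-listed TLD and once because its visible text names the hospital portal while the href leads elsewhere.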
Malware and Ransomware Attacks
Malware enters a healthcare system's computer network through software vulnerabilities, encrypted traffic, downloads, and phishing attacks. The effect of each type of malware attack ranges from data theft to harming host computers and networks.
Ransomware is a type of malware that locks users out of their network, system or computer until the threat actor or hacker who launched the attack is paid to restore access to data, information, and files.
This could be dangerous for hospitals, healthcare facilities, and others who rely on EHRs or EMRs for up-to-date information to provide patient care.
Encryption Blind Spots
Data encryption protects and secures EMR/EHR data while it is being transferred between on-site users and external cloud applications; it also helps with HIPAA, FISMA, and Sarbanes-Oxley Act of 2002 compliance. Blind spots in encrypted traffic could pose a threat to healthcare IT because threat actors or hackers are able to use those blind spots to avoid detection, hide, and execute their targeted attack.
Cloud Threats
More healthcare organizations are using Cloud services to improve patient care, so there is an increasing
need to keep private data secure while complying with HIPAA.
Employees: Insider Threats
Insider threats apply across industries, including the health sector. It is recommended that your healthcare organization has a cybersecurity strategy and policy that is not only understood but followed and enforced. An effective strategy involves:
• Educating all healthcare partners and staff
• Enhancing administrative controls
• Monitoring physical and system access
• Creating workstation usage policies
o Auditing and monitoring system users
o Employing device and media controls
o Applying data encryption
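An added example (not from the HC3 brief) of the "auditing and monitoring system users" control: it runs two insider-snooping checks over a constructed EHR access audit log, chart views across department lines and an unusually high number of distinct charts opened within one hour. The column layout, the exempt-department list, the volume threshold and every sample row are assumptions.

```python
"""Two snooping checks over an EHR access audit log: chart views across
department lines and unusually many distinct charts opened within one hour.
Added example; the log layout, thresholds and sample rows are constructed."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Assumed audit-log columns; timestamps are ISO-8601 local time.
HEADER = "timestamp,user,user_dept,patient_id,patient_dept,action"
# Assumed: billing staff legitimately touch charts from every department.
CROSS_DEPT_ALLOWED = {"billing"}
DISTINCT_CHARTS_PER_HOUR = 10  # assumed volume threshold

# Constructed sample: normal nursing views, billing lookups, one radiology
# tech reading an oncology chart, a nurse reading a cardiology chart, and a
# physician opening 12 different charts in 12 minutes.
SAMPLE_LOG = "\n".join([
    HEADER,
    "2022-02-17T08:01:00,nurse_a,oncology,P1001,oncology,view",
    "2022-02-17T08:03:00,nurse_a,oncology,P1002,oncology,view",
    "2022-02-17T08:10:00,clerk_b,billing,P1003,cardiology,view",
    "2022-02-17T08:11:00,clerk_b,billing,P1004,oncology,view",
    "2022-02-17T08:20:00,tech_d,radiology,P1005,oncology,view",
    "2022-02-17T08:25:00,nurse_a,oncology,P1006,cardiology,view",
] + [f"2022-02-17T09:{m:02d}:00,phys_c,cardiology,P2{m:03d},cardiology,view"
     for m in range(12)])


def parse_log(text):
    """Parse CSV audit rows and attach a datetime under the key 'ts'."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def cross_department_access(rows):
    """(user, patient_id) pairs where a non-exempt user viewed a chart from
    another department, i.e. with no obvious treatment relationship."""
    hits = {(r["user"], r["patient_id"]) for r in rows
            if r["action"] == "view"
            and r["user_dept"] != r["patient_dept"]
            and r["user_dept"] not in CROSS_DEPT_ALLOWED}
    return sorted(hits)


def high_volume_access(rows, limit=DISTINCT_CHARTS_PER_HOUR):
    """Users who opened more than `limit` distinct charts in any sliding
    one-hour window."""
    by_user = defaultdict(list)
    for r in rows:
        if r["action"] == "view":
            by_user[r["user"]].append((r["ts"], r["patient_id"]))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > timedelta(hours=1):
                start += 1  # drop events older than an hour from the window
            if len({pid for _, pid in events[start:end + 1]}) > limit:
                flagged.add(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("cross-department views:", cross_department_access(log))
    print("high-volume users:", high_volume_access(log))
```

Both checks are deliberately narrow: a real monitoring rule would also consult the treatment relationship (admitting team, consults, orders) before treating a cross-department view as suspicious.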
Costs of Data Breach
Data breaches targeting EMRs/EHRs have been costly for the healthcare industry. According to IBM, the average cost per incident in 2021 was $9.3 million, and there were 40 million patient records compromised.
HIPAA developed four tiers of penalties for failure to protect PHI:
First Tier: $100-$50K per incident (up to $1.5M)
Second Tier: $1,000-$50K per incident (up to $1.5M)
Third Tier: $10,000-$50,000 per incident (up to $1.5M)
Fourth Tier: at least $50,000 per incident (up to $1.5M)
Protecting EMR & EHR Data
Here are a few strategies that healthcare leaders should consider to strengthen their organization’s cyber
posture:
• Evaluate risk before an attack
• Use VPN with multifactor authentication (MFA)
• Develop an endpoint hardening strategy
• Endpoint Detection and Response (EDR)
• Protect emails and patient health records
• Engage Cyber Threat Hunters
• Conduct red team / blue team exercises
• Moving beyond prevention
Protecting EMR & EHR Data – Evaluate Risk Before an Attack
Healthcare leaders should understand where operational vulnerabilities exist in their organization, from marketing
all the way down to critical health records. By understanding the scope of the task at hand, management and
other healthcare leaders can create a preparedness plan to address any weaknesses in digital infrastructure.
Protecting EMR & EHR Data – Use VPN with MFA
Leaders in the healthcare industry should consider developing a strategy to combat ransomware that targets
Remote Desktop Protocol (RDP) and other applications that face the Internet.
Healthcare leaders should also consider adding a VPN with multifactor authentication to avoid exposing their RDP, and prioritize patching for vulnerabilities in the VPN platform and other applications.
Protecting EMR & EHR Data – Develop Endpoint Hardening Strategy with EDR
Developing an endpoint hardening strategy gives healthcare leaders the ability to harden their digital infrastructure with multiple defense layers at various endpoints. This strategy also detects and contains an attack before it can reach patient medical records or other sensitive information. Endpoint Detection and Response (EDR) should also be added to detect and mitigate cyber threats.
Protecting EMR & EHR Data – Emails & Patient Health Records
It is imperative that patient health records and emails are protected. In addition to threat actors using Remote Desktop Protocol (RDP) to gain access, HIVE ransomware uses malicious files attached to phishing emails to gain access to health records and company systems.
Email security software with URL filtering and attachment sandboxing is recommended as a mitigation strategy.
Protecting EMR & EHR Data – Engage Cyber Threat Hunters
Threat hunting is a proactive practice that finds threat actors or hackers who have infiltrated a network’s initial
endpoint security defenses.
This type of human threat detection capability operates as an extension of the organization’s cyber team that will
track, prevent, or even stop potential cyber attacks on an organization.
Protecting EMR & EHR Data – Conduct Red Team / Blue Team Exercises
Red and blue team exercises are essentially a face-off between two teams of highly trained cybersecurity professionals:
• Red Team uses real-world adversary tradecraft to compromise the environment.
• Blue Team consists of incident responders who work within the security unit to identify, assess and respond to the intrusion.
These exercises are imperative to understanding issues with an organization's network, vulnerabilities and other possible security gaps.
Protecting EMR & EHR Data – Moving Beyond Prevention
It is recommended that healthcare leaders shift their focus by moving beyond a prevention strategy and creating a
proactive preparedness plan.
This helps the organization understand vulnerabilities in its current network landscape and provides the guidance needed for a framework that will be effective in identifying and preventing attacks, which is key to protecting EMRs/EHRs, along with access to vital patient data.
References
• Duffin, Sonya. "Top 10 Cybersecurity Best Practices to Combat Ransomware," Threat Post. November 12, 2021. https://threatpost.com/cybersecurity-best-practices-ransomware/176316/.
• Green, Jeff. "Disadvantages of EHR systems – dispelling your fears," EHR Knowledge Zone. August 15, 2019. https://www.ehrinpractice.com/ehr-system-disadvantages.html.
• "What are the Consequences of a Medical Record Breach," American Retrieval. September 22, 2020.
• O'Connor, Stephen. "Top 5 Risks You May Encounter After an EHR Software Implementation," Advanced Data Systems Corporation. January 31, 2017. https://www.adsc.com/blog/top-5-risks-you-may-encounter-after-an-ehr-software-implementation.
• Marchesini, Kathryn; Massihi, Ali. "4 Ways Using the HHS Security Risk Assessment Tool Can Help Your Organization," Health IT Buzz. October 30, 2019. https://www.healthit.gov/buzz-blog/privacy-and-security-of-ehrs/4-ways-using-the-hhs-security-risk-assessment-tool-can-help-your-organization.
• "2020 Healthcare Data Breach Report: 25% Increase in Breaches in 2020," HIPAA Journal. January 19, 2021. https://www.hipaajournal.com/2020-healthcare-data-breach-report-us/.
• "Programs/Electronic Medical Records (EMR)," MedixOnline. May 21, 2021. https://medixonline.ca/programs/electronic-medical-records-emr/.
• Luyer, Eric M. "Cybersecurity Risks in Medical Devices Are Real," MedTech Intelligence. February 23, 2017. https://www.medtechintelligence.com/feature_article/cybersecurity-risks-medical-devices-real/.
• Cepero, Robert. "How Hospitals Can Protect Their EMR Data," Bleuwire. December 16, 2020. https://bleuwire.com/how-hospitals-can-protect-their-emr-data/.
• Vaidya, Anuja. "5 ways U.S. hospitals can protect against 'imminent' ransomware threat," MedCityNews. October 29, 2020. https://medcitynews.com/2020/10/5-ways-u-s-hospitals-can-protect-against-imminent-ransomware-threat/.
• "Understanding EMR vs. EHR," NextGen Healthcare. July 19, 2019. https://nextgen.com/insights/emr-vs-ehr/emr-vs-ehr.
• "Why is PHI Valuable to Criminals?," Compliancy Group. November 16, 2020. https://compliancy-group.com/why-is-phi-valuable-to-criminals/.
• Taylor, Tori. "Hackers, Breaches, and the Value of Healthcare Data." December 8, 2021. https://www.securelink.com/blog/healthcare-data-new-prize-hackers/.
• Adams, Katie. "10 Biggest Patient Data Breaches in 2021," Becker Hospital Review. December 7, 2021. https://www.beckershospitalreview.com/cybersecurity/10-biggest-patient-data-breaches-in-2021.html.
• "Costs of a Data Breach Report 2021," IBM Security. July 28, 2021. https://www.ibm.com/downloads/cas/OJDVQGRY#:~:text=Healthcare%20organizations%20experienced%20the%20highest,industries%2C%20and%20year%20over%20year.
• Deford, Drex. "Under Siege: How Healthcare Organizations Can Fight Back," CPO Magazine. November 25, 2021. https://www.cpomagazine.com/cyber-security/under-siege-how-healthcare-organizations-can-fight-back/.
• Kumar, S. Rakesh; Gayathri, N.; Muthuramalingam, S.; Balamurugan, B.; Ramesh, C.; Nallakaruppan, M.K. "Medical Big Data Mining and Processing in e-Healthcare," Internet of Things in BioMedical Engineering. November 1, 2019. https://www.sciencedirect.com/topics/engineering/electronic-health-record.
• "What Is An EMR? About EMR Systems – Electronic Medical Records," Healthcare IT Skills. January 5, 2020. https://healthcareitskills.com/what-is-an-emr-ehr/.
• "The 10 Most Common Inpatient EHR Systems by 2021 Market Share," Definitive Healthcare.
• Zelinska, Solomija. "Which Types of EMR/EHR Systems are the Best for Your Business," Empeek. March 5, 2021. https://empeek.com/which-types-of-emr-ehr-systems-are-the-best-for-your-business/.
Questions
Upcoming Briefs
• 3/3 – Healthcare Cybersecurity: 2021 Year-in-Review /
A Look Forward to 2022
Product Evaluations
Recipients of this and other Healthcare Sector
Cybersecurity Coordination Center (HC3) Threat
Intelligence products are highly encouraged to provide
feedback. If you wish to provide feedback, please
complete the HC3 Customer Feedback Survey.
Requests for Information
Need information on a specific cybersecurity
topic? Send your request for information
(RFI) to HC3@HHS.GOV.
Disclaimer
These recommendations are advisory and are
not to be considered as Federal directives or
standards. Representatives should review and
apply the guidance based on their own
requirements and discretion. HHS does not
endorse any specific person, entity, product,
service, or enterprise.
About Us
HC3 works with private and public sector partners to improve cybersecurity throughout the Healthcare and Public Health (HPH) Sector.
Products
Sector & Victim Notifications – Direct communications to victims or potential victims of compromises, vulnerable equipment or PII/PHI theft, as well as general notifications to the HPH about current impacting threats via the HHS OIG.
White Papers – Document that provides in-depth information on a cybersecurity topic to increase comprehensive situational awareness and provide risk recommendations to a wide audience.
Threat Briefings & Webinar – Briefing presentations that provide actionable information on health sector cybersecurity threats and mitigations. Analysts present current cybersecurity topics, engage in discussions with participants on current threats, and highlight best practices and mitigation tactics.
Need information on a specific cybersecurity topic, or want to join our Listserv? Send your request for information (RFI) to HC3@HHS.GOV, or visit us at www.HHS.Gov/HC3.
Contact
www.HHS.GOV/HC3
HC3@HHS.GOV