We often hear that if an office uses a cloud based EMR (rather than having a server in the office), that they don’t need to worry about HIPAA anymore. The reasoning is that since all of the data is no longer in the office and is stored on the cloud provider’s servers, that the office will no longer ePHI in their office.
Unfortunately, there are many reasons why this isn’t true. But for this week’s cartoon, we will illustrate just a single reason.
If an employee of an office were to get a phishing email that contained a malicious link and they clicked on the link, then that computer could be taken over by a remote attacker. Once the attacker had access to that computer, he would also have access to the cloud-based EMR. From there, it’s a simple task to steal all of the data.
In this scenario, who was breached? The EMR vendor? No, because their security is intact. It was an authorized user account from the physician’s office that accessed the data. In this case, it is the physician’s office.
HIPAA regulations don’t stop just because the data has moved to the cloud. Covered Entities and Business Associates still must do what is reasonable and appropriate to protect that data. Phishing attacks are one of the most common forms of attacks and they are also one of the hardest to guard against. It takes training of your staff and good protection in place to mitigate this risk.
This type of attack has been used in some big name breaches such as the Peachtree Orthopedics breach in 2016.