[UPDATED: January 2025]
IT systems in a healthcare setting need to ensure that physicians and other providers can care for patients safely and effectively. Electronic health record (EHR) systems used by these providers have improved the delivery of care with more complete patient records, reduced prescribing errors, and improved diagnoses and preventive care. Data analytics and medication tracking also bring new efficiencies and opportunities that are not possible with paper-based charting. However, this reliance on technology poses a potential patient-safety issue if the device running a critical application such as an EHR becomes unusable. Delayed patient care due to a cyberattack can lead to poor outcomes and put patients at risk.
Protecting the endpoint devices that providers use, from tablets, laptops, and office computers to the shared workstations in exam rooms, patient rooms, and nursing stations, is therefore essential.
In recent years, threat actors, phishing campaigns, and ransomware incidents have increasingly disrupted the delivery of care. The Department of Health and Human Services (HHS) logged 2024 as a record year for data breaches: as of December 2024, HHS had posted 677 major health data breaches affecting more than 182 million people.
Beyond the impact on patient care when providers can’t access their systems, there are also significant financial impacts. An infiltration of ransomware can result in a healthcare organization paying hundreds of thousands of dollars, with downtime costs adding five to ten times that amount. Potential fines for a breach are also substantial. HHS has established four penalty tiers for failure to protect PHI:
Despite these penalties, 2024 was a record year for data breaches, including the highly publicized Change Healthcare breach, which affected more than 100 million people.
These trends have prompted a proposal for the first revision of the HIPAA security rule in over 12 years. The last time the rule was updated was in 2013 as part of the Omnibus Final Rule.
The proposed updates require greater specificity for conducting risk analysis and reporting for security incidents. The most impactful of the changes on the physician endpoint are mandates for new security controls. They include:
More information on the proposed changes can be found on the December 27, 2024, fact sheet issued by HHS.
With increased threats and new HIPAA regulations looming, it is critical to use up-to-date security strategies to protect physician and other provider endpoints. This can start with endpoint detection and response (EDR).
Many EHR vendors build administrative and technical safeguards into their applications, such as account lockouts and password complexity rules. The EHR cannot, however, protect the operating system it runs on, and the operating system is what malware targets. EDR covers that layer and is the control that satisfies the proposed anti-malware requirement.
Malware today changes rapidly to evade signature-based detection, and a single missed sample can end in ransomware, so the endpoint needs protection that does not depend on having seen a strain before. EDR records process, file, registry, and network activity on the endpoint and applies behavioral analytics, often cloud-assisted and machine-learning based, to flag anomalies such as a process encrypting files en masse or a binary launched from a user's temp folder. That is how it catches polymorphic strains whose hashes appear on no signature list. On detection, EDR can isolate the host from the network, terminate the process, quarantine the files, and in some products roll back the changes, which keeps the infection from spreading across the network. Physicians and other providers then see at most a brief interruption rather than a multi-day outage, and business and clinical systems stay protected.
EDR provides the protection needed in today’s threat landscape and can meet these proposed HIPAA security requirements.
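To make the difference between signature matching and behavioral detection concrete, the following is an added example, not code from the original article or from any EDR product. It runs two checks over a handful of constructed file-rename events (made-up host paths, user, process IDs and truncated hashes): a hash lookup against a known-bad list, and a behavioral rule that flags any process that changes the extension of many files in a short window. The thresholds are assumptions; a real agent would tune them and act on the result.

```powershell
# Added example, not code from the original article or from any EDR product. The telemetry
# below is constructed (made-up host paths, user, process IDs and truncated hashes): one
# file-rename event per line, of the kind an EDR agent records.

$sampleEvents = @(
    # pid 4120: an unknown binary in the user's Temp folder renames five patient files to .locked in 2 s
    't=09:01:02 pid=4120 image=C:\Users\drlee\AppData\Local\Temp\upd8.exe sha256=a1c3e5 op=rename src=C:\Clinic\notes\pt-0001.docx dst=C:\Clinic\notes\pt-0001.docx.locked'
    't=09:01:02 pid=4120 image=C:\Users\drlee\AppData\Local\Temp\upd8.exe sha256=a1c3e5 op=rename src=C:\Clinic\notes\pt-0002.docx dst=C:\Clinic\notes\pt-0002.docx.locked'
    't=09:01:03 pid=4120 image=C:\Users\drlee\AppData\Local\Temp\upd8.exe sha256=a1c3e5 op=rename src=C:\Clinic\notes\pt-0003.pdf dst=C:\Clinic\notes\pt-0003.pdf.locked'
    't=09:01:03 pid=4120 image=C:\Users\drlee\AppData\Local\Temp\upd8.exe sha256=a1c3e5 op=rename src=C:\Clinic\notes\pt-0004.xlsx dst=C:\Clinic\notes\pt-0004.xlsx.locked'
    't=09:01:04 pid=4120 image=C:\Users\drlee\AppData\Local\Temp\upd8.exe sha256=a1c3e5 op=rename src=C:\Clinic\notes\pt-0005.docx dst=C:\Clinic\notes\pt-0005.docx.locked'
    # pid 2210: the EHR client legitimately renames two export files from .tmp, 22 s apart
    't=09:15:40 pid=2210 image=C:\Program Files\EHRClient\ehr.exe sha256=77bd01 op=rename src=C:\Clinic\export\visit.tmp dst=C:\Clinic\export\visit.xml'
    't=09:16:02 pid=2210 image=C:\Program Files\EHRClient\ehr.exe sha256=77bd01 op=rename src=C:\Clinic\export\labs.tmp dst=C:\Clinic\export\labs.csv'
)

function ConvertFrom-RenameEvent {
    # Parses one constructed telemetry line into an object with the fields the rules need.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    begin { $pattern = '^t=(?<t>\S+) pid=(?<pid>\d+) image=(?<image>.+?) sha256=(?<hash>\S+) op=(?<op>\S+) src=(?<src>.+?) dst=(?<dst>.+)$' }
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Time   = [TimeSpan]$Matches['t']
                Pid    = [int]$Matches['pid']
                Image  = $Matches['image']
                Sha256 = $Matches['hash']
                Op     = $Matches['op']
                SrcExt = [IO.Path]::GetExtension($Matches['src'])
                DstExt = [IO.Path]::GetExtension($Matches['dst'])
            }
        }
    }
}

function Find-KnownBadHash {
    # Signature-style check: only catches builds that have already been seen and hashed.
    param([Parameter(Mandatory)][object[]]$Events, [Parameter(Mandatory)][string[]]$KnownBad)
    $Events | Where-Object { $KnownBad -contains $_.Sha256 } |
        Select-Object -Property Pid, Image, Sha256 -Unique
}

function Find-MassRename {
    # Behavioural rule: one process changing the extension of $MinRenames or more files
    # within $WindowSeconds, regardless of what the binary hashes to.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinRenames = 5,       # assumed threshold
        [int]$WindowSeconds = 10    # assumed window
    )
    $Events |
        Where-Object { $_.Op -eq 'rename' -and $_.SrcExt -ne $_.DstExt } |
        Group-Object -Property Pid |
        ForEach-Object {
            $run  = @($_.Group | Sort-Object -Property Time)
            $span = ($run[-1].Time - $run[0].Time).TotalSeconds
            if ($run.Count -ge $MinRenames -and $span -le $WindowSeconds) {
                [pscustomobject]@{
                    Pid           = [int]$_.Name
                    Image         = $run[0].Image
                    Renames       = $run.Count
                    SourceTypes   = (@($run.SrcExt | Sort-Object -Unique) -join ',')
                    NewExtension  = (@($run.DstExt | Sort-Object -Unique) -join ',')
                    WindowSeconds = $span
                }
            }
        }
}

$events   = $sampleEvents | ConvertFrom-RenameEvent
$knownBad = @('0b9e44')   # constructed: hash of an earlier build of the same family; this build was recompiled
'Known-bad hash matches: {0}' -f @(Find-KnownBadHash -Events $events -KnownBad $knownBad).Count
Find-MassRename -Events $events | Format-Table -AutoSize
```

With the constructed events, the hash check finds nothing, because the recompiled build's hash is not on the list, while the behavioral rule returns only pid 4120: five extension-changing renames in two seconds across .docx, .pdf and .xlsx files. The EHR client's two .tmp renames 22 seconds apart stay under both thresholds, which is the point of requiring volume and speed rather than a single extension change. In a real deployment the rule's output would trigger network isolation of the host and process termination rather than a table.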
Penetration testing (“pen testing”) is a critical component of securing physician endpoints, ensuring that vulnerabilities within the system are identified and mitigated before malicious actors can exploit them. By simulating real-world cyberattacks, pen tests help to reveal weaknesses in the network, applications, and device configurations that could be leveraged to gain unauthorized access to sensitive patient information.
By conducting regular pen tests, healthcare organizations can stay ahead of emerging threats and continuously improve their security strategies, providing a safer environment for both providers and patients.
Because running a meaningful pen test requires specialized skills that most practices do not keep in house, engaging a managed service provider (MSP) or managed security services provider (MSSP) is often the practical route. The scope should include the provider endpoints themselves and every remote-access path into the EHR, and findings should be retested after the fixes land. MSPs and MSSPs can also provide continuous monitoring and cost-effective solutions with a measurable return on investment.
Full-disk encryption keeps the data on a lost or stolen computer unreadable as long as the device is powered off or locked: without the key, the drive holds only ciphertext. Consequently, even if the computer is lost or stolen, patient information remains secure. Two caveats matter in practice. Encryption at rest does nothing against an attacker who reaches a running, unlocked session, so it complements rather than replaces EDR and MFA. And the recovery key must be escrowed (to Active Directory, Entra ID, or the MDM) before a device is issued, or a forgotten PIN or a firmware update that trips BitLocker recovery locks the physician out. Tools such as Microsoft BitLocker maintain encryption at rest on Windows physician endpoints, which is one reason encryption at rest is included in the proposed HIPAA requirements for securing ePHI.
BitLocker encrypts the volume with AES (XTS-AES-128 by default, XTS-AES-256 available by policy) and seals the volume key to the TPM, so the drive unlocks only on its own hardware with an unmodified boot chain; adding a PIN (TPM+PIN) means a stolen laptop cannot even boot to the logon screen. BitLocker can also delegate encryption to a self-encrypting drive, but Windows has defaulted to software encryption since 2019 after researchers found bypassable encryption in several drives' firmware, so prefer software encryption unless the specific drive has been vetted.
For Mac users, FileVault is Apple's equivalent. It encrypts the whole volume with XTS-AES-128 and a 256-bit key, and on Macs with Apple silicon or the T2 chip the keys are protected by the Secure Enclave. Like BitLocker, FileVault is built into macOS, so it is simple to enable, and MDM can enforce it and escrow the recovery key.
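The following is an added example, not code from the original article or from Microsoft, showing the two halves of the BitLocker work just described: an audit that reports every volume against the expectations above (protection on, fully encrypted, XTS-AES, a recovery password to escrow, and TPM+PIN on the OS volume), and a remediation function that enables a compliant configuration. The accepted methods and the "require PIN" policy are assumptions to set to your own standard. It needs an elevated PowerShell session with the BitLocker module (Windows 10 or 11).

```powershell
# Added example, not code from the original article or from Microsoft. Audits BitLocker
# state on a Windows endpoint and, separately, enables a compliant configuration. Requires
# an elevated session and the BitLocker module. The accepted encryption methods and the
# -RequirePin policy below are assumptions; set them to your own standard.

function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param(
        [string[]]$AcceptedMethods = @('XtsAes128', 'XtsAes256'),  # XTS-AES, the Windows 10+ default family
        [switch]$RequirePin                                       # demand TPM+PIN (pre-boot auth) on the OS volume
    )
    $tpm = Get-Tpm
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $findings   = New-Object System.Collections.Generic.List[string]

        if ([string]$vol.ProtectionStatus -ne 'On')                { $findings.Add("protection is $($vol.ProtectionStatus)") }
        if ([string]$vol.VolumeStatus -ne 'FullyEncrypted')        { $findings.Add("volume is $($vol.VolumeStatus)") }
        if ([string]$vol.EncryptionMethod -notin $AcceptedMethods) { $findings.Add("method is $($vol.EncryptionMethod)") }
        if ($protectors -notcontains 'RecoveryPassword')           { $findings.Add('no recovery password protector to escrow') }

        if ([string]$vol.VolumeType -eq 'OperatingSystem') {
            if (-not $tpm.TpmReady)                                   { $findings.Add('TPM not ready') }
            if ($RequirePin -and ($protectors -notcontains 'TpmPin')) { $findings.Add('no TPM+PIN protector (no pre-boot authentication)') }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = [string]$vol.VolumeType
            Method     = [string]$vol.EncryptionMethod
            Protectors = ($protectors -join ',')
            Compliant  = ($findings.Count -eq 0)
            Findings   = ($findings -join '; ')
        }
    }
}

function Enable-CompliantBitLocker {
    # Recovery password first (so the volume is always recoverable), then XTS-AES-256 with
    # TPM+PIN, then escrow of the recovery password to Entra ID. TPM+PIN is only permitted when
    # the "Require additional authentication at startup" policy is enabled; escrow needs an
    # Entra-joined device. Run with -WhatIf to see the steps without changing anything.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    if ($PSCmdlet.ShouldProcess($MountPoint, 'Enable BitLocker (XtsAes256, TPM+PIN, escrowed recovery password)')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmAndPinProtector -Pin $Pin -SkipHardwareTest | Out-Null
        (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { [string]$_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId }
    }
}

Get-BitLockerComplianceReport -RequirePin | Format-Table -AutoSize
# Enable-CompliantBitLocker -Pin (Read-Host -AsSecureString 'Pre-boot PIN') -WhatIf
```

The report is the piece to run fleet-wide from your RMM or Intune: a volume whose Findings column is empty is the only acceptable state, and "no recovery password protector to escrow" is the finding to fix first, since it is the one that turns a routine BIOS update into a locked-out physician. The remediation function is deliberately gated behind ShouldProcess so it can be reviewed with -WhatIf before it touches a production laptop.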
MFA is one of the most effective means of preventing account compromise because it requires two or more independent factors: something you know (a password), something you have (a security key or authenticator app), and something you are (a fingerprint). Not all second factors are equal. Phishing-resistant methods such as FIDO2 security keys or smart cards withstand the real-time phishing and push-fatigue attacks that defeat SMS codes and simple approve/deny prompts, and they should be the target for any account that can reach ePHI.
Some EHR vendors do not implement MFA inside the application and instead rely on MFA at the layer in front of it, such as the Windows logon, the VPN, or a remote-access gateway. With the new security rules proposed, more vendors may close this gap, which would improve protection of patient data and simplify HIPAA compliance.
Testimony before the United States Congress in 2024 indicated that the Change Healthcare breach began with compromised credentials used on a remote-access portal that did not have MFA enabled. That is likely why MFA appears, with limited exceptions, in the proposed HIPAA security rule change.
The rationale for this change is that every installed program carries its own vulnerabilities and its own patching burden. Removing software nobody uses shrinks the attack surface and removes vulnerabilities you would otherwise have to track. This does not imply the software is inherently bad, but if it is not needed for the role, it adds risk without adding value, which is why the proposed updates to the HIPAA security rule require removing unneeded software. An inventory of what is actually installed, compared against an approved baseline for the role, is the starting point.
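As an added example (not code from the original article), the script below builds that inventory from the Windows registry Uninstall keys, which is where both 64-bit and 32-bit installers register themselves, and reports anything not matched by an approved list. The baseline patterns are assumptions standing in for a clinic's own.

```powershell
# Added example, not code from the original article. Inventories installed software on a
# Windows endpoint from the registry Uninstall keys and reports anything not on an approved
# list. The approved patterns at the bottom are assumptions; replace them with your baseline.

function Get-InstalledSoftware {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs of the current user
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.SystemComponent -ne 1 } |   # skip hidden system components
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString |
        Sort-Object DisplayName -Unique
}

function Find-UnapprovedSoftware {
    # Returns every installed entry whose DisplayName matches none of the -like patterns.
    param(
        [Parameter(Mandatory)][string[]]$ApprovedPatterns,
        [object[]]$Installed = (Get-InstalledSoftware)
    )
    foreach ($app in $Installed) {
        $approved = $false
        foreach ($pattern in $ApprovedPatterns) {
            if ($app.DisplayName -like $pattern) { $approved = $true; break }
        }
        if (-not $approved) { $app }
    }
}

# Assumed clinic baseline: OS components, the EHR client, the EDR agent, a PDF reader.
$baseline = @(
    'Microsoft Edge*', 'Microsoft Visual C++*', 'Microsoft Update Health Tools',
    'Windows *', 'EHR Client*', 'Endpoint Agent*', 'Adobe Acrobat*'
)
Find-UnapprovedSoftware -ApprovedPatterns $baseline |
    Sort-Object Publisher, DisplayName |
    Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize
```

Everything the report lists is either a candidate for removal or a candidate for the baseline; the UninstallString column gives you the command to run for the former. Running the same script periodically and diffing the results also catches software that appears after the baseline was set, which is how unneeded software usually creeps back.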
Another strategy to protect physician endpoints and meet the proposed requirements is a virtual desktop solution such as Azure Virtual Desktop or Amazon WorkSpaces. These run the Windows desktop on hosts in the cloud or in a secure datacenter; the physician's device only renders the session over an encrypted connection, so the EHR and patient records can be reached from the clinic, from home, or on the road using a minimal endpoint. Keeping the data off the local PC or laptop removes the risks that come with storing it there.
For example, if a physician's laptop is stolen, no patient data is on the machine, because the data never left the session host. The physician connects from another device and resumes work without a breach to report. This holds only if the session is configured so data cannot leave it: clipboard, drive, printer, and USB redirection disabled, and local caching and screen capture controlled by policy. With drive redirection left on, a user can save a chart straight to the laptop and the advantage is gone.
Azure Virtual Desktop and Amazon WorkSpaces also bring the security of the cloud platform together with software-defined networking, so the session hosts can be isolated from everything except the EHR back end and the identity provider.
Cloud security features such as encryption, network isolation, and continuous monitoring help protect patient data from unauthorized access, provided they are actually enabled and reviewed rather than assumed.
In addition to increased security, a Windows virtual desktop solution offers potential cost savings. Since processing is done on a remote server, it doesn’t require a powerful local machine to run applications such as the EHR. The virtual desktop can be deployed quickly and facilitate secure remote access.
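The redirection caveat above is a configuration check, so here it is as an added example, not code from the original article, Microsoft or AWS. It parses the custom RDP properties of an Azure Virtual Desktop host pool, reports each channel that could carry session data onto the local device, and produces the hardened property string; a final, commented-out call applies it. The resource group and host pool names are assumptions, and applying the change needs the Az.DesktopVirtualization module with a signed-in session (Connect-AzAccount).

```powershell
# Added example, not code from the original article, Microsoft or AWS. Checks an Azure Virtual
# Desktop host pool's custom RDP properties for redirections that move data out of the session
# and builds the hardened string. Resource names are assumptions; Update-AzWvdHostPool needs
# the Az.DesktopVirtualization module and Connect-AzAccount.

# Redirections that move data out of the session, and the value that disables each one.
$requiredRedirection = [ordered]@{
    'redirectclipboard'    = 'i:0'   # clipboard
    'drivestoredirect'     = 's:'    # local drives (empty list = none; '*' = all)
    'redirectprinters'     = 'i:0'   # printers
    'usbdevicestoredirect' = 's:'    # USB devices
    'camerastoredirect'    = 's:'    # cameras
    'redirectcomports'     = 'i:0'   # serial ports
}

function ConvertFrom-RdpProperty {
    # 'name:type:value;name:type:value' -> ordered table of name -> 'type:value'
    param([string]$CustomRdpProperty)
    $props = [ordered]@{}
    foreach ($item in ($CustomRdpProperty -split ';')) {
        if ($item -match '^(?<name>[^:]+):(?<tv>[is]:.*)$') { $props[$Matches['name']] = $Matches['tv'] }
    }
    $props
}

function Test-RdpRedirection {
    # One result per channel. A missing property is NOT safe: the client default for the
    # clipboard and printers is "on", so absence is reported as a failure.
    param([Parameter(Mandatory)][string]$CustomRdpProperty)
    $props = ConvertFrom-RdpProperty $CustomRdpProperty
    foreach ($name in $requiredRedirection.Keys) {
        $current = if ($props.Contains($name)) { $props[$name] } else { '(not set: client default)' }
        [pscustomobject]@{
            Property = $name
            Current  = $current
            Required = $requiredRedirection[$name]
            Pass     = ($current -eq $requiredRedirection[$name])
        }
    }
}

function Get-HardenedRdpProperty {
    # Keeps every non-redirection setting as is and forces the redirection channels off.
    param([Parameter(Mandatory)][string]$CustomRdpProperty)
    $props = ConvertFrom-RdpProperty $CustomRdpProperty
    foreach ($name in $requiredRedirection.Keys) { $props[$name] = $requiredRedirection[$name] }
    ($props.Keys | ForEach-Object { '{0}:{1}' -f $_, $props[$_] }) -join ';'
}

function Set-AvdHostPoolRedirection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$HostPoolName,
        [Parameter(Mandatory)][string]$CustomRdpProperty
    )
    if ($PSCmdlet.ShouldProcess($HostPoolName, 'Replace custom RDP properties')) {
        Update-AzWvdHostPool -ResourceGroupName $ResourceGroupName -Name $HostPoolName -CustomRdpProperty $CustomRdpProperty
    }
}

# Constructed example of a weak host pool setting: all local drives mapped, clipboard on,
# nothing said about printers, USB, cameras or serial ports (so the client defaults apply).
$weak = 'drivestoredirect:s:*;redirectclipboard:i:1;audiomode:i:0;enablerdsaadauth:i:1'
Test-RdpRedirection -CustomRdpProperty $weak | Format-Table -AutoSize
$hardened = Get-HardenedRdpProperty -CustomRdpProperty $weak
$hardened
# Set-AvdHostPoolRedirection -ResourceGroupName 'rg-avd-clinic' -HostPoolName 'hp-ehr' -CustomRdpProperty $hardened -WhatIf
```

On the constructed string every channel fails: the two that are set are set permissively, and the four that are absent fall back to client defaults. The hardened output keeps audiomode and enablerdsaadauth untouched and pins all six redirections closed. The same property names apply to an .rdp file handed to a thick client, so the test function works for WorkSpaces-style or on-premises RDP deployments as well; what changes is only how the string is pushed to the session hosts.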
EHRs and other digital technologies have revolutionized the delivery of care, making it critical to secure physician endpoints. EDR and virtual desktop technologies can be part of a comprehensive security strategy to prevent breaches, protect patient data, and minimize the risk of fines. Implementing encryption, multi-factor authentication, regular vulnerability scans, and penetration testing are essential steps toward protecting the physician endpoint while meeting the proposed security requirements for HIPAA.
For more information about our comprehensive security solutions, visit our Security & Compliance page, or contact MTS to explore your options!
©2025 Med Tech Solutions