The health care sector, especially small- and medium-sized independent medical practices, has seen a significant uptick in cyberattacks for a multitude of reasons. One primary contributor to the trend is the fact that hackers know there is a very high likelihood that a health care entity or doctor will pay ransom. In fact, 90 percent or more of attacks on health care organizations result in ransom payment currently.
There are numerous reasons singly or in combination that may motivate a group to pay the ransom, and hackers know this. For example, in light of state and federal regulatory requirements around the protection of data, providers will seek to prevent data being released publicly. Health care providers fearful of significant legal and public relations consequences of the disclosure of private patient records are likely to pay ransom. Dermatology and plastic surgery practices may be particularly at-risk. Consider the types of potentially sensitive photographs of medical and aesthetic patients that may be on file.
The Bottom Line
Cyberattacks are on the rise, especially those targeted at health care organizations. Practices must understand and assess their risks. The services of an expert security company may be essential. Importantly, practices must understand the distinctions between data security and HIPAA privacy compliance.
Data security is a complex topic, but for the majority of health care entities, it boils down to two key issues: defense against an attack and recovery from an attack. As in so many aspects of medicine and life, prevention is preferred over recovery. The investment in hardening networks and organizations against attack is significantly less than the costs—both direct and indirect—of recovering from an attack. Now is the time to take a close look at your current security program and determine what you can do to improve it. Here’s what medical practices and health care organizations need to know about cybersecurity threats and the basics of protection.
Backups Alone Won’t Save You
Some health care organizations erroneously believe that having a backup of their data will save them in the event of an attack; if hackers encrypt their data, they’ll simply operate from the backed-up data. However, in an estimated 75 percent of incidents, hackers will locate all backups on the network, including both local backups as well as cloud backups. Once identified, these backups are erased before the network is encrypted with ransomware. This is done to help ensure that the doctor or the practice pays the ransom. With all the data encrypted and no back-up data to access, the practice or health care organization simply cannot function. There is no patient data—not even schedules or a database of names—available to facilitate operations. Hackers reason that this “scorched earth” methodology of erasing all the backups and encrypting the server data basically guarantees payment.
Paying the Ransom is Just Part of the Cost
In most cases, hackers who receive the ransom payment do, in fact, provide a “key” that allows the targeted organization to access its data once again. With access to patient data restored, the practice technically can resume operation. However, simply gaining access to the data does not permit the practice or organization to return to business as usual. Put plainly, the network has been compromised, and a comprehensive “sanitation” is required. All of the computer’s hard drives in the practice may need to be formatted. The hard drives on the servers must be formatted. All of the operating systems and software, including practice management software, EMRs, etc. may have to be re-installed. This is a significant cost in terms of time and money. Almost every health care entity will shut its doors for about two weeks as a result of a cyberattack; It takes that long to recover.
Anatomy of a Hack
These are the basic steps hackers take to execute a breach.
1. Identify vulnerabilities. Hackers use bots to scan IP addresses to identify vulnerable systems. From identified opportunities, they prioritize high-yield targets, such as health care organizations. Alternatively, social engineering is used to gain access to networks through emails or other communication. Think Phishing scams.
2. Execute the hack.Hackers infiltrate vulnerable networks and deploy a variety of hacking tools that allow them to steal usernames and passwords for users, such as employees. They explore systems to determine where patient data is stored.
3. Take the data.Hackers will steal all of the patient data, walking away with every single patient record, attachment, photograph, lab report, health history form, EMR/EHR record, etc.
4. Encrypt the data.The data on the targeted network is then encrypted so that it cannot be accessed. Essentially, the data is locked up, and the health care organization has no key.
5. Demand ransom.The targeted health care organization will receive communication, often through a dramatic message that takes over the screen, indicating that hackers have encrypted all the organization’s data and demanding a specified ransom in exchange for access to that data.
I recently worked with a physician group that made a ransom payment of $550,000. Their organization had about 100 computers that needed to be reformatted, bringing the total cost of dealing with the breach to close to $800,000 in cash outlay, not accounting for lost revenues due to closure.
HIPAA Compliance is Not Data Security
There’s a huge misunderstanding in the health care space where individuals intermix HIPAA compliance and data security. Many practices that use encrypted email and HIPAA compliance software assume they are therefore secure. This is meaningless in terms of network security. If an outside actor acquires an email password or the username and password for the practice management software or EMR/EHR, they can access the organization’s data. Hackers seek vulnerabilities on the practice’s firewall and on individual computers within the network.
You’ve Been Breached! Now What?
The best approach is to seek immediate professional guidance. However, here is a general overview of basic steps to take.
Disconnect from the internet immediately. Literally unplug the modem or the router to prevent computers connecting to the internet.
Secure backups, whether in the cloud or on an external hard drive. An external drive should be disconnected and put in a secure location.
Don’t turn computers off. Turning computers off can actually make matters worse.
Engage a cybersecurity firm that specializes in health care and understands all related compliance requirements and regulations.
Don’t let staff or doctors talk about the event outside the practice. Avoid potential violations of confidentiality, privacy.
Security means preventing anyone from breaking into the network and from stealing usernames and passwords. Cyber security experts will look for and shore up vulnerabilities on an ongoing basis. Essentially, they find the open doors and windows that could give a hacker access to your information. HIPAA compliance does not require vulnerability management and penetration testing. HIPAA doesn’t require that you implement endpoint detection and response software. Basically, HIPAA compliance requires only that you do an assessment and use best practices.
Similarly, posting notices about privacy and training staff on privacy issues has no true effect on security. Arguably, failure to secure the network leaves open access to private patient data. In a sense, then, lack of security is a HIPAA failure. But, strictly speaking, HIPAA compliance and network security are separate issues, and a practice can be broadly compliant with HIPAA without having true data security.
Protect Yourself
Find a company that specializes in health care cyber security.
Do your own due diligence. Get references from the cyber firms.
Understand your needs.
Make sure the company will meet those needs (an ongoing security program, staff support, capabilities to handle an attack).
Don’t forget about ongoing threat training!
Staff Can Be a Vulnerability
Hackers may use social engineering to gain access to your data. This may include tactics like sending an email that appears to come from a local referring physician’s office with a link or an attachment that contains malicious software that ultimately gives the sender access to your network. Third party vendors that work with medical practices and healthcare organizations may also be targeted and indirectly provide access to their clients’ data.
It is essential to educate the entire staff on network hygiene and best practices for electronic communication and to continuously encourage best practices. For example, simple tactics like checking the sender address, rather than simply the sender name, can go a long way toward minimizing risk.
You Need an Expert Data Security Company
A significant problem currently is that many doctors don’t understand the difference between an IT company and a cybersecurity company. It’s very much the same as the difference between an internist or a GP and a plastic surgeon. They are both doctors, but the GP isn’t going to do cosmetic surgery and the plastic surgeon doesn’t do an annual physical. When well-intentioned physicians or administrators ask the IT company if the organization is secure, the IT company may indicate that it is—even if that IT company does not specialize in security. Additionally, relying on the IT company that built the network to vet the security of that network can be problematic. A third party that understands how hackers breach networks can analyze the network and provide feedback to both the practice and the IT company as to how they can harden the network.
Credentialed individuals who are experts in security are equipped to identify and address vulnerabilities on an ongoing basis. Large businesses and Fortune 500 companies all have outsourced their security to dedicated cyber firms, because they know that individuals within these companies specialize in security. Remember: this is not a one-and-done proposition. Nefarious actors change their tactics, and networks and software are constantly being updated, so maintaining security requires an ongoing, dedicated program.
Security costs are simply the cost of doing business today—and much lower than the costs of attack recovery. It’s important to have a good IT company and a good cyber firm. If you’re missing that one piece of the puzzle, it’s not going to work.
A cyber firm will also teach all of the doctors and team members how to identify threats that present through the internet and email. Even with the best security in place, if someone clicks a link or opens a malicious attachment, it may override all the security that is in place, and the attack will execute.
Protect Your Assets
It is difficult to quantify the beneficial effects that the ongoing digital revolution has had on patient care. From efficient communication with patients and referring or co-managing physicians to simplified scheduling and billing, so much of the patient care experience now occurs in cyberspace. But these updates did not emerge without risks. To ensure the security of patient data, financial information, and, truly, the ability to function, practices and healthcare organizations must protect themselves against cyberattacks. It is essential to assess one’s needs and respond rapidly to harden networks and assure ongoing defense against attack.
Recommended
Andrew Mastro, MS, PA-C
Clay J. Cockerell, MD, MBA, JD
Collin M. Blattner, DO
Joel Schlessinger, MD, FAAD
