It’s an ordinary work day, and you’re walking into your practice ready to review the day’s schedule and start seeing patients.
But something is different: Your front desk staff and your CA are huddled in front of a computer, talking quietly, tense and nervous. As you enter, they look at you with ashen faces. Your practice has been hacked.
How likely is this to happen? Consider that major data breaches, of the sort you hear about in the news, are sharply on the rise as criminals obtain ever-more-powerful tools. You may remember the Equifax data theft of millions of consumer credit files in 2017. And compared to the 1,090 major breaches in 2016, this year’s estimated number will be about 1,500—an increase of nearly 50 percent.[1]
An online data security analysis firm polled a cross section of major industries to see how well workers understand threats and good data-keeping procedures. The health care industry ranked high in some areas, with 85 to 90 percent of health care professionals showing awareness of how to avoid ransomware attacks, build safe passwords and guard against scams.[2]
On the other hand, some 30 percent of responders showed a poor grasp of how to protect and dispose of data securely and more than 25 percent struggled with protecting confidential information.[2]
What can you do to protect yourself, your practice, and your patients from the loss of records and ID theft? The bad news is that perfect security is virtually impossible to achieve. After all, the National Security Agency, the top federal intelligence organization, was itself the victim of data theft. The good news is that you can make things extremely difficult for cybercriminals, and if they find that your practice is a hardened target, they might well decide to move on to easier pickings.
The nature of the threat
In the public imagination, shadowy members of cybergangs prowl the internet, selecting targets and using sophisticated tools to bypass passwords and login credentials to gain entry to computer networks. In some cases, that’s exactly what happens. But more commonly, the attacks are fairly simple and easy to spot.
Phishing is the sending of email that urges the recipient to visit a website, send information, or do something else that compromises their security. You’ve undoubtedly received dozens of these if not more. They’re usually easy to spot because they contain typos and unprofessional language. That’s changing, however, as criminals grow savvier.
Spear phishing is a pernicious type of attack where the criminal impersonates you or another trusted figure, “spoofing” their email address so it looks legitimate. Inform all staff members that just because an email looks OK, they should always verify its authenticity if it is a request for records, access to your network, or anything out of the ordinary. An antivirus software maker calls this the most common type of cyberattack they see.[3]
Ransomware is a rapidly growing threat. An infected computer will encrypt all the data it contains and the criminals will demand payment to unscramble your files. One hospital in the Los Angeles area was famously attacked this way and the staff paid more than $17,000 to recover their data. These criminals usually unlock your files after being paid—but sometimes they don’t.
Frequently backing up your data is the best defense against ransomware, in addition to your practice maintaining a culture of security. A phishing attack is often the prelude to this kind of theft.
Social engineering is a highly effective technique in which the criminals use human psychology to gain access to your records. They might call your scheduler and pretend to be from your IT vendor, asking for a password, or they might dress as a FedEx driver or building maintenance worker.
There are additional types of attacks, but these are the ones that tend to be relatively easy to carry out and they have a high rate of success.
Expensive lessons
Ty Talcott, DC, teaches HIPAA compliance and he points out that a HIPAA security program is a good start, but it’s not enough. A cybersecurity program will perforce be constantly evolving in the face of changing threats. “They must issue periodic security reminders to their workforce that include current cybersecurity threats. We got some clarification at a Washington cybersecurity conference that they thought about once a month was adequate.”
Another point Talcott mentions is that a cyberattack may be viewed as a HIPAA violation and lead to fines. What’s more, you could have to pay for monitoring the credit of all patients who were exposed, for a period of one year at about $10 per month per patient. “If you have 5,000 patients breached, that is $50,000 a month for monitoring their credit,” he says.
Another expert, Mike Norworth, who develops EHR software, observes that small medical practices are less of a target than large hospital systems with millions of records in the cloud. But “less” doesn’t mean off the radar. “Typically, a staff member clicks on something that introduces malware to their system. And the best defense for most such attacks is good anti-virus software, proper backups, and hyper-awareness of the possibilities.”
One information systems specialist, Brad Cost, cites surveys showing that more than 80 percent of physicians have experienced a cyberattack of some type.[4] “My experience when talking to providers at conferences is that they are unprepared for this issue. They have not implemented protection and, if they do have a layer of limited protection, they are not good at keeping it updated.” This is why, in his view, smaller offices can be at greater risk than large clinics that have greater technical resources. Sukhi Singh, an EHR expert and developer, agrees, saying, “A significant percentage of large practices have in-house cybersecurity experts and they deploy sophisticated tools to detect and prevent such attacks. Smaller practices therefore are much more vulnerable.”
Then there’s the indirect cost of a cyberattack—downtime while you recover. How much downtime you experience will depend on the nature of the attack and how well you prepared for it.
“If you look at recent AMA surveys,” Cost says, “64 percent of all physicians who suffered a cyberattack experienced up to four hours of downtime before they resumed operations, and 29 percent of physicians in medium-sized practices that suffered a cyberattack said they experienced nearly a full day of downtime.” In one case he saw involving a client who got hit with ransomware, the practice was down for almost a week.
In Talcott’s experience, recovery can take time and be implemented in stages. One chiropractor he knows who fell victim to ransomware was able to get their scheduling software running before the billing software, and the forensic investigation took the better part of a year to assess liability.
What they want
You might be wondering about these people who are trying to get into practice records, and why they want them. “A percentage of hackers are just malicious individuals, some are in espionage and trying to gain trade secrets, etc., but the vast majority are old-fashioned crooks trying to either collect ransom for your data or capture your data and sell it on the black market,” Talcott says.
Estimates vary, but security experts agree that a pirated medical record is worth much more than a credit card. The Identity Theft Resource Center cites a study that discovered a block of 10 full medical records could be purchased for about $4,700, whereas a stolen credit card is only worth about $8 to $15.[5]
A complete medical record contains a patient’s name, address, insurance ID number, Social Security number, prescription medications and more. It’s the perfect tool for a devastating identity theft, and the victim will have considerable trouble dealing with the aftermath.
“Protected health information is rich with the types of data criminals can use for such crimes, over and over again. Your credit card number may change, but your Social Security number is a different story,” Norworth says. And Singh adds that protected health information (PHI) “can be used later on for health care fraud or for hacking into medical devices.”
Up in the cloud
Much of today’s practice management, billing, and EHR systems store their records in the cloud, meaning remotely on the internet. If your software vendor is hosting your data, how can you be sure it’s safe and HIPAA compliant?
Norworth says that with respect to EHR, having a system that is certified for Meaningful Use means that the software has been evaluated by the government for security and maintenance of data privacy. And Talcott stresses the importance of having a business associate agreement (BAA) with any entity that has access to your patients’ PHI. In fact, the HIPAA Omnibus Rule of 2013 mandates that you keep copies of all your BAAs on file. In the event of a data breach, these clarify who is responsible for safeguarding your data at various locations.
But don’t think because your data is in cloud storage that you’re off the hook. As Cost points out, hackers are looking for front door access. “They are finding passwords and access into the clouds because users fail to have good password structures. Many passwords are based on personal information that can be mined from social media. Once a hacker has a valid user ID and password, they become a valid user to the system.”
Passwords will still be with us for the foreseeable future, so regularly train staff to use hardened passwords that cannot be guessed or gleaned from personal information. You can check passwords for strength at sites like howsecureismypassword.net.
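One way to put the password advice above into practice without pasting real passwords into a third-party website is a small local checker. The following is an added example, not code from the article or from any vendor it names. It applies a minimum length, a character-class rule, a small denylist of common choices, and, following the point that attackers mine personal details from social media, rejects any password containing a detail from a per-user list. The denylist, the personal-detail list and the thresholds are constructed assumptions for illustration.

```python
"""
Added example (not from the article or any vendor it names): a local password
checker. Lists and thresholds below are constructed assumptions.
"""
import re

MIN_LENGTH = 12

# Constructed denylist; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123", "chiro2018"}


def personal_details_hits(password, details):
    """Return the personal details (names, birth years, pet names...) found inside the password.
    Details shorter than three characters are ignored to avoid noise."""
    lowered = password.lower()
    return [d for d in details if len(d) >= 3 and d.lower() in lowered]


def password_report(password, personal_details=()):
    """Return a list of problems; an empty list means the password passed every check."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # count lower, upper, digit and symbol classes present
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")

    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats one character three or more times")
    if re.search(r"(0123|1234|2345|3456|4567|5678|6789|abcd|qwer)", password.lower()):
        problems.append("contains a keyboard or number sequence")

    for hit in personal_details_hits(password, personal_details):
        problems.append(f"contains personal detail '{hit}'")
    return problems


if __name__ == "__main__":
    # Constructed personal details for one hypothetical staff member
    details = ["Jones", "1987", "Buddy", "Tampa"]
    for pw in ("Jones1987!", "Buddy-Tampa-2018", "mauve-kettle-Orbit-47"):
        print(pw, "->", password_report(pw, details) or ["OK"])
```

The personal-detail check is the part a generic strength meter misses: a password can score well on length and character mix and still be built from a name and a birth year that anyone can read off a social media profile.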
Your security plan
If you’re starting to feel a bit paranoid, good—you should be. Your data is valuable and even a small attack can cost you time and money, in addition to damaging your reputation. Cost recommends auditing your practice by asking some basic questions:
- Are you making daily backups of your systems and records?
- Do you and your employees know what phishing is? (It is the No. 1 way that hackers get into a system.)
- Are your passwords strong and secure?
- Is your technology current?
- Is your anti-virus and anti-malware software updated continuously?
- Are all of your devices (and your employees’ devices) encrypted?
- If you use cloud storage or technology, do you have a certificate of HIPAA compliance?
- Do you have a BAA with every company that has access to your data?
- Is the Wi-Fi in your office secure and encrypted?
- Does your practice maintain a culture that promotes the privacy and security of work and patient data?
Regarding the point above about your Wi-Fi needing encryption (WPA2 is the recommended standard), Norworth notes government warnings that any devices like routers, servers, and networked printers or copiers that connect to your system are potentially vulnerable.[6] Keep them secure and updated.
Singh recommends disabling your router’s admin wireless login setting. That way, only someone who is physically connected to your router via an Ethernet cable can access the admin features of your wireless router. “And ensure the physical router is kept in a secure area,” he adds.
Talcott says that HIPAA requires all covered entities to conduct a periodic information system activity review (ISAR). “In fact the federal government says that if you do not have a risk analysis with current ISARs you have no HIPAA program at all.” Briefly, you want to look over the activity logs of any software program that you and your staff have to log into.
While there’s no specified frequency, at least a quarterly review is recommended. If your EHR system is being accessed by unauthorized persons, or there are a large number of failed login attempts, the ISAR will alert you to the problem. Document and date your review and keep it on file for six years.
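The review described above can be partly automated. The following is an added example, not code from the article or from any EHR vendor it names: a small script that reads login audit lines in a constructed format, flags the two conditions the article names (logins by accounts that should not have access and bursts of failed login attempts), adds two related checks (a successful login right after such a burst from the same source, and logins outside business hours), and produces a dated review record to keep on file. The log format, the staff roster, the business hours and the failed-login threshold are all assumptions; a real EHR or practice management system will have its own export format.

```python
"""
Added example (not from the article or any vendor it names): a helper for the
information system activity review (ISAR). Log format, staff roster and
thresholds are constructed assumptions.
"""
from collections import Counter
from datetime import datetime

# Constructed sample audit log (not real data). Assumed fields per line:
# ISO timestamp, user id, outcome (SUCCESS or FAIL), source IP address
SAMPLE_LOG = """\
2018-06-04T08:01:12 dr.jones SUCCESS 192.168.1.20
2018-06-04T08:03:55 frontdesk SUCCESS 192.168.1.21
2018-06-04T22:14:02 frontdesk FAIL 203.0.113.44
2018-06-04T22:14:09 frontdesk FAIL 203.0.113.44
2018-06-04T22:14:15 frontdesk FAIL 203.0.113.44
2018-06-04T22:14:22 frontdesk FAIL 203.0.113.44
2018-06-04T22:14:30 frontdesk FAIL 203.0.113.44
2018-06-04T22:15:01 frontdesk SUCCESS 203.0.113.44
2018-06-05T09:10:00 temp_user SUCCESS 192.168.1.30
"""

AUTHORISED_USERS = {"dr.jones", "frontdesk", "billing"}   # assumed staff roster
FAILED_LOGIN_THRESHOLD = 5                                # assumed burst size
BUSINESS_HOURS = range(7, 19)                             # 07:00 to 18:59, assumed


def parse_log(text):
    """Turn audit lines into dicts; lines are assumed to be in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, src = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "outcome": outcome, "src": src})
    return events


def review(events, authorised=AUTHORISED_USERS, threshold=FAILED_LOGIN_THRESHOLD):
    """Return human-readable findings for the reviewer to investigate."""
    findings = []
    failures = Counter()          # consecutive failed logins per (user, source)
    for e in events:
        key = (e["user"], e["src"])
        if e["outcome"] == "FAIL":
            failures[key] += 1
            if failures[key] == threshold:
                findings.append(f"{threshold} or more failed logins for {e['user']} from {e['src']}")
            continue
        # a SUCCESS event
        if failures[key] >= threshold:
            findings.append(f"{e['user']} logged in from {e['src']} after "
                            f"{failures[key]} failures; verify with the user")
        if e["user"] not in authorised:
            findings.append(f"login by account not on staff list: {e['user']} from {e['src']}")
        if e["time"].hour not in BUSINESS_HOURS:
            findings.append(f"after-hours login: {e['user']} at {e['time']:%Y-%m-%d %H:%M}")
        failures[key] = 0         # a success resets the burst counter
    return findings


def review_record(findings, reviewer, when=None):
    """Dated record of the review, to be kept on file (the article says six years)."""
    when = when or datetime.now()
    lines = [f"ISAR performed {when:%Y-%m-%d} by {reviewer}: {len(findings)} finding(s)"]
    lines += [f"  - {f}" for f in findings] or ["  - no anomalies noted"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(review_record(review(parse_log(SAMPLE_LOG)), "practice manager (constructed)"))
```

On the sample log the script reports the five-failure burst against the front desk account, the successful login that immediately followed it from the same outside address, that same login as after-hours, and a login by an account that is not on the staff roster. Each finding is a lead for the reviewer, not a verdict; the dated record is what you keep on file.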
Singh advises DCs to attend online seminars and workshops on data security best practices to stay up to date on the latest threats and countermeasures. “A chain is only as strong as its weakest link. That means that if a DC and most of their staff are following all the cybersecurity protocols, but there is that one staff member who is lax, that is all that is needed to make your practice vulnerable to cybercriminals,” he says.
Worst-case scenario
In the opinion of most experts, including the panel for this article, at the moment your biggest risk is a ransomware attack. These are fast, and can be profitable for the criminals. Symantec recorded an average of 1,242 ransomware detections every day in 2017. As mentioned, there’s no guarantee the attackers will return your data if you pay them.
Some companies specialize in helping people recover their encrypted data, but they admit not all cases can be resolved. If they succeed, a typical fee is $300 to $500 per 2 terabytes of storage. If they fail, they’ll offer to pay the ransom on your behalf (typically now about $300). Add in their fees and what is likely to be a HIPAA investigation, and it can get expensive quickly.
Norworth says some of his clients who were infected with ransomware were back up and running quickly. “Each and every one recovered in hours or days by wiping the hard drive(s), re-installing the OS and restoring their backups.” Cost says your backups must be kept offline, separate from your network, because this type of malware can rapidly spread through your system and affect every connected workstation: “Systems can be fairly easily restored if there is a complete backup (separate from the infected system) to restore from.”
While ransomware tends to produce the most severe damage, social engineering and phishing are the most common and successful attacks. Accordingly, your best defense against them is education. Conduct regular, scheduled training for your staff about these dangers, and stay updated because thieves routinely change their tactics. Here, too, having backups of your data and systems is vital because if you are compromised, the only way to be sure the attack is over is to restore to a clean state.
Finally, hardening your Wi-Fi network removes a point of vulnerability. Talcott recommends not letting employees bring their own devices to work or, if they do, don’t let them connect to your practice’s Wi-Fi. If you want patients to have internet access, set up a separate guest Wi-Fi network that cannot connect physically to your systems. Most routers allow guest access like this.
Cost has found that monthly testing has stopped his employees from opening unknown links in email. “It conditions them to think first and not become a quick clicker,” he says. All of our experts agree that the HIPAA security rule only establishes a framework. A culture of following those rules assiduously has to be created by you.
Daniel Sosnoski is the editor-in-chief of Chiropractic Economics. He can be reached at 904-567-1539, dsosnoski@chiroeco.com, or through ChiroEco.com.
References
[1] Steele J. “Credit card fraud and ID theft statistics.” CreditCards.com. https://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statistics-1276.php. Updated Oct. 2017. Accessed June 2018.
[2] Beyond the Phish: 2018 Report. Wombat Security. https://www.wombatsecurity.com. Published April 2018. Accessed June 2018.
[3] 2018 Internet Security Threat Report: Vol. 23. Symantec. https://www.symantec.com/security-center/threat-report. Published March 2018. Accessed June 2018.
[4] Leventhal R. “83% of Physicians Have Experienced a Cyber Attack, Survey Finds.” Healthcare Informatics. https://www.healthcare-informatics.com/news-item/cybersecurity/83-physicians-have-experienced-cyber-attack-survey-finds. Published Dec. 2017. Accessed June 2018.
[5] “How much is your identity worth … on the black market?” Identity Theft Resource Center. https://www.idtheftcenter.org/how-much-isyour-identity-worth-on-the-black-market. Published Jan. 2012. Accessed June 2018.
[6] The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations. US-CERT. https://www.us-cert.gov/ncas/alerts/TA16-250A. Updated Sept. 2016. Accessed June 2018.