The growing cyber threat to physician practices

©Maksim Kabakou/Shutterstock.com

Right now, medical practices are being attacked by cybercriminals. Emails are being sent in the hope a practice employee will click on a link that will install ransomware, hackers are exploiting security flaws in medical equipment with internet connections, and information is being gathered from social media to trick staffers into revealing patient or financial records.

The sophistication and volume of attacks is increasing, according to cybersecurity experts, and practices have to be more vigilant than ever to protect themselves, even if at times it seems fruitless. “A doctor running a small practice might say, ‘If Blue Cross of Tennessee can’t protect itself, how can I?’” says Rob Tennant, director, health information technology policy for the Medical Group Management Association. “But you can’t just throw your arms up and say there’s nothing that can be done. If at the minimum you take some low-impact security steps, that should be sufficient, but always have a contingency plan so that if you run into a hack, a fire, or flood, you have a way out that ensures your practice continues.”

Cybercriminals have many resources and are highly knowledgeable about how technology works and its vulnerabilities, experts say. But they also tend to take the path of least resistance, meaning the harder they have to work to hack a practice, the more likely they are to move on to an easier target. As the bad guys refine their tactics, practices must continue to be vigilant, especially against the most common threats. 

“Malware is still big and they are learning to be more effective with the messaging they use to get people to click on ransomware links,” says Kevin Johnson, CEO of Secure Ideas, a Jacksonville, Fla.-based security consulting firm. “The threats compared to last year are very much the same, but that’s good, because organizations that took the time to enhance their security are still running down the right path. However, people that said they weren’t worried about it are just as far behind as they were last year.”

Every practice is a target

One of the biggest mistakes a practice can make is to assume it won’t be a target because it is too small or has nothing of value. “Hackers are not going after you specifically, they are going after everybody,” says Johnson. “They target large numbers of victims, because it doesn’t take much more effort to send out millions of attacks versus a hundred, because it is all automated.”

The idea that a hacker is someone living in their mom’s basement is almost always wrong. In fact, most cyberattacks are coming from complex organizations.

“A lot of these groups would be considered mid-sized businesses,” says Elliott Frantz, CEO of Virtue Security, a New York City-based firm that identifies vulnerabilities in applications and networks. “They have full-time staff, their own R&D teams, and in some ways are on par with many tech companies.”

Broad attacks are the most common, but practices can still be singled out by hackers. Elliott says that there are huge markets for stolen information, including specific markets with established prices for healthcare records. Because cybercriminals know the potential return, they can calculate whether targeting a specific practice is a good investment, either through the number of health records they might obtain or through ransomware.

“They may see a smaller organization as a more tempting target,” says Bruce Snell, director, emerging threats and disruptive technologies, for Tokyo-based NTT Security. “The thought process is that a smaller practice may not have good backups or a security plan or tools in place, so it might be worth their time to spend eight hours putting together a phishing attack that might get them $15,000-$30,000 out of them through ransomware.” 

Threat types

Practices need to defend against several threat types as part of a comprehensive cybersecurity plan, but ransomware is still the leading one. “Ransomware in particular works from a cybercrime perspective because its straightforward and uses malware to infect the system,” says Snell, who adds that medical organizations are particularly vulnerable because of their immediate need for access to patient information. 

Because some healthcare organizations pay the ransoms, it leads to more ransomware attacks across the industry, because cybercriminals see they can profit from it. But paying a ransom doesn’t always work, says Snell. The ransomware code is sometimes poorly written, so even when the victim pays the ransom, they still are not able to recover their data using the key. 

Phishing attacks, where a cybercriminal uses an email pretending to come from someone the recipient knows, are also common, says Elliott. The sophistication of attacks has evolved well beyond the old ruse of the Nigerian prince who requires a little money upfront to secure a much bigger payout later. 

“Attackers are realizing they need to put in more effort to create a realistic scenario,” he says. “It’s much more common now for malicious emails to look legit and be relevant to the victim.” Emails targeting medical practices are now more likely to contain names of doctors or accounts payable staffers, with requests for modest money transfers or patient records.

When cybercriminals want to attack a specific organization, they’ll do the research required to get as many details as possible. “They are looking up identities on social media like LinkedIn and Facebook,” says Elliott. “They are using these sources to target people not traditionally targeted five or 10 years ago.” 

A rising threat to practice cybersecurity is through devices connected to the internet, collectively known as the “internet of things” (IoT). This can include everything from medical equipment to thermostats. As medical technology advanced, many of these devices began collecting and storing patient data like a computer, but without the same level of built-in security, says David Finn, MA, executive vice president, strategic innovation for  CynergisTek, an Austin, Texas-based cybersecurity consulting firm. These devices are often connected to a practice’s network and offer a gateway for hackers to get in.

While computers might get changed out every three to four years, medical
devices are typically kept for a decade or longer, meaning many older devices weren’t designed with security features to deal with today’s hacking threats, says Finn.

“There are literally millions of devices deployed across the country in hospitals and practices, and nothing can be done in terms of protecting the device,” he adds.

More troubling is that some hackers have attacked devices not to steal or ransom data,  but simply to be malicious and shut them down-including one example from Russia last year where hackers shut down all of the operating-room equipment during a 13-year-old’s brain surgery.

 “In some cases, it’s just evil people testing their product in a real market,” says Finn. “The new threat is really for lack of a better term from ‘hacktivists.’ They like to read in the paper how they shut down a hospital or disrupted a surgery, similar to how an arsonist likes to see the response to their crimes.”

Playing defense

With the rising number of threats and the growing sophistication of attackers, trying to defend a practice may seem impossible. However, experts agree that a careful review of cyber vulnerabilities can greatly reduce the odds of a breach.

“Before ever looking for a specific technology or solution, I think generally speaking, small practices should understand what their exposure is and where the risk really lies,” says Elliott. Too often, people look for one “silver bullet” product that will protect their data. Elliott adds that the most important thing is to understand what the potential problems are before trying to solve them. 

For example, a practice sending lots of emails or receiving files from outside sources needs to invest in making sure those systems are secure and that it is taking extra precautions when accepting files or getting requests for information, such as some sort of secure email delivery service, says Elliott.

Basic security hygiene is also important. “Make sure your passwords are different for your work email and personal email,” says Elliott. “Make sure your desktops and laptops are secured at the system level, and ensure you have anti-virus or endpoint detection of threats.”

Snell says that every log-in for every computer and device should have a different password and should not be common words. If it’s too complicated to manage, he suggests using a password tool such as LastPass or 1Password.

Johnson recommends working with the practice’s IT expert or vendor to reduce the number of ways an attacker can potentially gain access to the network or its data. “Too many organizations buy computers that are way more powerful than they need that run lots of applications,” says Johnson. “Evaluate using something like a Chromebook.”

Because of the device’s simplicity, there are fewer ways for hackers to exploit them. He compares using Chromebooks, which are stripped down computers, to removing half the windows and the back door to the garage on a house-fewer points for an intruder to get in.

Similarly, using as many cloud-based services as possible can help a small practice with security because the application provider-with its superior resources-will be responsible for securing its platform, says Snell. 

An often overlooked security measure is training staff members to recognize potential risky links and to not click on them. “Users have to understand they are the first line of defense,” says Johnson. “They have to think through what they are doing and ask themselves if it makes any sense.”

Snell says education can be one of the most effective defensive tactics a practice can use. “Make sure everyone in the organization is part of the overall security program,” he says. “Make sure everyone is aware of the risks they may see on a daily basis.”

For example, Johnson says, an office manager received what looked like a request from a supervisor for all the employee W-2 forms. The office manager was a little suspicious and so encrypted the data and sent it with a message that the encryption key was texted to his phone.

The attacker, still posing as the supervisor, emailed back that he lost his phone and requested the key by email-and the office manager complied, thus giving the attacker the data and the key because of a compromised email account.

“People think computers are different,” says Johnson. “If you got a letter in the mail asking for everyone’s sensitive data, would you comply? They need to think about what they are doing.”

When purchasing new medical devices with internet connections, always ask about the security standards on the device, says Finn. “Ask if it can be upgraded if a vulnerability is found and if it can run some sort of anti-virus program on its system,” he says. 

One other caution with connected medical devices is to know whether they store patient data, and if so, to make sure the data is purged on a regular basis, says Finn. “When you scan a document, some of what you are putting in is stored and retained by the device and most people don’t even think about that,” he says. 

If cost is an issue to securing a practice’s data, Tennant says to look at free resources first, then bringing in outside help to deal with the unresolved vulnerabilities. He recommends starting with the Office of the National Coordinator for Health IT website (www.healthit.gov), which has guidance on how to do a security analysis and other tools. Another option is to team up with other practices and share the cost of a security consultant.

Attacks, with the exception of ransomware, are rarely obvious. Experts say a practice most likely wouldn’t even know if it’s systems are compromised, because there are few tell-tale signs from today’s hackers. Only a security expert examining a practice’s systems will be able to tell if a breach has occurred, and if it has, can take steps to remove the intruder. The best approach is to be proactive and assume an attack is coming, if it hasn’t already happened. 

“Security 101 is making sure you have all your data backed up,” says Snell. “Cloud-based backup is inexpensive, and it will give you secure and remote backups so you can recover quickly.”

Tennant says not investing in a backup system to protect the integrity of patient data is irresponsible, and puts the viability of the practice at risk. “It is not a question of if a practice will be attacked, it’s a matter of when,” he says. “You have to assume you are going to be hit with something eventually. If it happens, what is your solution to that?”

Cybersecurity terms to know

Malware: Malicious software designed to disrupt computer ­operations or steal information.

Ransomware: A type of malware that locks users out of their data and encrypts it until a ransom is paid.

Virus: A type of malware that can corrupt or erase information on a computer before spreading to other computers.

Worm: Malware than can replicate itself to spread to other ­computers.

Phishing/spear phishing: A scheme using an email to trick someone into divulging personal information or passwords. A spear phishing attack uses more detailed personal information to make an email appear to be coming from a known employee, business associate or family member.