MGMA 2019: Ransomware, phishing scams a growing threat in healthcare

Healthcare attorney Isabelle Bibet-Kalinyak, partner at McDonald Hopkins LLC, in Cleveland, Ohio, raised the alarm on cyber security for physician practices at the MGMA 2019 conference in New Orleans.

During her presentation on medical records and HIPAA, Bibet-Kalinyak said that 76 percent of types of medical records breaches are due to hacking and IT incidents.

The second most common type of breach is theft at 15 percent, loss at 10 percent, and unauthorized use at four percent.

Some of the most common forms these breaches take are due to ransomware and phishing of cloud computing service providers, Bibet-Kalinyak says. There has been an increase in these malicious cyber breaches rather than coincidental or accidental breaches.

Ransomware is when a bad actor gains access to your computer system and holds your files hostage until you pay a specific sum of money, usually through untraceable means such as gift cards or cryptocurrency. Phishing refers to the act of using fraudulent emails-which often mimic an email from a colleague or someone the victim knows-to attempt to gain access to a computer system by the victim simply giving their login and password away.

In the past, larger health systems have been the most popular targets of these kinds of scams, but Bibet-Kalinyak warns that the smaller practices aren’t safe.

“They’re targeting smaller practices,” she says. “The first attacks are against hospitals [and hackers] said, ‘we want $5 million or you can’t touch your chart. It’s a prisoner.’ Now they’re going after small practices and they say, ‘$10,000 [to] $50,000 and we’ll release your records.’

Bibet-Kalinyak says the FBI and authorities can’t keep pace with these hacks, leaving most hospitals or practices forced to pay the ransom-unless they have a good backup system.

Besides having data backed up securely, the best way to address the threat of ransomware is through cyber liability insurance.

“If you already have it, increase the amount,” she said drawing laughs from the crowd. “This is exponential.”

The HHS Office for Civil Rights suggests a robust security incident procedure to respond to these attacks, according to Bibet-Kalinyak’s presentation.

These include:

• Detect and conduct initial analysis

• Contain impact and propagation

• Eradicate the instances of ransomware and mitigate or remediate vulnerabilities that permitted the ransomware attack and propagation

• Recover from attack by restoring data lost and returning to “business as usual” operations

• Conduct post-incident activities including: breach notification under HIPAA and incorporating lessons learned to avoid future attacks