It’s been a long day. You managed to squeeze in three extra patients—and the only thing between you and the door is a few chart updates. Just as you finish, you are alerted to a new email from what looks like a well-known insurance company, complete with a recognizable logo. You recall your office manager mentioning that this company had recently declined several reimbursement claims. The email refers to you and your office manager by name—and informs you that you can clear up your reimbursement issues if you just click a link and provide some extra information. What do you do?
Many healthcare professionals would click without a second thought—and, in doing so, they might very well be inviting a hacker into their networks via a sophisticated electronic communications scam called spearphishing. These personalized attacks are on the rise in healthcare and can have serious consequences for organizations of all shapes and sizes.
“In today’s day and age, hackers are going after people instead of the technology directly,” says Anahi Santiago, CISM, chief information security officer at Christiana Care Health System in Wilmington, Del. “And the breaches that happen as the result of these attacks not only give hackers access to protected patient data but also the ability to disable networks which, essentially, can disable providers and organizations from being able to effectively care for their patients.”
A targeted attack
As noted in Verizon’s 2018 Breach Investigations Report, phishing, a form of cybercrime that uses emails purportedly from a known organization to persuade individuals to provide sensitive data, including passwords or financial information, is linked to more than 90 percent of data breaches—making it the most common attack method for hackers. Parham Eftekhari, executive director of the Institute for Critical Infrastructure Technology, a cybersecurity think tank, says that spearphishing is a more sophisticated form of phishing, targeting a specific organization or individual.
“With phishing, the hacker doesn’t necessarily care who clicks, he or she is casting a wide net in hopes of getting someone to do so,” he says. “But spearphishing uses a tailored lure—a spear, so to speak—to make the email with those links more appealing to a specific victim.”
In a recent American Medical Association (AMA) survey, 4 out of 5 survey respondents said they had been the target of a cyberattack, with more than half of those stating the attack was the result of a phishing lure. Eftekhari says that is not a surprise—and that providers often are an easy mark for hackers because the healthcare environment is so fast-paced.
“Physicians are busy and their focus is on helping patients. There’s more and more technology in practices, and that technology can often be frustrating for them,” he says. “So if they do get an email, and it looks somewhat legit, it’s not surprising they might click and download and execute a malicious payload.”
Few medical schools discuss the ins and outs of cybersecurity, even though medical practice has become more technology-intensive—and hacks can affect both patient safety and patient satisfaction. James Kaplan, MBA, a partner specializing in information technology (IT) infrastructure and cybersecurity for the management consulting firm McKinsey & Company, says that providers should be concerned about the consequences. Those consequences may include the theft of protected health data—and the consequent fines from the U.S. Department of Health and Human Services’ Office for Civil Rights—as well as the loss of the practice’s financial data.
But more concerning is the possibility of being locked out of EHRs or medical devices and IT systems that play a critical role in providing patient care. The AMA survey reported that the majority of physicians who had been hacked suffered up to four hours of downtime, with many reporting they were unable to provide care for an entire day.
Protect your organization, protect your patients
Leslie Saxon, MD, a cardiologist and executive director at the University of Southern California Center for Body Computing, says that protecting an organization from spearphishing and other cyberattacks starts with education about “cyber hygiene,” or common practices individuals and organizations can undertake to help improve network security.
“It’s hard to create awareness, especially since cybersecurity really is a shared responsibility between providers, clinical and office staff, and even patients,” she says. “That’s why the right education is so important. It’s like handwashing or any other hygienic practice. You have to teach the basics throughout the system in order to be successful.”
The AMA has published specific cybersecurity guidelines for physicians on its website to promote proper cyber hygiene. It also recommends that physicians familiarize themselves with cybersecurity recommendations offered by the Department of Homeland Security. Eftekhari says that provider practices can also benefit from contacting IT organizations that likely have local chapters in their area, like the Healthcare Information and Management Systems Society (HIMSS) or the International Information System Security Certification Consortium (ISC2).
“Cybersecurity can be a challenge for smaller organizations—but that’s no excuse not to practice good cyber hygiene,” he says. He explains that organizations like HIMSS or ISC2 have education materials available that can help educate physicians and their staff, and often hold meetings or seminars to help raise awareness of different cyber threats and how to best deal with them. He says they may also be able to connect your practice with a local expert who can train your staff about appropriate cyber hygiene for a fee.
But Santiago says that practices can adopt cyber hygiene basics before any formal training. She says that provider practices should make sure to keep all network systems patched and updated to help protect them from any potential attacks. Some systems can be set to do so automatically. And she says that maintaining good password hygiene is also critical to success.
“With so many technologies in use, I understand why people want to use one password for a bunch of different systems or keep passwords written on a post-it note somewhere,” she says. “But don’t do it.”
Cybersecurity experts recommend that passwords be difficult to guess—no children’s names or birthdays—and at least eight characters long. Santiago recommends using passphrases so they are easy for physicians to remember but difficult for hackers to crack.
“For an electronic health record system, your password could be a phrase like ‘I love to care for patients,’” she says.
But most importantly, Santiago recommends that physicians and clinical staff always slow down and think before they click. “All it takes is one person to click on the wrong link to result in a breach,” she says.
Kaplan says there are several indicators that an email or social media message may be a spearphishing attack in disguise. He says that emails that tell recipients they need to click immediately, or that have return email addresses or web links with O’s replaced with zeros or L’s with ones, mean that recipients are likely clicking at their peril. If it is unclear whether the message is legitimate, Santiago recommends logging in to the company’s website or picking up the phone instead of clicking.
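The indicators Kaplan lists can be checked mechanically before a message reaches an inbox. The Python sketch below is an added example, not code from the article or from anyone quoted in it; the trusted-domain list, the urgency phrases and the sample message are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the practice really deals with (constructed; .example is reserved).
TRUSTED_DOMAINS = {"goodhealthplan.example"}
# The two swaps named in the article: zero for O, one for L.
SWAPS = str.maketrans({"0": "o", "1": "l"})
# Assumption: a small sample of pressure phrases, to be tuned on real mail.
URGENCY = re.compile(r"\b(immediately|right away|act now|within 24 hours)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)


def _under(domain, parent):
    """True if domain is parent itself or one of its subdomains."""
    return domain == parent or domain.endswith("." + parent)


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates via 0/O or 1/L swaps, else None."""
    domain = domain.lower().rstrip(".")
    if any(_under(domain, t) for t in TRUSTED_DOMAINS):
        return None  # genuinely trusted, including subdomains
    undone = domain.translate(SWAPS)
    for trusted in TRUSTED_DOMAINS:
        if _under(undone, trusted.translate(SWAPS)):
            return trusted
    return None


def review_email(sender, body):
    """Return human-readable warnings for one message (From header value, text body)."""
    warnings = []
    hosts = [("sender domain", parseaddr(sender)[1].rsplit("@", 1)[-1])]
    hosts += [("link host", urlparse(u).hostname or "") for u in URL.findall(body)]
    for kind, host in hosts:
        hit = lookalike_of(host)
        if hit:
            warnings.append(f"{kind} {host} imitates {hit}")
    if URGENCY.search(body):
        warnings.append("message pressures the reader to act immediately")
    return warnings


if __name__ == "__main__":
    # Constructed sample message, not taken from a real campaign.
    sender = "Claims Team <claims@g00dhealthp1an.example>"
    body = "Resolve your declined claims immediately: https://portal.g00dhealthplan.example/update"
    for w in review_email(sender, body):
        print("WARNING:", w)
```

This covers only the two character swaps and the urgency cue named above; a clean result does not mean a message is legitimate, so the advice to log in to the company’s website or pick up the phone still applies.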
She adds that physicians also need to understand that cybersecurity attacks don’t happen just on laptop and desktop computers. Personal and professional mobile devices can also put their networks—and their patients—at risk.
“Mobile devices are no different than computers. They can be hacked and they can have viruses—many people don’t realize that,” she says. Today, she says, mobile devices often hold more information than desktop computers—and that requires physicians and clinical staff to be vigilant about how they use their tablets and phones. The same guidelines regarding passwords and links apply.
“You really need to guard your phone,” she says. “I like to say ‘treat your phone the same way that you would treat your wallet.’”
What about outsourcing cybersecurity efforts to protect from spearphishing attacks? While many vendors offer cybersecurity solutions, Kaplan says there is often a “security poverty line,” with smaller organizations lacking the resources to hire dedicated information security staff or procure good IT software to support cybersecurity efforts. But with that said, he says that organizations can get some degree of security investment by utilizing cloud-based services.
“When you procure cloud-based services, even if it’s just for your email and calendar, you are also investing in the security infrastructure of the vendor you choose,” he says. “While it doesn’t absolve your organization of responsibility, it does make being more secure less resource intensive.”
There is no one-size-fits-all approach to cybersecurity, but experts agree that good cybersecurity is a community effort. Providers need to make a point of educating and training staff about proper cyber hygiene practices. And as more individuals use their personal devices to interact with EHRs or provide medical information, share those practices with patients, too.
“This is about changing the culture in your practice to promote cyber hygiene and integrate cybersecurity as part of your values,” says Eftekhari. “This goes beyond talking the talk—physicians need to walk the walk to protect their networks and, ultimately, their patients from spearphishing attacks.”