Any talk about cybersecurity in healthcare will undoubtedly cover one or more of a hacker's favorite tactics: ransomware, phishing, or exploiting poor device security.
While none of these threats are new, they continue to pose major risks to medical practices, partly because they are often not taken seriously enough by practice owners who think they will not become a target, according to experts.
“For hackers, money is the motivation,” says Kevin Haynes, chief privacy officer for Nemours Children’s Health System in Orlando, Fla. Hackers want patients’ health records because they can use them to order medical supplies or bill payers for services that were never provided.
A younger patient’s Social Security number might be used for years for fraudulent activity before anyone realizes it has been compromised. “Small practices don’t have the same tools to manage risk, but they do retain personal information that can make cybercriminals money,” says Haynes.
Audrius Polikaitis, CIO of UI Health in Chicago, says that health records are one of the hottest commodities on the black market, with a single record able to fetch $200 to $300, compared to $15 to $20 for a credit card number. “For anyone who maintains health records, we all face the same risks and challenges,” says Polikaitis. “From a small practice perspective, there is no reason to think that your records are any less valuable than those from a university or larger health system.”
A practice’s vulnerability to hackers can create a risk for business disruption, a loss of reputation if a breach occurs, or even hefty HIPAA fines if health records are compromised.
“As larger organizations improve their defenses, I think there is a distinct possibility that hackers move downstream to smaller practices,” says Polikaitis. “Like a house, if someone wants to break in to your network, they’ll find a way. You just need to make your house less attractive to thieves than your neighbor’s.”
Experts say practices can reduce their risk of being hacked by taking some basic preventative measures and educating staff on the most common threats.
Ransomware receives a lot of publicity because it has crippled some high-profile health systems and government agencies in the last several years. When ransomware hits a network, every file it can reach, including files on shared drives and any backups that are online and writable from the infected machine, is encrypted and held hostage. The organization is effectively shut down until either a ransom is paid, usually in Bitcoin, to release the files, or the files are restored from backups the ransomware could not reach.
“Ransomware seems to have died down slightly, but that doesn’t mean it’s something a practice doesn’t need to be vigilant about,” says Rob Tennant, director of health information technology policy for the Medical Group Management Association. “The most important thing is to make sure you have a very good backup system. If you had to shut down your server and start from scratch, it wouldn’t be pleasant, but it wouldn’t affect patient care, and that’s critical.”
“The bottom line is that when you suffer a ransomware attack, you only have two options to get your data back—have an up-to-date backup of your affected systems or pay the ransom,” says Cesar Cerrudo, chief technology officer at IOActive, a Seattle-based cybersecurity firm.
“Unfortunately, despite the wave of ransomware attacks, many hospitals and medical practices still don’t have a good backup policy, making paying seem like the easiest and cheapest option.”
Haynes says that while ransomware is still the biggest threat, staff awareness and software that identifies and blocks attacks are starting to have a tangible effect. Polikaitis agrees, noting that while detection and technology that isolates malicious attachments are improving, having backups is still vital.
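The backup advice above only holds if the backup is known to be intact when it is needed. A practical check is to record a hash of every file at backup time, store that manifest somewhere the production network cannot write to (offline media or a separate account), and compare the restored tree against it before relying on it. The following Python script is an added example, not code from the article or from any of the organizations quoted; the directory layout, file names and the simulated ransomware activity are all constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large imaging files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256.
    Run this at backup time and keep the result off the production network."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> list:
    """Compare a restored (or about-to-be-used) tree against the manifest.
    Returns a list of problems; an empty list means the tree matches."""
    problems = []
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"changed: {rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> tuple:
    """Build a tiny constructed backup, verify it, then simulate ransomware
    overwriting a record and dropping a ransom note, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "patient-001.txt").write_bytes(b"constructed sample record")
        (root / "schedule.csv").write_bytes(b"date,patient\n2020-01-01,001\n")

        manifest = build_manifest(root)          # taken at backup time
        clean = verify_backup(root, manifest)    # expected: no problems

        # What ransomware does to a reachable backup: content is replaced
        # with ciphertext and a note appears. The hashes no longer match.
        (root / "records" / "patient-001.txt").write_bytes(b"\x00ENCRYPTED\x00")
        (root / "README_DECRYPT.txt").write_bytes(b"pay us")
        after = verify_backup(root, manifest)
    return clean, after


if __name__ == "__main__":
    clean, after = demo()
    print("before tampering:", clean or "backup verified")
    for problem in after:
        print("after tampering:", problem)
```

The manifest is only useful if the attacker cannot rewrite it alongside the files, which is why it belongs with the offline copy rather than next to the live data; the same check run on a schedule also turns a silent partial encryption into a detectable event.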
Many of the biggest cyber threats are delivered directly to a physician’s or staff member’s inbox via email. A malicious attachment or link needs only a single click to run code that might do anything from launching a ransomware attack to stealing financial information stored on a server.
For hackers, the biggest challenge is getting someone to click on the link, and the best way they’ve found to do that is through what’s known as phishing: pretending to be a trusted source so as to not arouse suspicion. Several years ago, the attempts were easier to identify, because the emails often had misspellings or looked unprofessional and not work related.
“Now, they are getting more sophisticated,” says Tennant. “There are no misspellings, the tone is right, and the sender’s email address looks legitimate.” Emails might also include logos or other branding information to add legitimacy.
It’s these advanced phishing attempts that worry Polikaitis the most, because the average person won’t necessarily be suspicious. “The real good emails are where someone has taken the time to look at the organization and the person,” Polikaitis says. “Relationships are their favorite angle to use. Two years ago, there was an email that made it look like a CFO was sending their direct report requests for things. Whoever sent it took the time to understand that relationship.”
Serious hackers will take the time to study staff lists on web pages and look at profiles on social media, including LinkedIn, where they can learn more about an organization’s hierarchy. With that information they can construct an email that looks like it’s from a person in charge and direct it to someone who might ordinarily receive emails from that person.
“The bad guys expect that people are busy and won’t pay too much attention, and that they have more email than time and are just ripping through them,” says Polikaitis.
“Unfortunately, smaller practices don’t have the same security tools to warn users and social engineering is becoming easier to exploit due to consumers freely sharing their personal details publicly,” says Haynes.
There are strategies practices can use to lower their risks from phishing attacks. “If you have someone on staff who is an IT expert and you’re not sure about a message, send it to them to take a look,” says Tennant. “Don’t open or click on attachments that you are not sure about. If the person included a phone number, call them and ask them to verify.” Pay attention to details like return email addresses and pause to think whether a request makes sense. “If a message doesn’t look right, assume the worst.”
Haynes says using a third-party email provider, such as Office 365 or Google, can help reduce the number of phishing emails that get through to a practice.
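Several of the details the experts above tell staff to look for can be checked mechanically before a message reaches a busy inbox: a sender domain that is a lookalike of the practice's own, a display name that shows one address while the real address is elsewhere, a Reply-To that diverts replies to a third party, and link text that names one site while the href points to another. The Python script below is an added example written for this page, not code from the article or from any of the organizations quoted. The trusted domain, the confusable-character list and the sample "CFO request" message are all constructed assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Domains the practice really sends mail from (constructed for this example).
TRUSTED_DOMAINS = {"examplepractice.org"}

# A few character swaps attackers use to register lookalike domains. This is
# an assumed, illustrative list, not a complete confusables table.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Matches <a href="...">visible text</a> in an HTML body.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Matches an address-looking string embedded in a display name.
ADDR_IN_NAME_RE = re.compile(r"[\w.+-]+@([\w.-]+)")


def normalize_domain(domain: str) -> str:
    """Undo common confusable swaps so 'examp1epractice.org' collapses onto
    'examplepractice.org' for comparison purposes."""
    d = domain.lower().strip()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def is_lookalike(domain: str) -> bool:
    """True when a domain is not trusted but normalizes to a trusted one."""
    if not domain or domain.lower() in TRUSTED_DOMAINS:
        return False
    trusted_norm = {normalize_domain(t) for t in TRUSTED_DOMAINS}
    return normalize_domain(domain) in trusted_norm


def link_mismatches(html: str) -> list:
    """Return (shown_host, real_host) pairs where the visible link text names
    one site but the href points somewhere else."""
    out = []
    for href, text in LINK_RE.findall(html):
        shown = urlparse(text.strip()).hostname if "://" in text else None
        real = urlparse(href.strip()).hostname
        if shown and real and shown.lower() != real.lower():
            out.append((shown.lower(), real.lower()))
    return out


def _first_address(msg: EmailMessage, header: str):
    """First parsed address of a header, or None if absent."""
    h = msg[header]
    if h is None or not getattr(h, "addresses", ()):
        return None
    return h.addresses[0]


def analyze(raw: str) -> list:
    """Run the header and link checks over one RFC 5322 message and return
    human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender = _first_address(msg, "From")
    from_dom = sender.domain.lower() if sender else ""
    if is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom} is a lookalike of a trusted domain")

    # A display name carrying a trusted-looking address while the real
    # address is elsewhere is the "CFO writes to a direct report" spoof.
    if sender:
        m = ADDR_IN_NAME_RE.search(sender.display_name)
        if m and m.group(1).lower() != from_dom:
            findings.append(f"display name shows {m.group(1)} but mail is from {from_dom}")

    reply = _first_address(msg, "Reply-To")
    if reply and reply.domain.lower() != from_dom:
        findings.append(f"Reply-To goes to {reply.domain.lower()}, not {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        for shown, real in link_mismatches(body.get_content()):
            findings.append(f"link text shows {shown} but points at {real}")
    return findings


# Constructed sample: a fake executive request of the kind described above.
SAMPLE = """\
From: "Jane Doe, CFO" <jane.doe@examp1epractice.org>
Reply-To: accounts@invoice-desk.example
To: bookkeeper@examplepractice.org
Subject: Urgent: wire for vendor invoice
Content-Type: text/html; charset="utf-8"

<p>Please handle this today, I am in meetings all afternoon.</p>
<p><a href="http://secure-login.example.net/pay">https://portal.examplepractice.org/invoices</a></p>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("WARNING:", finding)
```

Run on the sample, the script flags the lookalike sender domain, the diverted Reply-To and the mismatched link; a plain internal message from the trusted domain produces no findings. Checks like these belong in the mail gateway or a mailbox rule as a warning banner, not as a replacement for the human judgement the experts describe, since a well-researched message sent from a genuinely compromised account passes every one of them.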
Connected medical devices offer yet another path of attack for hackers.
If a medical device, no matter how innocuous, is connected to the internet, it is potentially vulnerable to hackers, experts say. “Connected devices are a whole new concern,” says Polikaitis. “We all want the devices to output data so it can be collected and used for daily patient care or research, but if they are connected, the bad guys can get in and do nefarious things.” An IV pump could have its rate changed, or an image could be altered to show a tumor—or have the evidence of one removed.
“You need a list of security questions to ask your vendors,” says Tennant. He advises asking them about how the devices are protected, what are their vulnerabilities, what should be done if they are hacked, and if there are backups to any critical information. The practice also needs to consider how to provide continuity of care if a device is compromised.
Polikaitis says that vendors may claim the devices are FDA-regulated, and therefore they can’t update anything. “The vendor may try to hide behind that, but it isn’t true,” he says. For older devices with little security, vendors need to go back and look at how the devices were installed and reconfigure them to offer the most protection possible.
Education as a broad defense
Cyberthreats are varied and constantly evolving. Each time an effective defense is developed, hackers find a new way to exploit a network vulnerability. While this cycle of measures and countermeasures is being waged across the globe, doctors just want to take care of patients and not have to be cybersecurity experts on top of their other responsibilities.
Experts say that the best defense a practice can use is continual education and reminders to staff about the dangers of clicking on links in emails and how to identify ones that may be phishing schemes.
“We do mock phishing attacks three to four times a year,” says Polikaitis. “We send them out and see who clicks on them and then follow up with education.” There are companies that can provide this service to practices that can’t do it in-house.
He says it is important not to approach the process in a punitive manner, but to keep pushing the educational aspect, even if the results are disappointing at times. For example, Polikaitis sent a fake phishing email with a link to 6,000 health system employees asking for usernames and passwords. About 600 clicked on the link and 150 provided their username and password.
“Despite all our educational push, we still got a fraction that gave up their credentials,” he says. “I’m still amazed people fall for that, but continual education is important.” If the same people continue to click on dangerous links despite being warned not to, then the physician or practice administrator will have to assess whether that person is worth the risk they are introducing to the practice.
“It’s the human being that’s indispensable, but also introduces the greatest risks to the organization through what they do,” Polikaitis says.
Training and reminders should occur throughout the year. “A lot of practices look at training as something they do in January, then that’s it,” says Tennant. “People are on their own for the rest of the year. It needs to be a continual outreach to the staff.” All regular communications to employees, such as a newsletter or weekly meeting, should include cyber hygiene tips to remind everyone of the risks. “It also emphasizes the importance of the issue to the organization,” he adds.
Haynes says education is the easiest low- or no-cost way to stop hackers. “Spend more time on keeping the medical practice staff aware of threats and vulnerabilities on the systems they use every day—the internet, email, and phones.”
As technology continues to change healthcare, the cyber risks will always be there. “It’s part of the cost of living in a connected society,” says Polikaitis. “There are a lot of benefits to sharing data between institutions, but there is a cost to it and new risks are introduced with sharing of that data.”