Right now, medical practices are being attacked by cybercriminals. Emails are being sent in the hope a practice employee will click on a link that will install ransomware, hackers are exploiting security flaws in medical equipment with internet connections, and information is being gathered from social media to trick staffers into revealing patient or financial records.
The sophistication and volume of attacks are increasing, according to cybersecurity experts, and practices have to be more vigilant than ever to protect themselves, even if at times it seems fruitless. “A doctor running a small practice might say, ‘If Blue Cross of Tennessee can’t protect itself, how can I?’” says Rob Tennant, director, health information technology policy for the Medical Group Management Association. “But you can’t just throw your arms up and say there’s nothing that can be done. If at the minimum you take some low-impact security steps, that should be sufficient, but always have a contingency plan so that if you run into a hack, a fire, or flood, you have a way out that ensures your practice continues.”
Cybercriminals have many resources and are highly knowledgeable about how technology works and its vulnerabilities, experts say. But they also tend to take the path of least resistance, meaning the harder they have to work to hack a practice, the more likely they are to move on to an easier target. As the bad guys refine their tactics, practices must continue to be vigilant, especially against the most common threats.
“Malware is still big and they are learning to be more effective with the messaging they use to get people to click on ransomware links,” says Kevin Johnson, CEO of Secure Ideas, a Jacksonville, Fla.-based security consulting firm. “The threats compared to last year are very much the same, but that’s good, because organizations that took the time to enhance their security are still running down the right path. However, people that said they weren’t worried about it are just as far behind as they were last year.”
Every practice is a target
One of the biggest mistakes a practice can make is to assume it won’t be a target because it is too small or has nothing of value. “Hackers are not going after you specifically, they are going after everybody,” says Johnson. “They target large numbers of victims, because it doesn’t take much more effort to send out millions of attacks versus a hundred, because it is all automated.”
The idea that a hacker is someone living in their mom’s basement is almost always wrong. In fact, most cyberattacks are coming from complex organizations.
“A lot of these groups would be considered mid-sized businesses,” says Elliott Frantz, CEO of Virtue Security, a New York City-based firm that identifies vulnerabilities in applications and networks. “They have full-time staff, their own R&D teams, and in some ways are on par with many tech companies.”
Broad attacks are the most common, but practices can still be singled out by hackers. Elliott says that there are huge markets for stolen information, including specific markets with established prices for healthcare records. Because cybercriminals know the potential return, they can calculate whether targeting a specific practice is a good investment, either through the number of health records they might obtain or through ransomware.
“They may see a smaller organization as a more tempting target,” says Bruce Snell, director, emerging threats and disruptive technologies, for Tokyo-based NTT Security. “The thought process is that a smaller practice may not have good backups or a security plan or tools in place, so it might be worth their time to spend eight hours putting together a phishing attack that might get them $15,000-$30,000 out of them through ransomware.”
Practices need to defend against several threat types as part of a comprehensive cybersecurity plan, but ransomware is still the leading one. “Ransomware in particular works from a cybercrime perspective because it’s straightforward and uses malware to infect the system,” says Snell, who adds that medical organizations are particularly vulnerable because of their immediate need for access to patient information.