Kevin Johnson, a professional "ethical" hacker and CEO of Secure Ideas, sits down with Medical Economics to discuss what physicians and healthcare organizations can do better to defend against cyber threats.
Each year, millions of medical records are stolen by hackers. Will your hospital or practice be the next victim?
The scary truth is that hackers are targeting your practice, and they're often a step ahead of you. They use sophisticated methods to steal medical records, which are extremely valuable on the black market, and every organization is at risk, from the largest hospital to the smallest solo practice. The key to defending yourself is to understand the latest threats.
Our own Silas Inman sat down with cybersecurity expert Kevin Johnson to discuss how hackers are targeting your practice and what you can do to stop them.
Medical Economics: Welcome. It's great to have you today. Thank you very much. So, first, let's just put this whole thing into perspective. Can you describe some of the threats that are out there for a practicing physician?
Kevin Johnson: You know, it's actually pretty sad that the threats facing practicing physicians are the same threats facing so many other people, and yet there's this lack of knowledge or awareness about it. The biggest threat they're facing is actually just email based, right? We refer to it as social engineering. It's an attack where they send an email in pretending to be something to get the doctor, the physician, to do something, right. And I'm being vague because it could be whatever they want. In some cases, it's: Send me records. In other cases, it's: Transfer money from this account over to this other account, or what have you. That, I think, is the biggest threat that most physicians are facing, that type of attack. Beyond that, it's malware, ransomware malware: you click a link, or you download something you think is going to help you with your job or whatever, and instead it compromises your system and hands control of it back to an attacker.
Medical Economics: So, in your experience, have you found that a lot of medical practices might be behind some other institutions?
Johnson: I would say that the medical practices are probably in worse shape than any of the other industries I work in. We work with lots of different verticals. And when we work with doctors and hospitals and what have you, in most cases their security is so far behind everybody else's that it's sad. It makes sense, though, right? Because their primary job is not using that computer. In most practices, the computer systems, even with electronic health records and what have you, are an accessory. I think that's the right way to put it. Right? That laptop or that computer in the treatment room isn't required for the treatment. It's required to help with everything else afterwards. And so, it's just not thought of as important to fix.
Medical Economics: What is the value of a medical record?
Johnson: What makes medical records even more valuable, though, is that there isn't any way to track them. So, I'm sure you've run your credit report. Right? There's advertising on TV, there are mobile apps that you can pull down that will tell you your score, right. This second it's 47 million. It's not, but yeah, right. With financial records, the banks track credit card transactions and stuff like that. While the health insurance companies are trying to track fraud, right, there really is no central warehouse for this information. We don't have an Equifax for health records, right? And I'm not sure I'm recommending an Equifax for health records. But because of that lack of detection, if somebody who's bad steals a health record, they can keep it active for much longer than credit cards or other types of data. And that raises the value, right?
Medical Economics: What is the most common red flag that you see that practices should really stop doing?
Johnson: I hate to say it: Stop sharing passwords. Every practice we go into, they've got passwords on Post-it notes on their monitors. I was in a doctor's office, and I was there for treatment, not as part of my job. I go in, it was the first visit, I was doing an MRI, right. And I guess I'm not supposed to say that I was doing an MRI. But I go in and I'm signing up, and the lady behind the counter was having trouble getting into the references, right? She yells across the office, as there's a full waiting room, right? It's like, hey, my password is not working. And the guy over at the other workspace, he's like, I'll use mine. And he yells back his username and it, and I'm standing there like, do I write it down? Do I say it? Let's be clear. They know what I do for a living. Right? They'd had a whole conversation with me about my job right before they started yelling a password back and forth. And the password was weak. So, the problem there is they're doing a practice that isn't safe, right? And that tells me they're not thinking about security. So, they're more liable to fall, right, for one of these attacks, because they're trying, like this woman, she's yelling for a password because she's in a rush. She's got a patient standing in front of her, I get it, right. Like, yeah, you got a job, you got to do this stuff. We look for things like that. We look for other bad practices. The number of times I walk into a doctor's office and their computer's unlocked. Right? I ask doctors now, right, I ask, hey, are you using two-factor authentication? No. Why not? Right. What? It takes five seconds to set it up and use it. Oh, it's a pain in the butt. It's not really, you get used to it, right? So, we look for stuff like that. The other thing that, if I was running a practice, I would look for is, and I want to be very clear, I'm not saying you have to hire some expensive IT people.
But if your entire infrastructure is run by your uncle Joe's cousin Nancy's friend, right? It's probably not secure. You know, think about who you have building these systems and running them and maintaining them. If anybody, right. And like I said, you don't have to go hire some fancy person. But know who they are, know if they know what they're doing. Right. Those are the things we look for, sure.
Medical Economics: Is this only something for big institutions to worry about?
Johnson: Those little hospitals are actually getting hit more, the doctors' practices are getting hit more. It's just not headline generating. You know, Dr. Smallwood got ransomware. That was my pediatrician. I don't know why his name popped into my head. Let's go. Right. So, you know, Dr. Smallwood got hit with ransomware isn't going to be in the New York Times, I know, as much as I like the guy, right? It is happening. It's actually happening at a faster rate than at the big hospital.
Medical Economics: What's the current fad in the hacking world?
Johnson: I'd say that it's still ransomware; it's successful. There's a whole bunch of different variants, right? You know, doctors know about viruses and things like that. It's the same thing, right? The flu is the flu is the flu. There are 47 million different strains of the flu symptoms. Ransomware is ransomware, but there's 47 million strains of it. And so that's the biggest thing right now that people are getting hit with. It's also the most disruptive because, you know, in a lot of the attacks that happened before ransomware, the attacker had a vested interest in not breaking your system, because if they broke your system, they lost access to it. And so, they were trying to keep that access. Ransomware flipped that on its side, and it purposely breaks the system in exchange for some form of money. And that's one of the reasons why it's so much worse. We work with doctors' offices and other industries where they would be infected with malware for decades and not realize it. But because the malware didn't break anything, it just kept stealing data or resources.
Medical Economics: A lot of physicians almost view getting hacked as a natural disaster that is going to happen. What can they do?
Johnson: I think that's a horrible attitude. I understand it! Like, being hacked is inevitable. It's not really, but it is likely that you'll get hit with something. I think the biggest thing is, don't just throw up your hands and say I can't do anything. Pay attention. Try to be more secure.
Medical Economics: What are some other common misconceptions that are out there?
Johnson: One of the most damaging misconceptions, I think, is the headlines are about the big organizations, right? They don't talk about small practices. And so, a lot of people feel that they're safe, because why would somebody attack me? Why would... I'm a practice, I've got maybe one doctor working there, or three doctors, and you got a few nurses and a PA or whatever, right? And you know, there's 10 people in this practice. Why would somebody? Right. And the answer is because you've got data. And not only do you have data, but you have resources and connections and money. And it is very unlikely that you have a dedicated security staff focused on stuff.
Medical Economics: So, if I'm a small practice in Idaho, what are my first steps? How do I get started taking control of this?
Johnson: The first step is recognizing that you're a target. Okay, that people are coming after you. Second step is to figure out what you have. Okay, like the fax question. Do you have a normal old fax machine, or do you have a fax machine that's tied to your printer, tied to your copyright ID or network? Okay? Find out who's managing this, right. A lot of people, like, I know what I do: if I got a problem, I take it to, I don't know, Best Buy, right? And I get them to fix it, right? Go to the Apple store and I go to the Genius Bar, they fix it, right? That's how they manage their entire practice. Or uncle Joe's cousin Nancy, she runs everything, right? So, find out who's responsible for your systems, right? Sometimes the physician doesn't know, somebody else in the office manages that. Finally, ask them: What are they doing? Right? How are they protecting data?
The next thing, and this is a hard one: Only keep the data you need. Everybody seems to be hoarders of data. We don't want to delete that email because I might have to prove I was right years from now. As an attacker, I love those computers. I break into systems, and they've got data on it from 20 years ago. And you know, the best part about that is, the social security number of that patient 20 years ago is still their social security number. The medical records for that patient 20 years ago, they're still valid for that patient. All that kind of information is out there. Stop hoarding stuff.
Medical Economics: What should the healthcare industry as a whole be doing to raise awareness?
Johnson: Raising awareness is important. One of the things I find I do when I present at conferences, and it's amazing to me how many times I get told afterwards: I didn't know people could do that. I tell stories all the time, like we were talking about, when I hacked that bank and did that, or when I did this. And that's what I think the healthcare industry has to do. I think that we've seen efforts with that, right, of education and pushing stuff. But that really is what it boils down to: as a whole, we need to take into account that this is important. It's serious. It's important data, it's sensitive data, not just from a privacy perspective, but from the damage we could do to people if it got out. So raise awareness, and then start protecting it.