Physicians’ offices are storehouses of patient health, personal, and financial data, so even small practices are targets. Although no computer network is impenetrable, there are ways to bolster cybersecurity and respond to attacks when they happen.
It was an evening in fall 2021 when the network manager got a warning about suspicious activity in the computer system of a Pennsylvania-based primary care physicians’ group.
An encryption attack was under way on the group’s virtual servers, aiming to lock the practice out of its systems. The attacker sent an electronic ransom note stating the physicians could have their systems back for $250,000.
The physicians’ group commenced an investigation and restoration process that lasted for weeks.
“The incident itself is a small point in time. It’s really the ongoing mitigation that is painful,” said the practice administrator, who asked to remain unnamed due to pending legal actions over the attack.
The event happened more than a year ago, but it illustrates the state of cybersecurity in health care. Attacks on hospitals and health care systems will continue in 2023.
Scope of the problem
In health care, hacking is now the greatest threat to the privacy and security of patient information, according to the U.S. Department of Health and Human Services’ Office for Civil Rights (HHS-OCR).
The Pennsylvania physician group incident was one of at least 877 cyberattacks in the United States reported to HHS-OCR since December 2020; the office is required by law to publish a list of breaches of unsecured protected health information affecting 500 or more patients. In its 2023 Horizon Report, Fortified Health Security noted that security breaches exposed about 51.4 million patient records in 2022.
In health care, cyberattack motivation generally comes down to money. Hackers believe they will get it by encrypting data stored by entities such as physicians’ offices, hospitals and health care systems, then demanding payment for the decryption key that unlocks the information. That is the concept behind ransomware, and it’s a growing and costly problem. The U.S. Department of the Treasury’s Financial Crimes Enforcement Network pegged the 2021 ransomware total at $886 million.
Hackers may exploit known, unpatched security gaps to infiltrate computer networks and install ransomware. But often people let them in by accident through phishing: emails that trick users into revealing login information or downloading malicious software. Expect more of the same in 2023.
“None of that stuff’s going to change until (hackers) quit making money on it,” said Erich Kron, security awareness advocate for KnowBe4, a security awareness training firm based in Clearwater, Florida.
“They’re not going away because they’re so effective,” said Marissa Maldonado, CEO of Proda Technology in Atlanta, Georgia. “You know, if they work, they work, and for cybersecurity threat actors, if it works, why reinvent the wheel?”
Cyberattacks in practice
The national figures do not include the $250,000 ransom demanded of the physicians group attacked in fall 2021. With quick action to block the attack, the group did not have to pay it, and there was no evidence that patient safety was compromised, the administrator said.
The bigger burden was the stress of coping with a cyberattack while managing 50 physicians among 200 employees across eight offices, the administrator said. The group’s leaders monitored negotiations with the hacker and worked with their cyberinsurance company’s investigators. A communications team drafted messages to employees and patients. The group had approximately 300 computers and devices to scrub electronically and reconnect to the computer network.
“And all the while we had to keep our doors open. Not knowing who was going to walk in the door because we didn’t have schedules up was very, very difficult for the providers,” the administrator said. “So in total, it took about four weeks. It was a long four weeks. It felt like four years.”
Patients had heard national news about large-scale hacking incidents with retailers and banks. When they learned it happened to their doctors, some were understanding, others were not. “Huge credit to our physicians who had to manage those expectations in the room with the patients in the weeks and the months following,” the administrator said. “They were able to mitigate fears and keep the patients engaged and happy to the point where we didn’t see a mass exodus of patients or anything along those lines.”
There was no evidence that any patient data were stolen. The group offered credit monitoring for affected patients, and it now faces a lawsuit over the attack. The administrator said they never found out exactly why they were targeted or how the attacker entered their computer network. There was no specific email or program or action that was the culprit.
Setting up the defense
Experts agree that strategies for cybersecurity in 2023 are more important than ever. An enterprise-wide security risk analysis is the first step for medical organizations, from a single physician’s office to a giant health care system. It’s required under the federal Health Insurance Portability and Accountability Act (HIPAA) and is the building block for other HIPAA security requirements, yet it continues to be one of the most common HIPAA Security Rule violations. If physicians don’t know where patients’ data are, they can’t protect them, according to the HHS-OCR.
Hackers use phishing emails to steal login credentials or deliver malicious software (malware) that can compromise computers and networks in a physician practice or any other business. “Because both attack types leverage email, email systems should be the focus for additional security controls,” according to Health Industry Cybersecurity Practice: Managing Threat and Protecting Patients (HICP), which was developed by the HHS 405(d) Program and Task Force.
The report states that small health care organizations should:
Training should be required for staff and spelled out in employee handbooks, with instructions that workers should not open emails, attachments or links from unfamiliar senders. They should report suspicious emails immediately to internal or external information technology (IT) experts, according to the Medical Group Management Association.
After the Pennsylvania physicians group’s network was attacked, the group formalized email training with staff, including sample phishing emails. The training is required quarterly and employees who don’t complete it lose network access, meaning they can’t work.
“So we are very strict in what we put in place after the fact,” the administrator said. “Would that have helped us before? I honestly don’t know.”
Finding trusted partners
In smaller and independent practices, some physicians choose to oversee the technology. “You’d be surprised by how many are just trying to do it themselves,” said Jeffery Daigrepont, senior vice president at the Coker Group health care advisory firm in Alpharetta, Georgia.
When seeking a technology partner, primary care physicians in small practices may be tempted to go with someone who’s doing things cheaper, not necessarily better, Maldonado said. What’s critical is that physicians who outsource IT need to find partners with experience in health care.
Maldonado suggested starting by asking, “What are you doing from a cybersecurity risk perspective?” Physicians must complete security risk assessments for their practices, so it’s fair to ask vendors if they do security risk assessments for themselves. The HHS 405(d) Task Force guidelines show physicians what to ask in their conversations about technology products and services, Maldonado said.
Talking to other physicians about their vendors is helpful, said Clifford Stark, D.O., a New York-based sports and family medicine specialist. There also are independent online review sources, such as G2 and Gartner Peer Insights, with sections devoted to health care, said David Bennett, CEO of Object First, a firm that specializes in data security.
When selecting a vendor for an electronic medical records system, Stark suggested going with one of the bigger companies that has been in business for some time, because they will have established security measures. Ask how the vendor handles billing. Some have their own billing software, whereas some use third-party software, which poses an integration and security challenge.
“Because as we all know, any billing company has to have access to your clinical information. Plus, they’re going to have all the financial information of patients, so there are just multiple areas for (potential) breach,” Stark said.
Plan before it happens
Physician offices need an incident response plan in place, and they must actually use it when a cybersecurity incident occurs.
The plan should describe the steps to follow if malware is downloaded onto a computer or if the practice is hit by a phishing attack. For small practices, the steps may be as simple as identifying and deleting malicious emails. Identifying and remediating malware to restore computers and networks may take more time, according to the HICP.
Before an attack happens, consider how the practice would work with a low-tech approach, said Lee Kim, J.D., senior principal for cybersecurity and privacy at the Healthcare Information and Management Systems Society. “Let’s just simply take an hour or so out of our month and talk about what we would do if there’s unexpected downtime. How do we physically move patient information to the insurance company for a claim? Do we still have a fax machine for exchanging a patient’s health information with a specialist?” Kim said.
Physicians’ offices can continue practicing using electronic data backed up in at least three locations, with originals at the office, duplicates on or off site, and a long-term off-site archive, Bennett said.
They also can back up data with a pencil and paper. Keeping a written list of important names, telephone numbers and email addresses is low-tech but effective when contact information is locked inside computers due to ransomware, Bennett said.
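The multi-copy backup scheme described above only helps if the copies are still intact when they are needed: an encrypter that reaches a mounted backup share rewrites every file it touches, and an archive job that silently skipped files leaves gaps. The script below is an added example, not code from the article or from any vendor named in it. It catalogs the primary data set by SHA-256, checks each backup location for copies that are missing or whose content has changed, and reports per location. The directory names, file names and file contents are constructed for the demonstration.

```python
"""
Verify that every file in a primary data set has an intact copy in each
backup location, and flag copies that are missing or whose content no
longer matches (a ransomware encrypter that reaches a backup share
changes the hash of every file it rewrites).

Added example; not from the article or any vendor it names. The layout
and file contents in build_demo() are constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large chart exports do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def catalog(root: Path) -> dict[str, str]:
    """Map POSIX-style relative path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_copies(primary: Path, copies: list[Path]) -> dict[str, dict[str, list[str]]]:
    """Compare each backup location against the primary catalog.

    Returns {copy_root: {"missing": [...], "changed": [...]}}. A copy with
    both lists empty holds a byte-for-byte match of every primary file.
    """
    expected = catalog(primary)
    report = {}
    for copy in copies:
        have = catalog(copy)
        missing = [rel for rel in expected if rel not in have]
        changed = [rel for rel in expected
                   if rel in have and have[rel] != expected[rel]]
        report[str(copy)] = {"missing": missing, "changed": changed}
    return report


def build_demo() -> tuple[Path, list[Path]]:
    """Constructed sample: a primary set plus three copies (on-site duplicate,
    off-site duplicate, off-site archive). One copy has a file rewritten as if
    encrypted; the archive is missing a file from an incomplete run."""
    base = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    primary = base / "office_primary"
    onsite = base / "onsite_copy"
    offsite = base / "offsite_copy"
    archive = base / "offsite_archive"
    files = {  # constructed contents, not real patient data
        "charts/patient_0001.txt": b"visit notes 2021-10-04\n",
        "billing/claims_2021q3.csv": b"id,amount\n1,125.00\n",
        "contacts.txt": b"IT vendor: 555-0100\n",
    }
    for root in (primary, onsite, offsite, archive):
        for rel, data in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    # Simulate an encrypter reaching the on-site share: content replaced.
    (onsite / "charts/patient_0001.txt").write_bytes(os.urandom(64))
    # Simulate an archive job that skipped a file.
    (archive / "contacts.txt").unlink()
    return primary, [onsite, offsite, archive]


if __name__ == "__main__":
    primary, copies = build_demo()
    for root, r in verify_copies(primary, copies).items():
        status = "OK  " if not (r["missing"] or r["changed"]) else "FAIL"
        print(f"{status} {root}: missing={r['missing']} changed={r['changed']}")
```

Run this on a schedule against the real backup targets and alert on any FAIL line; a copy that matches the primary today and differs tomorrow without a corresponding change at the source is exactly the signal a practice wants before it needs to restore. Keep the catalog itself somewhere the production network cannot write to, or it becomes one more file for the encrypter to rewrite.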
A JAMA Health Forum study on ransomware noted that in a cyberattack “the most frequent disruption was to electronic systems, which frequently force a switch to paper charting.” That’s what happened to the physicians group that was attacked in fall 2021. The cyberattack was a shock to the physicians, and they quickly asked the question: “How am I going to see my patients?”
“We’re so reliant on this computer to give us all the information in front of us about the patient and their history and their medical problems and their labs and everything else that’s going on with them,” the administrator said. “It was a heavy, heavy lift to revert 10-plus years, to go back to paper charting and memory of what happened in the last visit in order to shape the current visit. You have to be able to pivot very quickly and come up with alternative workflows.”
Those included making lots of telephone calls, using personal computers and email accounts, connecting online via cell phone hotspots, and creating documents for physicians to record patient information and quality metrics for payers in value-based medicine.
“So it was a challenging time, but we were certainly poised to be able to manage it (because we are) an independent group that moves pretty quickly,” the administrator said.
In 2023, cybersecurity is crucial because physicians and their staff will remain under watch. Federal regulators and patients will continue requiring data to remain secure. And if physicians let down their guard, hackers remain ready to pounce.
“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” Melanie Fontes Rainer, director of HHS-OCR, said. “It is imperative that primary care physicians, their business associates and other HIPAA-regulated entities be vigilant in taking robust steps to protect their systems, data and records, and this begins with understanding their risks and taking action to prevent, mitigate and recover from cyberattacks.”